A

You're listening to the Cyberwire Network, powered by N2K. At the end of the day, cyber attacks and cyber defenses are human. They are human stories. And if we can communicate them that way to the general public, then we'll get more people interested in cybersecurity, invested in cybersecurity and invested in protecting their data.

B

I'm David Moulton and this is Threat Vector. Today I'm speaking with Ali Mellon, the author of Code War, which Ali. Full Transparency. I've only gotten about halfway through. It's such a brand new book, Code How Nations Hack, Spy and Shape the Digital Battlefield. And now, in addition to being a former author and commentator on the industry. Author. So that's awesome. I'm curious. Last time we got together, we talked about XDR and the future of cybersecurity and cybersecurity operations. Today's going to be a little bit different. After writing the book, are you more or less confident about where we're going in cybersecurity than ever before?

A

Oof. Well, first off, thank you so much for having me. It's always great to be here. You guys ask so many good questions. So this is gonna be fun. After writing the book, to be honest, I am more confident and more impressed and just more proud of the cybersecurity industry as a whole. I. I am more concerned, especially, like, I'm an American. That's the perspective that I came at this book with. I'm definitely more concerned about the US's position as compared to some of the other cyber superpowers than I was before. So that's kind of a. It's a bit of a mixed bag because I think that the research that the cybersecurity community does is so important and they do such a great job with, and we're moving in the right direction with it. But there's a lot of forces at play here that factor into the cybersecurity status that each country has that are outside of the control of the cybersecurity community.

B

Yeah. As I was reading through, you named the three bigs, right? You've got your us, you've got your China, you've got Russia in there, and then a smattering of other countries. And it seemed like each is jockeying for leverage, each is jockeying for that position. It helps how they set up their. Their country and the expectations. And I just got to a point where the ability to work together seems like it's fallen off quite a bit. The number of reported vulnerabilities. I think you said Dropped down to half a million, I think, was the number. Is that what gives you pause is that one of the things that's giving you concern?

A

It definitely is one of the factors there. I think one of the things that we talk about a lot in cybersecurity, but it doesn't always come through to reality, is like this element of trust and how important trust is. And trust is so multifaceted for me, because it's not just about, okay, what vulnerabilities are we reporting on. It's also what decisions are we coming to to do attribution or to not do attribution in the first place. Attribution has become very much so a geopolitical tool, especially in a lot of these circumstances. And so that changes a lot of the dynamics. In addition, it is a factor, too, of, like, what is happening in the world from the standpoint of where tech is moving and where tech is being deployed and the investments that are being made in tech in different regions. One of the reasons that the US has been such a powerful force from a cybersecurity standpoint is because much of the technology used in the world is built by American companies. And that, especially on the infrastructure side, is changing so much right now, given how much China has invested in the digital silk road. And so I have concerns moving forward about who controls most of the infrastructure and the tech investments in the world and what that means for changing dynamics from a cybersecurity standpoint.

B

Yeah, I can see that. As I was preparing for today's conversation, I looked at your background. Hacker, researcher, you've shared stage and been on stage at black hat roles as a practitioner, an analyst. And I gotta think all of those things, you poured all of that experience into this book. How do those experiences, those in the business, around the business, shaping the business, how does that influence the argument that you make in Code War?

A

It was such a huge influence. It's hard to overstate what an influence my background was, especially even coming up with the idea for the book. The book is so focused on geopolitics and cybersecurity and the melding of those two worlds. Because I'm a huge history of war buff. I find that space so interesting. And obviously I have a lot of experience in the cybersecurity side of things, and it all came together into this mix. As I think about my background, where I've worked with a lot of three letter agencies, I have had experience as a hacker. I now work with a lot of different teams across the world. It is more of A recognition of one of the biggest difficulties within cybersecurity, which is actually just how do we communicate this to the rest of the world? And how do we get the rest of the world to care and pay attention? That is the thing that every conversation comes back to is like, we aren't able to get the buy in for this, we aren't able to get the support for this other thing. And to me, right now is such an important inflection point and, and such an important moment because we see, like the US as an example, loosening the reins a little on using cyber attacks in an offensive way. We see retaliation coming back based upon that. And those factors together mean that cyber attacks are incredibly important. We're in a very, very difficult geopolitical situation. And all of those pieces come together to mean that cyber attacks and defenses are going to be more important to businesses, to individuals, to citizens than they have before. And we need to be able to communicate that better. And so that's one of the reasons why I wrote the way that I did, is because I wanted this to be something that anyone could pick up and read and understand why this is so important, because we get it in cybersecurity, we get why this is important, we get why this matters, but we need to communicate it better to the outside world.

B

So you've got your regular entree, but then there's this little bit of spice that you put in there that was fun. And also, just as somebody who's always curious about language, where do things come from, you know, to know that origin story? You said something, and I'm gonna come off of our questions about it. You said something a minute ago that I think is really profound. In your book, you write about Reagan coming away from a screening of War Games. War Games, right. Matthew Broderick, War Games and was absolutely horrified. It seemed to find that this was potentially possible. Asks this general to go run down, could this happen to us? And the answer was worse than we could have imagined. Absolutely. But at a much bigger scale. And War Games didn't get it right. It was too small. I think that my takeaway as somebody who really is fascinated with the power of storytelling was we've got a lot of media and movies and television and really sensational storytelling that I think moves us in the wrong direction to motivate people. And I'm curious, you know, maybe again, I didn't get to the back half, read as much as I could on the flight out here, but is that an area that you have looked into of like the power of storytelling in and around this industry, this business that makes all of our lives go until it stops when something goes wrong.

A

I'm so glad that you brought this example up, because I love this story so much. It was like the day after War Games came out and Reagan was at Camp David and was like, I'll watch this movie. And then he comes back and he's like, in the Oval Office talking with Joint Chief of Staff and was like, hey, figure out, is this something we need to worry about? It's such a funny story. It's so human. And I actually completely agree with you. One of the things that was really important to me throughout the book is everything is about the human story. Everything is about the human element of it. I start the book with a quote from Richard Feynman, which is that. Oh, God, what is the exact quote? I have it on a bookmark.

B

I was gonna say it's right here.

A

We have is for a successful technology, nature cannot be fooled. Something along those lines. And what it's really about is the Challenger disaster. Coming out of the Challenger disaster and saying, hey, ultimately, you can have all the good PR you want. You can claim that everything's going to be fine all you want, but at the end of the day, if something's wrong with the technology, you're going to find out and it's going to be really bad, as was the case with the Challenger disaster. And I think we have a very similar thing within cybersecurity, but I like to frame it a little bit differently, which is like, everything that we do in cybersecurity affects the real world. If it doesn't, there's no reason that we should be doing it. And there's no reason for a nation state to be using an attack if it doesn't affect the real world. And so sometimes I think we get a little lost in what we're talking about within cybersecurity in this digital realm. It kind of reminds me of the metaverse and how everybody's like, oh, we're going to live in the metaverse and not interact with the real world. And it's like, people don't have an interest in doing that. Most people don't. If you're outside of tech, but when you start to put things in that context of how does this affect nature, how does this affect the real world and what we're operating in, then you actually can start to really understand the motivation for things and to communicate it in a way that people will understand and care about. It stops being Magic. It stops being something that's too technical, because, to be quite frank, it isn't. We can include more people in this space. We just haven't. And once you start to do that, then people really start to get why it matters and why it's so important. So even though some of these cultural references don't do the best job at conveying what we do in cybersecurity or what the ramifications are, they can include other people in the conversation that we otherwise wouldn't have included, like, apparently. Right. And so it becomes really important because it sets the foundation, like in that case, for cybersecurity policy at the federal level in the United States, which is just so crazy to think about. It's like a movie is what did that when we had so much going on in the world?

B

And I think that. I mean, movies have been used to move a point of view of a country and push propaganda or push a point of view. But to think that you sit down and you watch War Games at Camp David, and it kicks off this whole chain of events that leads to, we've got to get our cybersecurity, our security together. It was a profound moment in the book right out of the gate that, you know, caught my attention. I didn't realize that that had happened.

A

Well, it's so funny because, like, the proof is in the pudding. If you go back, I went back and looked at the congressional hearing that led to the Computer Fraud and Abuse act, and War Games was mentioned at least four times. It really was just so pivotal to the kickoff of some of the most important legislation that we've had related to cybersecurity in the US So it's. It's really fascinating the. Those stories and, like, finding those stories was such a treat for me.

B

So I want to go back to that conversation we started to get into on attribution. You make the point that you have to understand a country's national doctrine, what is their strategic objective, and then you can start to understand aspects of where attribution is going to make sense. And I've got a lot of questions about that. But I'm wondering, with as powerful as attribution could be, it can be very misleading. Walk me through how attribution works in practice and maybe where some of the pitfalls are.

A

Yes, there's a lot of pitfalls. This is one of the things that makes it so difficult and one of the reasons why I very intentionally chose to include the United States as one of the main cyber powers in this book. And to address it both from the defensive and offensive standpoints is because we lack so much context about the US in part because so many researchers are Western based and because in many cases those are the researchers that we can trust. And I don't say that lightly because there is a lot of work that happens in Russia, in China, in many of these nations that is towards attribution that is really good and that they do a lot of great work. But the problem is that it is very difficult to trust the output of attribution from these nations because at the end of the day, the government can make a decision to include something or not include something in the attribution. And so they can fundamentally change what's coming out of those nations. And so it just makes it very difficult. So I wanted to make sure that I was giving as comprehensive of a picture as we could possibly get about the situation, both from the US Standpoint and these other countries. And one of the things that I did in the book was I do mention and dig into some examples of attribution that has been done by companies in China of operations that were supposedly by the United States. And I wanted to include that because I think it's a perfect example of this contrast that you're talking about where like, what is the difference between a strong attribution and a poor attribution? Like in one example, there was an attack that was that a company in China said, this is the United States, and we know it's the United States because they use tools that were previously used by the nsa, but those tools had been public for like eight years. And it's like, we can't just say that this is an attack perpetrated by the US because they're using NSA tools, because anyone could be using these NSA tools, they've been out for eight years kind of thing, or just because the code has been developed or the operations are happening within normal working hours in the US because let's be real, if you're in the nsa, you're not working normal US Hours because that's an immediate tell as to this is probably happening inside the US So I do think that there's a level of sophistication here that matters. There's also so much evidence that the U.S. u.S. Has developed tools that are specifically made to make it seem like either they're working different hours or that they're working in different languages such that they can avoid attribution, which is just going to become even more difficult with AI and everything that we're seeing There. So there's a lot of factors that come into play here. But beyond the standard, what we think of, hey, what language was this code written in? What language are the comments written in? Are there any indicators from an infrastructure standpoint that we can look at? It's also a factor of, like, what's the reason why a nation would do this? Like, one of the things that I talk about in the book is an example from the Olympics where a false flag operation happened and it was originally attributed to North Korea, but in reality, like, North Korea was trying to, to a certain extent, normalize relations around the Olympics at that time by sending Kim Jong Un's sister to the Olympics and, like, making these overtures. Meanwhile, Russia was still really upset about everything that happened with the Withdra. And so it came out later that it was actually an attack that was perpetrated by Russia that they were trying to hide and trying to make it seem like North Korea. But one thing that was really important in that moment is that it is a factor of like, okay, just because it's a nation that's attacking the Olympic Games in South Korea doesn't mean that North Korea's the one doing it. At the end of the day, you have to look deeper than that and you have to see what are the actual motivations happening here in the broader world to make that type of decision.

B

Yeah. As somebody who has both been blamed and blamed his sibling for things, you know, I'm now putting on my dad hat and thinking about, you know, there are going to be moments when you try to make it look like it wasn't you that did something, but you want to be able to get away with it. And maybe even as big as a country can be, they're not so different.

A

Right.

B

It's just that human nature, that human behavior.

A

Oh, my God, if my sister could hear this conversation.

B

Sorry, Jim. It. Well, so far we've been talking about what nations do to one another, but a big part of your book is about the surveillance, the data control, information manipulation, internal propaganda that countries hoist upon their own citizenry. And I think that that's one of the things that I hadn't given as much consideration to. Attribution is one thing where you're looking at, how would you use or misuse that. But talk to me a little bit more about that information control and why that's such a problem.

A

There were two sides to the book that I wanted to make sure were in there, of course, the cyber attacks and the doctrine of the nations from a military standpoint and how they were approaching it, but also the defensive side and why the defensive decisions were made from a cyber perspective, because it affects the way that cyber attacks can be perpetrated in the way that they can't. And what I found very quickly is that a lot of the excuses for why surveillance infrastructure was established was claiming for defense and defensive purposes, which makes sense, right? That's not unusual at all. But it was very fascinating to see how different nations have approached this over time and how their histories have impacted how they've chosen to approach it. Like Russia, as an example, is so focused on information warfare and this idea of controlling information, or at least like guiding the conversation, that they made very different decisions than China, which has been very concerned about controlling information as well, but much more so on how to manage that for their own populace and how to create this walled garden. And so seeing the forethought that they had to start establishing the Great Firewall and the Golden Project so early in the 90s, that set them up in such a different way than what we see with Russia, which kind of like a decade later saw what China was doing and was like, we should probably do this too. But at that point, it's too late. Like, you have so much more foundational work that you haven't been able to do that has already taken place, that it's just impossible to get the same level of control that China has as an example. And then in the US it's so fascinating because there's a lot of conversations early on in the US about how cyber defense is primarily a civilian space. Like, the DHS secretary said that in the early 2000s, which now is funny to think about, because we've seen so much change happen to the point where there's a recognition that it is not just a civilian space, that it is a very critically a public private partnership that has to happen together. But at the time, they were so tentative to do it, in part because, like, one of the things I talk about in the book is the idea of the social contracts that nations have with their people. And of course, in the US a lot of the social contract is freedom, or anything outside of freedom is tyranny. And so when that happens, ultimately, like, if you're the DHS and you're trying to put controls in place to defend critical infrastructure against cyber attacks, when does that start to verge on tyranny? And when does the populace start to push back? And more importantly than the populace, the companies that operate in that country start to push back because they're the ones with the money that can start to push forward those conversations in the way that they want. And that's very different than the ideas of freedom in China or Russia, who were much more willing to accept a level of information control because of the trade offs that they were able to get through the government because of that.

B

Yeah. And I don't think you'd see something like a section 230 outside of the US that is vehemently defended in some of these other countries and other models. And yet here I think you described it as cutting both ways. It gives you the incredible innovation and the growth and the ability to really go and have a Twitter or have a space where people are publishing whatever they want without having the company be responsible for it. But then you also get hate speech, you get misinformation, you get election interference. So. Well, Ali, you covered China, Russia and the US really in depth. But you also looked at Iran, North Korea, Israel's and some others. Each of those countries also hacks differently, I think, goes back to what's there, what's their position, what are they trying to achieve, what is their history that informs why they're doing something or why they're not doing something, and maybe even their technical capabilities. Right, walk me through what makes China's approach distinct from Russia. And then if you have a story or two out of Iran, North Korea, Israel that you think is interesting to contrast with that, you know, what makes them different and why do those differences matter to defenders?

A

Yeah, China is such an interesting one because they can be so quiet and very careful with the attacks that they perpetrate on a broader scale. Even though a lot of times obviously there's a lot of attribution that goes to China. But they're not bombastic like the attacks that we see with Russia, where Russia's like, yeah, we're going to take this system offline or we're going to openly threaten this and it'll be very clear that it is Russia doing this. You know, a lot of the attacks are low and slow from China. They try to get in there for espionage purposes. That changes completely once you get into the region that they're operating out of. When it comes to Taiwan, they're so aggressive and there's so many interesting things that we can learn from what's happening in Taiwan. But one of the things that I really love about the difference between like a really, a really poignant example about the difference between China and Russia comes down to disinformation and how it's Used, obviously, Russia, when it comes to narrative attacks, disinformation, all that has had a lot of successes. They're kind of looked at by, like, Iran as an example of some of the most effective influence operations that have happened in recent decades. And China has tried to replicate that, but they have really struggled. And it's fascinating to see because what China is ultimately missing in a lot of these influence operations they're trying to perpetrate is, is the cultural context. So they have like, their reports that they have 50 to 1 as far as personnel from an attacking standpoint, from a cyber attack standpoint, compared to the US So they have a lot of people on this. They're willing to throw a lot of people at the problem, but they struggle to get the same level of virality as the Russian military does when they're perpetrating disinformation and narrative attacks. And the reason is because they're stuck behind the great firewall. And so they don't have Facebook, they don't have Twitter, they don't have any of these references that we have ingrained in our culture memes, all of that.

B

Right.

A

And so they try to use them, but it's like uncanny valley where they just slightly miss every time, and so it doesn't go viral.

B

Right.

A

And so that, to me, is so fascinating because the system that they've set up to protect themselves, to control the populace, has also made it so that it's much more difficult for them to execute on the cyber attacks that they want. And when it comes to, like Facebook, Twitter, anything social media related, at the same time, it also affects how they operate. Because one of the things that we saw, especially in the early 2000s, a little bit less so now is that many of the attackers that came out of China would pop onto a box that they use as their command and control operations to get somewhere else. But once they were out of the great firewall, they start logging into their personal social media accounts.

B

Yeah, I remember reading that and going like, of course they did.

A

Yeah. You know, because they can in China, which is so funny because then you can figure out so much about them. Like, the APT1 report showed us this really well. And so I find stuff like that to be so fascinating where, like. And one of the reasons why it was so important for me to take on the defensive side in addition to the offensive side is because they do play into each other quite a bit as far as, like, what we're able to discern about these nations and also where they're able to perform really effectively versus where they aren't.

B

Yeah. Going back to that Ted Lasso quote, every disadvantage is an advantage.

A

Yes.

B

And so you've got this protection, you got the great firewall, and yet you're kind of awkward.

A

Yeah, she's kind of a dork.

B

Can't really trust that it's going well. Well, I could talk to you about this all day. I love the combination that you had of. Here's what happened. A little bit of context sharing. You put in some of. I could hear your voice gems into the book. And instead of asking to give away more, I think our readers should go get the book. I'm sure you do too, and read it. I wanted to ask you, why did you write this book? Who was it for? Was it for a specific audience? Was it for yourself to organize your thoughts and to figure out your position? Some other reason?

A

Yeah, it was for one of the things that I really love to do and I think is like one of the areas where I find the most joy is explaining very difficult technical subjects in a way that anyone can understand them. And we talked about how I strongly feel like that's a gap that we have in cybersecurity, especially for the general populace, and helping them to understand why cyber attacks matter, why their data matters, why all of this is important. Like the number of times that I've heard someone say to me, well, why would China care about my data? Is like, it's bad. And so what do you say to that?

B

Because I have my feelings on it and I've run into. And I'll group it. Younger guys in particular do not seem to care. And I was talking with the CEO of a company called Cloaked and he actually said that population, younger guys, 18 to 25, they're not good customers for his company, which protects your private data or whatever. And I wondered what it was. Is it a risk, aggressiveness, a lack of information in our population? Is it just a culture thing to just be like, eh, it doesn't really matter? And yet how do you answer that question when somebody says, why would China want my information? It doesn't matter. You know, it's out there. What am I supposed to do?

A

But in reality, if you look at the attacks across time, these nations care the most about your data. They're willing to kill for it. They are willing to constrain companies for it. That's the reality that we're dealing with, is you've got the tech companies on the one hand and you've got these nations on the other, and they're all vying for your data, whether you want to be involved in that system or not, you are involved in that system. And so you can either choose to take control of your information in that environment or you can just pretend like it's not your problem and it's going to be used by one of these groups in ways that you probably don't want it to be, to be manipulated, to track you, to find information about you and your family. Like these are the problems that I'm having is like, I think a lot of the reason why there are people that, especially in the United States, that don't prioritize their data is because they haven't had to. They haven't had to worry about being surveilled or being tracked or being targeted in that way. But especially as we see an uptick in the rise of an authoritarian focus, authoritarian regimes, everyone should be worried about how the data can be used. One of my colleagues, Enza Iannopolo, told me this really fascinating thing when I was doing the interviews for this book that didn't actually make it into the book because I didn't focus so much on Europe. But it clicked something for me that changed, like how I operate in the entire book. She told me that one of the reasons that GDPR was so important to the EU and went in place was because of how Europe had seen Germany and the Nazis use data on Jewish people during the Holocaust. And that to me is the reason that this should matter to people is because Europe made that decision because they saw how data was used and they didn't want data to be used that way again against people. And that could happen to all of us, especially in such a chaotic geopolitical environment.

B

Right.

A

And so that's what makes it so important is it may not be something that you have to deal with right now because of the privilege that you were lucky enough to have. But with where we're at in this geopolitical moment, that can change immediately.

B

Right? Yeah.

A

One of the things that I did in the book is I start with the Gulf War, which is kind of interesting because it's 1990, 1991. We're not really using cyber attacks, but the Gulf War was a huge inflection point for were how multi domain warfare was used in the United States and also how information operations became a part of that. It also kicked off China's rush to try and be more effective in that way because they hadn't before. It was a validation for Russia of their strategy with radio electronic combat and So I wanted to start there because to me that set the groundwork for what we see now. And so I ended the book with Russia's war in Ukraine and showing how effective cyber attacks can be when they're truly integrated into multi domain operations. And so it was fascinating for me because I think that now is the time for a book like this to exist. That is really important because we have seen in the past how we got here. We've seen how effective it can be when used well and how you can really not do a good job with it, to be honest. Like there's a lot of cases where it doesn't make sense, but now is where things are going to start to pick up and we're going to see it be used a lot more and a lot more publicly and a lot more effectively in warfare especially.

B

So you have a story in there about the United States and Benjamin Franklin using disinformation. I won't ruin it for the readers, but if you're even vaguely aware of US history, Benjamin Franklin isn't a contemporary. And then you get to this idea that you just described of how disinformation integrated into multi domain can be incredibly effective. But it always was, it was just the technologies and the scale of the time. There's no right or wrong answer to what happens in five years. But what do you think is next? Do these problems get harder or easier to solve? And what makes that happen?

A

They're about to get much more difficult. We're about to see attribution become a lot harder. We're about to see a lot more dynamic attacks. And a lot of this is, I mean we had to mention AI at least once or twice here. So a lot of this is driven by AI. Like Anthropic's research released late last year that talks about how China state sponsored APT is using AI to orchestrate a attack across the entire lifecycle with like a couple of breaks. For a human to be involved and in the loop is really powerful for what we're going to see in the future. It's something that we have talked about for years, but now we're actually seeing nation states be able to accomplish that. And once they do, like who cares about another zero day? Obviously like I care, but that's not where I think this is most important. Where this is most important is being able to use a AI system to create a more dynamic attack that takes advantage of the vulnerabilities that already exist. Yeah, because like there's so many constraints that we deal with on the hacker side of having to do reconnaissance, understand the operating system, understand the vulnerabilities that version of the operating system has, understand how to create an exploit for that, and then either try to dodge attribution or try to mimic someone else's attribution. All of that gets easier. With AI, all of that becomes more dynamic. It means that the malware that state sponsored actors write is going to be more dynamic and is going to be able to be used across different circumstances more effectively. And so I have a lot of concerns moving forward about how we're going to be able to address that from the defensive side, because it requires even more of an investment in the basics that we have struggled with forever. And it also means that we have to be using AI effectively, which is a whole other challenge and difficulty, much of which the individual enterprise is not equipped to start doing or start doing effectively today.

B

Yeah, well, Ali, thank you for coming on again, two time guest. And once again I feel like I got more out of it than maybe you did because you're brilliant and it's always good to have a conversation with you, especially after getting through some of your book and having some questions and having you expand on it. For me and for our guests here on Threat Vector, I appreciate making time for me today.

A

Thank you so much for having me. These conversations are always so fun. You ask great questions, so it's my treat.

B

That's it for today. If you like what you heard, please subscribe wherever you listen and leave us a review on Apple Podcast. Your reviews and feedback really do help me understand what you want to hear about. If you want to reach me about the show, email me@threatvectoralonetworks.com I want to thank our executive producer, Michael Heller. Mix and original music by Elliot Peltzman. We'll be back next week. Until then, stay secure, stay vigilant. Goodbye for now.

A

Sa.