Afternoon Cyber Tea with Ann Johnson 3.17.26
Ep 127 | 3.17.26

Code War with Allie Mellen

Transcript

Ann Johnson: Welcome to "Afternoon Cyber Tea." I am your host, Ann Johnson. On "Afternoon Cyber Tea," we focus on where innovation and security intersect. From the front lines of digital defense to the groundbreaking advancements shaping our digital future, we bring the latest insights, expert interviews, and captivating stories to help cyber leaders and defenders stay one step ahead. [ Music ] Today on "Afternoon Cyber Tea," I am joined by Allie Mellen, a Principal Analyst and one of the most clear-eyed voices in cybersecurity today. Allie is also the author of a new book, Code War: How Nations Hack, Spy, and Shape the Digital Battlefield, which takes on one of the most misunderstood topics in our industry, nation-state cyber conflict, and what that really means for leaders, boards, and organizations navigating an increasingly complex digital world. Welcome to Afternoon Cyber Tea, Allie. It's great to have you.

Allie Mellen: Thank you so much for having me. I'm thrilled to be here.

Ann Johnson: Well, first, congratulations on your book. I definitely want to talk about that a bit and start there because Code War feels both timely and a little bit overdue. For leaders who hear "nation-state cyber" and immediately think this does not apply to them, how would you describe what this book is really about and why you felt compelled to write it now?

Allie Mellen: Thanks. Yeah, it's so funny that you say that because I, too, feel like the timing, on the one hand, is very, very good, unfortunately, but also, things just change so much constantly that the book could have been written at any point, and I think there would have been a lot of value in having it out there. Ultimately, what Code War is about is it is the intersection of cybersecurity and geopolitics. It is all about how the histories of Russia, China, and the United States have led to the way that they use cyberattacks and defenses against other nation-states and their citizens. In the book, I go back to Tsarist Russia and Imperial China, and I pull out themes that put into context why these nations use cyberattacks the way that they do. That's the first piece of what it's about, but it's actually about more than that as well. I start the book off with a quote from Richard Feynman and his 1986 Rogers Commission Report on the Challenger Shuttle disaster, which is, "For a successful technology, reality must take precedence over public relations, for nature cannot be fooled." I really love this quote. I think that it is -- of course, it was very timely when it was first given, when it was referencing how technical failures can't just be covered up by press releases and good PR. You can't just pretend that they don't happen, but I also find that this quote is so applicable to cybersecurity and to the world that we operate in every day, just in a very different way. Throughout the book, I emphasize that without a real-world impact, without a real-world purpose and meaning, cyberattacks and defenses by nation-states, they're just not going to happen. They're motivated by something that every person can understand, by some element of national power, whether that's diplomatic, economic, military, or resource-related. At the end of the day, that's the true meaning of this book, and what I really wanted to get across is that reality must take precedence.
I ground every attack and defense I talk about in the historical context, but also, the modern context that helps explain that motivation better and what the nations were really looking to get out of that attack in that moment.

Ann Johnson: I love that concept, and I often talk about nation-states, and I think it ties in well to your book because I talk about the fall of Rome, and actually, how a lot of it had to do with the actors poisoning the external water supplies, because they realized they could starve out the population that way. That's just another type of defense that needed to be put in place that you weren't thinking about at the time. I try to correlate that to cyber, so I love the fact that you've written a book that actually takes historical context and correlates it to cyber.

Allie Mellen: That is so cool. I love that reference. I think that's so topical, because to your point, or what I imagine you're getting at with that is that, like, it's -- and what I talk about a lot in the book, is that cyberattacks are another tool at a nation's disposal. They are not the only tool. They are not the most important tool, but when they're used well, they can be really effective for what that nation wants to do.

Ann Johnson: Yeah, and it's all about infrastructure.

Allie Mellen: Yes.

Ann Johnson: Carrying that theme forward, one of the things you actually do beautifully in the book is you strip away the mythology about cyberwar, the idea that it's chaotic or that it's even mysterious, or driven by these shadowy geniuses. What do you think is the most dangerous misconception leaders still have about nation-state cyberattacks?

Allie Mellen: Honestly, it remains that these attacks won't happen to them, that they don't apply to them. I especially see this with small and mid-sized businesses, and unfortunately, the reality is that it's just not true. I think about, and I talk about in this book, NotPetya as a great example of this. How did NotPetya start? It started with this tax document software created by this company, Intellect Service, which was a small, family-owned Ukrainian company that just made tax software and was just doing that for the country of Ukraine. It was a small business. It was a family-run business, and it ended up causing such a larger conflict when it was originally hit. Especially in the past few years, and I know that your team has done a ton of research here that's been really valuable to paint this picture. The supply chain is everything. It is the way in for so many threat actors that don't want to just target the big players and want to find ways in that are a little bit more simple for them, or where they can take advantage of some things that they might not be able to take in these larger scenarios. Unfortunately, like, the scale that you can get with those attacks is everything, too. Especially as we move forward, as we continue to somehow be even more interconnected than we are already today, that is the thing that really needs to be driven home is that, at the end of the day, everyone has a role to play in this. It's important that we address that at the source and do our best to have the strongest security posture possible.

Ann Johnson: I think that's right. I do think that a lot of folks, when they think about nation-state actors, they think that they're going to attack the largest companies in the world, right, the Global 2000 or the Fortune 500. In reality, they're not always there, right? They often find the softest targets to make a point.

Allie Mellen: Exactly.

Ann Johnson: A core idea is that -- and I love this, but the way you talk about it, it's that cyber activity reflects national identity, whether it's history -- you talked about a little doctrine, even culture, and you focus heavily on the US and on Russia and on China. What should executives understand about how these differences actually play out in cyber operations?

Allie Mellen: It was really fascinating as I was writing this book, because I originally started out with the intent to just look at the cyberattacks that these nations were perpetrating and focus most of my energies on that. What I found is the more I went into it, the more that I couldn't ignore the regulations that were being put in place, the defensive actions that were being put in place, and the actual choices that the governments had made and the social contracts they'd established with their people, and how all of those things factored into the defensive and offensive decisions they could make and what was available to them. It's been really interesting because I do feel like when we look at the United States as an example, it's so much quieter with the attacks, or it has historically been so much quieter with the attacks that have been perpetrated, much more focused on being clandestine as much as possible, concealing the existence of the operation in any way possible. A part of that is because there is an expectation that the US is going to act a certain way on the global stage, but you can contrast that with other nations. We can go beyond China and Russia into North Korea as an example. They use the cyberattacks that they do, particularly, to gather resources through Bitcoin and other cryptocurrencies because there's no reason for them not to. It's not like we could sanction them more at this point, so they might as well go and use cyberattacks that way. Or you can look at Russia and see just how bombastic a lot of the attacks that they use are and how loud a lot of the attacks that they use are, because at the end of the day, all the attacker groups associated with Russia are trying to do is get as much attention, as much meaningful attention, from Putin as they possibly can. 
I find that really interesting because when we look at a lot of the historical decisions that have been made with these cyberattacks, so much of the success of the cyberattacks nation-states perpetrate is based on the coordination that they have between different branches of the military, and so when you've set up a system like there is in Russia where everyone is vying for some type of attention from Putin, it makes it so much more difficult to execute these attacks in a coordinated way where everyone plays their own part. We see that it's an even more different thing in China, where they've set up such a walled garden for themselves where there's so much censorship, there's so many websites that you can't even access, that there are a lot of instances where Chinese hackers will hop onto a box that's outside of China just so that they can log into their own Facebook accounts or their own X account because they want to be on social media, but they can't in their home country. In other cases, the Chinese government outsources a lot of hacker activity to countries like Malaysia because they can't actually execute those actions directly in China. It's fascinating to see the workarounds that they have to do in order to make it work, especially when put in the context of the geopolitical presence that they have and their choices within their own social contracts in their own nations.

Ann Johnson: When you think about the average CISO, and a lot of the listeners to the podcast are CISOs, they're really stretched thin. They're balancing an awful lot. They're balancing identity. They're balancing ransomware. They're balancing cyber hygiene. They're balancing AI security. They're balancing cloud, and then they see these constant headlines about nation-state attacks. What advice would you give them about when they should worry about nation-state cyber risk and when is it just a distraction?

Allie Mellen: This is such a good question because I feel like it's always something where much of the cybersecurity community is saying, you need to be worrying about this. It's like the boy who cried wolf in some ways, even though it is an important issue that we need to pay attention to, but I'd say tangibly, it is hard to deny that if there was a moment to be worried about nation-state cyberattacks, geopolitical risk, that moment is now. It has to be now. There are times when it is more of a distraction than a help, but this is not one of those times. When I was writing this book last year, I had so many moments where I thought to myself, gosh, I wish this was coming out right now and that I could release it right now, because I feel like it's so relevant. Now, as I look back on that, I'm like, thank God I didn't, because this is the time that we need to be having these deeper conversations within security and within other areas of the enterprise and even to the level of citizens and consumers. We are at an inflection point right now. Russia's war in Ukraine has evolved hybrid warfare and shown just where it can and cannot be effective. There's a big shift happening in the world order that is leading to deeper splintering of the internet, greater focus on digital sovereignty, fracturing alliances. We see that surveillance technology is becoming more ubiquitous and, unfortunately, seeing that some tech companies are deprioritizing privacy in lieu of their own type of political maneuvering. All of this is against the backdrop of constantly changing geopolitical conflicts like those that we're seeing in Venezuela and in Iran. This is the tipping point where nations are becoming more aggressive with their offensive cyber operations. We even saw this as one of the top pillars in the Trump administration's National Cyber Strategy for 2026. 
The collateral damage of more offensive nation-state activity is inevitably going to be the private sector, and so we need to take this into account as we enter an age where we're likely going to see much more aggressive cyberactivity from the typical threat actors we'd expect, but also from a lot of the Western nations, including the US as well.

Ann Johnson: Yeah, I think that we're definitely wading into pretty dangerous waters here, and it will be a trying time for CISOs. It'll be a trying time for any security professional because they're also trying to balance sovereignty conversations and resilience conversations with cyber conversations and, of course, AI, which we're going to talk about in just a second, but if you had just one piece of advice to a CISO that's trying to balance all this, what would you tell them?

Allie Mellen: Right now, every organization should be holding regular meetings on geopolitical risk and the geopolitical threat landscape. These should be happening at least once a quarter, but if you have the resources to do so, they should be happening more often and when new conflicts break out. At the end of the day, there are a lot of organizations that may not be direct targets of some of the threat actors associated with these conflicts, but the conflicts that are breaking out make them even more of a priority than they were before. That's where the big change is taking place and one of the things that makes this so important and to have these conversations so quickly is that, ultimately, while you may not be a target today, you could be a much higher priority target tomorrow because of what's happening on the geopolitical stage.

Ann Johnson: Yeah, I think that makes perfect sense and it's rapidly evolving, so making certain that you're connected to the FBI if you're in the US or your regional or state national law enforcement entity, making sure you're connected to your physical security folks, and making sure you're just staying up to speed on world affairs is increasingly important for CISOs. Let's talk a little bit about AI. We can't get through any conversation in the year 2026 without talking about AI. You explore how AI is changing the digital battlefield and potentially accelerating everything. What concerns you more right now, AI empowering highly capable cyber powers or AI lowering the barrier for everyone?

Allie Mellen: This is such an interesting question because it is a difficult one, right? It's very important to keep track of the fact that AI is lowering the barrier to entry for everyone else, but to be honest, as I think about AI -- and keep in mind, I'm a big skeptic in general of technology. I've been a big skeptic of AI for a while, but I'm starting to see the tide turn here. I am definitely more worried about AI empowering highly capable cyber powers because at the end of the day, what we're seeing is there's so much potential with what we can do with AI as attackers and as defenders that whoever gets to that first is going to have a significant advantage. If we look at, for example, the Anthropic report that was released last year, that research goes into how they're seeing Chinese state-sponsored threat actors attempting to automate as many aspects of a cyberattack as possible using AI. Admittedly, they're not able to automate the entire process yet, but I 100% expect that's going to come this year, and I have big concerns about that. My background is as a hacker. I understand just how many constraints hackers have and how difficult it can be when you're thinking about the malware that you're going to create and how you have to understand the operating system you're working off of. You have to understand the vulnerabilities that system could have. You have to build exploits specific to that system. It's a lot of work, but with a jailbroken LLM, you could realistically be able to do that by just issuing a couple of prompts to AI, which would make it not only faster but also much more dynamic in the malware that's being created. If the attackers are able to break through and accomplish that, then we need to have an equivalent way to respond to those situations and to prevent that from taking place, or at least prevent it from being effective.
And so in the long term, and to be honest, in the relatively short term, that's one of my biggest concerns, and I expect that once that happens, it's going to trickle down to the cybercriminal community and to some individuals that maybe have a little bit less skill than others and need the barrier to entry to be lowered for them, and that will lower it significantly.

Ann Johnson: I agree. I completely agree. I think that one of the bigger challenges we're going to have isn't necessarily the nation-state actors adopting AI, because they will. We know they're going to, right?

Allie Mellen: Yes.

Ann Johnson: But we also understand them in a meaningful way, and we don't understand, necessarily -- I'm always more worried about the random person, either the hacktivist or just somebody that's doing cyber financial gain and has no other motivation and what damage they're going to do in doing so. Let's talk a little bit about signal. What is one signal that leaders today should be watching to tell -- a couple of signals? One, that AI is becoming a threat vector that they should be concerned about, particularly in their enterprise, but two, that the rules of cyber conflict are shifting and, potentially, their geography or their sector or their industry is going to be targeted.

Allie Mellen: On the AI front, it's definitely a factor here that organizations need to be paying attention to the research that's coming out. I do think that the model providers have a significant responsibility here to be identifying just how effective threat actors that are potentially using their models are able to be with those capabilities, because that type of research is going to be what gives us visibility into how these attacks are being done, because at the end of the day, like, realistically, the attacks being done using AI agents could look very similar to those that are done by a typical threat actor. They ideally would be -- would look very similar. I think there are some exceptions that you could find with things like the number of times a certain port or endpoint is hit, that type of thing, but ultimately, it's copying the things the normal threat actor would do. It's just doing them in a much more dynamic and potentially faster way. We need those types of signals from the model providers, but on the geopolitical front, I do think that what we're seeing now with the latest in Trump's national cyber strategy for 2026 and the response to it is a big signal for how cyber conflict is going to shift. We saw in the Trump administration's first term that they prioritized initiatives like Defend Forward, which pushed more offensive cyber operations and had a bunch of really powerful successes in stopping attackers at the source. I expect, and based on the cyber strategy, that we are going to continue to see more offensive cyber activities take place, which is going to cause retaliation from the threat actors that they're targeting, unfortunately, likely to hit the private sector. That's one factor that's worth noting is a lot of what these nations and governments are saying they're going to do with the cyberattacks and defenses that they have. The other factor is definitely just what is the situation in the world? What new conflicts have broken out? 
Those are the signals that are going to make a difference, and we need to be keeping track of those as closely as possible, just for our own experiences in the world and in the world of business, but also because of the implications that cyberattacks caused by those conflicts could have.

Ann Johnson: I think that makes perfect sense, and I think you're -- I called you at the beginning "clear-eyed." I think you're very clear-eyed about it.

Allie Mellen: Thank you.

Ann Johnson: Before we wrap, we have a couple more questions. I want to take a moment just to reflect on your personal journey. What surprised you the most while writing Code War, and how did it change how you think about leadership or responsibility in cybersecurity?

Allie Mellen: My hypothesis going into writing this book was that I'd be able to tie a lot of historical references, like, we're talking -- like I mentioned earlier -- BCE China, to the modern-day cyberattacks that are being perpetrated. I'm not going to lie. It was surprising when that theory was proven to be correct in its own way, because it is a big ask to look back at some of these historical moments, but in every chapter of the book, I start with a historical example and then show how it ties through. One of the ones that, kind of, I found to be the most surprising and the most interesting was when I started to look at some of the attacks on US elections that have happened over the years. What I found is that of all things, it is strongly related to Edgar Allan Poe and his death. Are you familiar with that at all?

Ann Johnson: Not terribly, so I'd love to hear it.

Allie Mellen: Okay, awesome, so I found this so fascinating. I didn't know it before I wrote the book, but Edgar Allan Poe, the way that he died is very mysterious. He was actually found lying in a gutter outside of a polling location called Gunner's Hall in Baltimore, Maryland. He was incoherent. He was in poorly fitting clothes, which was not typical for him, and he was reeking of alcohol. When he was found, he never regained consciousness. He was in and out of hallucinations, and he eventually died a couple of days later. This is very mysterious, according to some of the Poe biographers that exist, because all of it was very unexpected for them. Oddly enough, Poe had left Richmond, Virginia, a week prior to go to Philadelphia, but he never actually arrived and instead very randomly turned up in the gutter in Baltimore on election day. It's very mysterious, and many biographers who talk about Poe still don't know exactly what happened. However, they have one very enduring theory, which is that Poe died after being a victim of what's called cooping. During this time in Baltimore and in much of the United States, there was very rampant voter fraud. This was in the 1850s. One of the most common methods of voter fraud was called "cooping." It was where people were kidnapped and forced to vote for one candidate multiple times. The kidnappers would beat these people into submission, dress them up in different outfits each time they went to vote, so they wouldn't be noticed as repeat voters -- kind of crazy stuff. This was also a very different time in the US, one where voters were given a little treat of alcohol after voting. It was considered their little reward for voting, so ultimately, if you voted multiple times in one evening, you would get pretty drunk by the end because you'd get multiple little treats.
The polling location that Poe was found outside of was well known for being used for cooping, and some speculate that was actually how Poe died, was that he was a victim left to die after the voting was done. Now, by the late 1800s, many reforms were introduced to prevent cooping and other methods of voter intimidation, so they did things like instead of party-distributed ballots, secret ballots administered by the government were adopted to ensure voter anonymity. Voter registration requirements were adopted to ensure that voters would register in advance to be eligible to vote and to prevent some repeat voting and issues like that. Those reforms, especially those that were implemented in the late 19th and early 20th centuries, those were what fundamentally changed voting in the United States and made it very difficult to execute voter fraud on a large scale. Yet, as we see to this day, the fears of voter fraud still persist, and in the book, I take this example and tie it into a lot of the challenges that we saw in the 2016 and 2020 US elections and some of the concerns that come through there. It's just been so fascinating how these things that happened so long ago have such a big and important tie to the way that cyberattacks are used today and to some of the challenges that we have using cyberattacks to execute particular attack techniques.

Ann Johnson: It's fascinating, absolutely fascinating. Well, I always wrap Afternoon Cyber Tea with optimism. I know that for everything in the news, there's thousands of things that defenders have blocked, so what are you optimistic about with the future of cybersecurity?

Allie Mellen: This is such a good question because sometimes I do struggle a little bit to be optimistic here, and I go and talk to a lot of my friends in the industry and I'm, like, what keeps you doing this? What keeps you optimistic about this situation? For me, it ultimately comes back to the community that we have in cybersecurity and the people that we have in cybersecurity. I have met so many great people through this, so many brilliant people, who are very dedicated to what they do, very mission-driven, and in many ways, it is about the creativity that they bring to the problems that we're solving. As we see tech evolve, as we see AI evolve, what we're seeing is a group of people that are very dedicated to making the best out of this and making sure that technology is used in a safe, responsible way and a secure way, and so that's the thing that gives me the most hope is that, like, even as I was doing the research for this book, I was able to interview so many amazing people who give such incredible perspectives on the state of the industry, on the history of cyberattacks and how these types of things happen, and have a unique perspective on the future. I think that so long as we keep that spirit of creativity and that mission-driven purpose, we have so much opportunity here.

Ann Johnson: I think that's fantastic, and I really appreciate you joining us today, Allie. I appreciate the clarity, the perspective you bring, and what I appreciate about Code War is that it does not just explain how cyber conflict works, it challenges leaders to think differently about power, about intent, and about responsibility in the digital age. It is not a book about panic. It's a book about clarity, so for our listeners, Code War: How Nations Hack, Spy, and Shape the Digital Battlefield is available now, and Allie, where can people go to learn more about the book and also about your work?

Allie Mellen: Yeah, so the book is available anywhere books are sold. You can find it on Amazon, Barnes & Noble, Blackwell's for international, and you can find out more about the subject and my thoughts as we move forward into this year on Substack at The Latest Breach, and, of course, happy to connect and chat on LinkedIn at any time. I'd love to hear from anyone who reads the book and exactly what you think of it, so please reach out.

Ann Johnson: Awesome, and many thanks to our audience for tuning in. Join us next time on "Afternoon Cyber Tea." [ Music ]