Sen. Mark Warner (D-Va.), vice chairman of the Senate Intelligence Committee, suggests the U.S. has been asleep at the keyboard while our adversaries were launching cyber attacks with relative impunity. While he says he doesn't want to regulate edge players "into oblivion," he signaled that they may have to be regulated into submission if they don't voluntarily become more of the cyber solution.
That came in a speech Friday (Dec. 7) at the appropriately named Center for New American Security in which the senator proposed a new "Cybersecurity Doctrine" to secure American networks and data. The date was appropriate as well.
"We remember Pearl Harbor as the first foreign attack on U.S. soil in modern history. Unfortunately, we also remember Pearl Harbor as a major intelligence failure," he said. "As Vice Chairman of the Intel Committee, I’ve spent the better part of the last two years on an investigation connected to America’s most recent intelligence failure. It was also a failure of imagination — a failure to identify Russia’s broader strategy to interfere in our elections."
He suggested the next catastrophic attack is already underway. "People keep warning of a 'digital Pearl Harbor' or a 'digital 9/11' as if there will be a single, extraordinary event that will force us to action on these issues. But I have news for you: we are already living these events. They’re happening every day."
So, that force is already with us, he signaled, and the time to act, rather than react, is now.
Warner said the problems on the cybersecurity front were three-fold: 1) we are under attack; 2) the U.S. brought it on itself, in part by "unacceptably low" security in commercial tech, particularly internet of things tech, and in part because large enterprises, including federal agencies, did not use available tools; and 3) we don't recognize that our adversaries, like Russia and China, are working out of a different playbook, merging cyber attacks with information--or mis- and disinformation--operations.
He said the U.S. is just now waking up, but needs to get up and start moving.
The White House has announced a cyber strategy, but Warner says despite a flurry of documents, which he called positive steps, the Administration is still not sufficiently organized or resourced.
He pointed out there was still no White House cyber czar, no cyber bureau or senior cyber coordinator at the State Department. Then there is the problem of many in the private sector being resistant to the "changes and regulation" needed.
And Warner said his own Houses were not in order. "Congress does not have its act together either," he said. "We have no cyber committee. Cyber crosses numerous committee jurisdictions — frequently hindering our ability to get ahead of the problem. It’s even worse in the area of misinformation/disinformation.
"The truth is, we are becoming ever more dependent on software," he said. "But at the same time, we are treating cybersecurity, network resiliency, and data reliability as afterthoughts."
What's a country to do?
Warner's doctrine has five major components:
1. There need to be international norms and rules for the use of cyber and information operations, certainly among allies and among adversaries if possible (sort of a Geneva Convention for cyber, a version of which Microsoft is proposing). He said that by not taking the lead, "We are allowing other nations to write the playbook on cyber norms."
He also said there needed to be a conversation about both defensive and offensive cyber tools, something the White House has also said it needed.
2. He called for a society-wide effort to combat misinformation and disinformation on social media--and that includes the private sector. Warner said platforms like Twitter, Facebook, Reddit, YouTube and Tumblr "aren't doing nearly enough to prevent their platforms from becoming 'petri dishes' for Russian propaganda."
Warner said he did not want to regulate those companies "into oblivion"--Warner is a former tech exec himself--but added quickly: "as these companies have grown from dorm-room startups into media behemoths, they have not acknowledged that their power comes with great responsibility."
Warner said he wanted edge provider input on solutions, but said that Congress is quickly moving to a point where it will have to "act on its own."
3. The U.S. needs to harden its computer nets, weapons systems and IoT devices. "[O]ur nation’s strategic response must also include greater vigilance by the private sector, which has frequently resisted efforts to improve the security of its products," he said. Warner said the days when avoiding legislation was part of a strategy to set a global light-touch standard need to give way to the recognition that while regulations have costs--he is a businessman and knows that--inaction has costs, too.
Warner said the government should at least set minimum security standards for devices it purchases. And there should be financial penalties for companies that fail to secure their systems from attacks.
4. There needs to be a realignment of defense spending priorities, redirecting some of that $700 billion into cyber defense. "I worry we may be buying the world’s best 20th century military hardware without giving enough thought to the 21st century threats we face," he said.
5. The President and the federal government must lead for any cyber doctrine to be effective, he said. "It’s true, there are men and women within DoD, DHS, and other agencies who are working hard to defend the United States from cyberattacks.
"But only the President can mobilize the whole-of-society strategy we need."
Warner says there are cyber war powers the President could and should exercise, including "authority to direct Cyber Command to respond and deter 'an active, systematic, and ongoing campaign of attacks' carried out by Russia, China, North Korea, and Iran."