The U.S. government has failed for decades to mount a workable defense against foreign cyberattacks and disinformation campaigns and must shift tactics or risk losing this century’s major battles, Sen. Mark R. Warner said in a cyber-policy speech Friday.
That shift should include greater investments in military cybertechnology, more funding for cybersecurity research and development and a reinvigorated process of building international cyber norms with allies and punishing nations that violate them, Warner (D-Va.) said during a speech at the Center for a New American Security think tank.
One new global rule the United States could advocate would be an agreement that nations will not hack one another’s private companies, he said.
Warner, who is the ranking Democrat on the Senate Intelligence Committee, attributed U.S. cyberdefense failures to numerous causes, including underinvestment at the State and Defense departments, convoluted oversight by overlapping congressional committees and market incentives that do not reward companies for investing in cyber protections.
He also called out Facebook, Twitter and other social media companies, saying they are not doing enough to secure their platforms against malign influence operations such as the Russian campaign that spread disinformation in advance of the 2016 election.
Warner, a former telecommunications investment executive, is leading the Senate’s investigation into Russia’s influence campaign, along with Sen. Richard Burr (R-N.C.), chairman of the Intelligence Committee.
The government’s underinvestment in cybersecurity has been partly driven by a naive belief that the U.S. model of a free and open Internet would naturally beat out Russian and Chinese models, which view the Internet as a place for commerce but also for censorship and disinformation operations, Warner said.
“In fact, China has been wildly successful at harnessing the economic benefits of the Internet in the absence of political freedom,” Warner said, adding that “today, China’s cyber and censorship infrastructure is the envy of authoritarian regimes around the world.”
Warner criticized a lack of “presidential leadership” on cybersecurity and faulted the Trump administration for downsizing cyber offices at the White House and State Department.
He also pointed to longer-term lapses, such as a failure to adequately protect major Pentagon weapons systems from cyberattacks.
Warner broke from typical government practice by urging the government to outline predetermined responses for nation-backed cyberattacks based on the perpetrator, the target and the severity of the attack.
Those responses could range from indictments and economic sanctions to retaliatory cyber-strikes and conventional military operations.
U.S. officials have typically argued that it would be counterproductive to predetermine responses to a cyberattack because that would limit the government’s flexibility and invite adversaries to walk up to a point that would invite retaliation but not cross it.
Warner acknowledged, however, that it will not be easy to halt Russia’s digital assaults and that the United States’ extreme reliance on Internet-connected technology would make it more vulnerable in an escalating tit-for-tat cyber-conflict with its former Cold War adversary.
“If a cyberattack shuts down Moscow for 24 hours with no power, that’s a problem,” he said. “But if someone were to shut down New York for 24 hours with no power — that would be a global crisis.”