Senate Intelligence Committee Vice Chair Warner on Cyber Threats CSPAN December 7, 2018 11:51pm-12:33am EST
>> now mark warner called for the adoption of a cyber strategy. he warns that foreign powers like russia and china are ahead of the u.s. in cyber warfare. this is 40 minutes. >> sen. warner: thank you so much, i apologize about being a little bit late. i can unambiguously say that when i was governor there was a lot less traffic. [laughter]
i want to thank the center for american security and victoria who i've had a chance to know and respect and i appreciate your leadership here. mr. fontaine it's great to see you, and ely ratner was involved in putting this event together as well. this is, i share with what victoria said, one of the most urgent challenges of our time. the use of cyber warfare by our adversaries and the need for us in the united states to articulate a clear and thoughtful u.s. cyber doctrine. a little unusual we're doing this today on december 7th, which is an auspicious date in our history. we remember pearl harbor as the first foreign attack on u.s.
soil in modern history. unfortunately, we also remember pearl harbor as a major intelligence failure. as vice chair of the intelligence committee i've spent the better part of the last two years on an investigation connected to america's most recent intelligence failure which was also a failure of imagination. a failure to identify russia's broader strategy to interfere in our elections. our federal government and institutions were caught flat-footed in 2016. and our social media companies failed to anticipate how their platforms could be manipulated and misused by russian operatives. frankly, we should have seen it coming. over the last two decades, adversary nations like russia have developed a radically
different conception of information security, one that spans cyber warfare and information operations. i fear that we've entered a new era of nation state conflict, one in which a nation projects strength less through traditional military hardware and more through cyber and information warfare. for the better part of two decades, this was a domain where we thought in the united states we had unparalleled superiority. but thinking of -- the thinking was our cyber capabilities were unmatched. our superiority allowed us to write the rules. this confidence appears to have blinded us to three important developments. first, we are under attack and candidly we have been under attack for many years.
our adversaries and their proxies are carrying out cyberattacks at every level of our society. we've seen state-sponsored or sanctioned attacks on our healthcare systems, energy infrastructure, and our financial system. we are witnessing constant intrusions into our federal networks. we are seeing regular attempts to access parts of our critical infrastructure and hold them ransom. last year, we saw global ransomware attacks increase by 93%. denial-of-service attacks increased by 91%. according to some estimates, cyberattacks and cybercrime account for up to $175 billion in economic and intellectual property loss in north america alone. globally, the estimates are closer to $600 billion.
and typically, our adversaries aren't using their most sophisticated cyber tools. they are attacking opportunistically, using phishing techniques and figuratively rattling unlocked doors. this has been happening under our noses. the effects have been devastating yet the attackers have faced few if any consequences. second, in many ways we brought this on ourselves. we live in a society that is becoming more and more dependent on products and networks that are under constant attack. yet the level of security we accept in commercial technology products is unacceptably low. particularly when it comes to the growing internet of things. the problem is only compounded by our society-wide failure to promote appropriate cyber
hygiene. it's an outrage that more digital services from email to online banking don't come with default two-factor authentication and it's totally unacceptable that largest enterprises including federal agencies aren't using the available tools of defense. lastly, we have failed to recognize that our adversaries are working from a totally different playbook. countries like russia are increasingly merging traditional cyberattacks with information operations. this emerging brand of cyber warfare exploits our greatest strengths, our openness and free flow of ideas. and unfortunately, we're just not waking up to that fact. looking back the signs have been pretty obvious. 20 years ago serving as russia's
un ambassador advanced a draft resolution at the united nations dealing with cyber and prohibiting particularly dangerous forms of information operations. now we can debate the sincerity of russia's draft resolution but in hindsight, the premise of this resolution is striking. specifically the russians saw cyber warfare and cyber espionage interlinked with information operations. it's true that as recently as 2016 in the russia operations against our system there the cyber operations, the hacking of the dnc and emails, was carried out with one vector and the misinformation and ira activities were on a separate track, but there's no doubt putin and his leadership now sees the full potential of marrying these cyber operations. by contrast, our country spent
two decades treating information operations and traditional information security as distinct domains. and increasingly, we treated info operations as quaint and frankly outmoded. just a year after lad the united states eliminated the information agency relegating counter propaganda and improper information operations to a lower tier of foreign policy. in the two decades that followed the u.s. embraced the internet revolution as inherently democratizing. but we ignored the warning signs outside the bubble of western democracies. the naivety of u.s. policymakers extended not just to russia but to china as well. recall when president clinton warned china that attempts to
police the internet would be "like nailing jell-o to the wall." in fact, china instead has been wildly successful at harnessing the economic benefits of the internet in the absence of political freedom. china's doctrine of cyber sovereignty is the idea that a state has the absolute right to control information within its border. this takes the form of censorship, disinformation, and social control. it also takes the form of traditional computer network exploitation. and china has developed a powerful cyber and information affairs bureaucracy with broad authority to enforce their doctrine. we see indications of the chinese approach in their successful efforts to recruit western companies to their information control efforts. it's pretty amazing to me that google is actually looking to
work with china to develop a censored version of its search engine in china. today, china's cyber and censorship infrastructure is the envy of authoritarian regimes around the world. china is now exporting both its technology and its cyber sovereignty doctrine to countries like venezuela, ethiopia, and pakistan. with the export of these tools and ideas, with countries like north korea and iran copying russia's disinformation playbook, these challenges will only get worse. and yet, as a nation, we basically remain complacent. now despite a flurry of strategy documents from the white house and dod the federal government is still not sufficiently organized or resourced to tackle this hybrid threat. we have no white house cyber czar, no cyber bureau or senior
cyber coordinator at the state department. and we have insufficient capacity at both state and dhs when it comes to both cybersecurity and disinformation. our global engagement center at the state department is not sufficiently equipped to counter propaganda from our adversaries. and the white house has not clarified the cyber across the whole expanse of the usg. some of the private sector to grapple with these challenges many more remain resistant to changes and regulations needed. and the american people are still not fully aware and cognizant of the threat. they have not internalized the lessons of the last few years. we have a long way to go on cyber hygiene and online media consumption habits. let me be clear. congress as well does not have its act together. we have no cyber committee,
cyber -- across numerous committee jurisdictions frequently hindering our ability to get ahead of the problem. it's even worse in the area of misinformation and disinformation. and the dangers are only growing as new technologies such as deep fakes where audio and video information can literally put words in the mouth of a business leader or any other leader or official and these efforts are now being commercialized. the truth is, we all know as a nation we are becoming ever-more dependent on software. but at the same time, we are treating cybersecurity, network resiliency, and data reliability as afterthoughts. and these vulnerabilities will only continue to grow as our so-called real economy becomes inseparable from our digital economy. if we need to turn this around we need not the whole of government approach but a whole
of society cyber doctrine. what would a u.s. cyber doctrine look like? it's not enough to simply improve the infrastructure and computers and data. we must also deal with adversaries who are using american technologies to exploit our freedom, our openness, and basically attack our most important asset, our democracy. so let me modestly lay out five recommendations. we need to develop new rules and norms for the use of cyber and information operations. and we need to better enforce existing norms. and most importantly, we cannot do this alone. we need to do this on an international scale. we need to develop shared strategies with our allies that will strengthen these norms. and when possible, we need to get our adversaries to buy into these norms as well. the truth is, our adversaries continue to believe there won't
be consequences for their actions. now we all know in the post-9/11 national security environment we spent tremendous energy combating terrorism and rogue states, and that was appropriate for terrorism. we've allowed our near adversaries to operate with relative immunity when they attack the united states in the digital domain. there have been reports in the press about the united states supposedly pushing back at second-tier adversaries on occasion. and some of these items we all know about. we frankly largely avoided this with russia and china out of a fear of a cyber escalation. i think we all would recognize if the cyber tools somehow moscow got shut down for 24 hours it would be a problem. but if someone shut down new york for 24 hours, it would be a global crisis. and as a result, for china and
russia, it's pretty much been open season in terms of their attacks against the united states. this has to come to a conclusion. we need a national conversation about defensive and offensive tools we are willing to use to respond to the ongoing threats we face. in short, we need to start holding our adversaries accountable. failing to articulate a clear set of expectations about when and where we will respond to cyberattacks is not just bad policy, it's downright dangerous. we are looking other nations and allowing them to write the playbook on cyber norms. part of this is the result of u.s. inaction. from the late 90s into the early 2000's the u.s. was a consistent dissenting voice at meetings where cyber norms were proposed.
in part this reflected our version the piecemeal approach to cybersecurity. it also reflected a view that we didn't want as america to be bound by lesser nations. in 2015, there was a major effort at the un including the united states in this case to agree to principles of state behavior in cyberspace. we saw international consensus around political infrastructure and mitigating cybercrime. unfortunately, these 2015 principles at the un failed to address economic espionage. and even the short-lived 2015 u.s.-china cyber deal was insufficient. and in 2017, disagreements between the u.s., china and russia led to a deadlock on the question of how international law should apply to cyber conflicts. let's acknowledge that since that time little progress has
been made. it's true some folks in the private sector and ngo space have stepped up. look at microsoft, and geneva convention. look at the recent paris call for trust and security in cyberspace that was signed by 57 nations. but not the united states. this is another example of the united states stepping back on the world stage and allowing countries like france to fill the void. recently the united states government and state department in particular have renewed efforts to advance norms and norms discussion. these efforts must be elevated and strengthened. but norms on traditional cyber attacks alone are not enough. we need to bring information operations into debate. this brings support for rules for internet's potential for oppression. we need to present alternatives
that explicitly embrace a free and open internet and we need that responsibility to extend not only to government, but to the private sector as well. we need multi-lateral agreements with key allies just like we've done with international treaties on biological and chemical weapons. that discussion needs to address mutual defense commitments. we should be linking consensus principles of state behavior in cyberspace explicitly with the deterrence and enforcement doctrines. u.s. policymakers with allies should predetermine responses for potential targets, perpetrators, and severity of attack. that means clearly and publicly linking actions and counter measures to specific provocations. that could mean sanctions, export controls or indictments, it could even include military
action or other responses. now we should be realistic though about the limits of norms in shaping behavior. let's not kid ourselves. at least in the short run nations like russia that routinely ignore global norms are not going to make an about-face in the cyber domain. but this should not deter us. it should give us a more realistic set of expectations for how quickly we can expect to see results. but the stronger we make the alliances the more teeth we can apply to these norms and the more countries we can recruit to them, and the more effective they will be at disciplining the behaviors of russia, china and other similar adversaries. my second recommendation is we need a society-wide effort to combat misinformation and disinformation, particularly on social media. my eyes were open to this through the intel committee's investigation on the russian
incursion. everyone on the committee, democrat, republican alike, agrees that the linkage between cyber threats and disinformation is a serious challenge. especially on social media. and again in some ways the misuse and abuse of social media was a whole new world for the intel community. it's now clear that foreign agents used american-made social media to spread disinformation and hijack our civil discourse. and again let's recap. the russian playbook in 2016 included cyber penetrations of our election infrastructure, hacks and weaponizing of leaked information. amplification of divisive pro-kremlin messages via social media. traditional overt propaganda, funding and supporting extreme candidates or parties, and misinformation, disinformation, and the real thing in terms of fake news.
the goal was and is to undermine our faith in facts, our faith in the news media, and our faith in the democratic process. the truth is none of this ended in 2016. this is an ongoing threat, and not just to the united states. we've also seen these tools used against all western democracies. we've seen them used to incite racial and ethnic violence in countries like -- this threat is serious in countries with low media literacy. in those countries social media is the internet. so what do we do? how do we combat this threat? we can start by recognizing that this is truly a problem. a 21st century cyber and misinformation doctrine should lean more into our alliances like nato, and other allies who share our values. earlier this year, senator rubio
and i brought together a group of 12 parliamentarians from across our nato allies and every one of our nato countries have seen russian intervention within their election process or their civil society. we have 12 parliamentarians together at the atlantic council. we focused the meeting on combating russian election interference. that was the very same day that president trump appeared on the international stage with president putin, and we saw an american president -- to a russian leader. meanwhile we were working with our nato allies to develop a roadmap for increased information to inventory russian aggression. in many countries the truth is because they've experienced this for a longer period of time.
these countries are further along in educating their populations about the threat of misinformation and disinformation. last month, i met with the prime minister of finland. as he put it, the finns have been dealing with russian misinformation for well over a hundred years. but finland is one of the most resilient countries when it comes to countering this threat from its neighbor to the east. i asked why. again, i believe it's partially because of their whole of society approach. it relies on a free press, it maintains trust through strong self-regulatory mechanisms and high journalistic standards. it places a limit on the use of social media platforms particularly for the very young. they also have a vibrant digital civics initiative, something we desperately lacked. finland's approach also depends on a national leadership that stays true to its values. even in the midst of contested
elections and its own brand of partisan politics. here in the united states it will take all of us, the private sector, the government, including us in congress, as well as the american people to deal with this new and evolving threat. in terms of the private sector the major platform companies like twitter and facebook, but also reddit, youtube, tumblr, aren't doing nearly enough to prevent their platforms from becoming petri dishes for misinformation and propaganda. i don't have any interest in regulating these companies into oblivion. but as these companies have grown from dorm room startups to huge media companies of the 21st century they have to acknowledge that with great power comes greater responsibility. i recall very vividly that immediately following the 2016
election, when i started to raise the question that we might have had russian interference mr. zuckerberg publicly ridiculed the idea that russia had influenced the u.s. elections via facebook posts but he basically said the idea that russia intervened was a pretty crazy idea. now, i don't pretend to have all the solutions but i expect these platforms to work with congress so that together we can take steps to protect the integrity of our elections and civil discourse in the future. companies like facebook and twitter have taken some helpful voluntary steps. but we need to see much more from them and their peers. that's going to require investments in people and technology to help identify misinformation before it spreads widely. now i put forward a white paper with 20 ideas that lays out some of the policy proposals for addressing this. for example, i think we could
all agree we need to start with greater transparency. i think human beings ought to have a right to know when they're being contacted on social media whether that message is coming from a human being or from a bot. there's nothing inherently wrong with machine-generated information coming to us but we ought to have that knowledge. i've put forward bipartisan legislation, the honest ads act, that would include greater transparency for advertising. we also need a full-fledged debate for companies who have a duty to identify inauthentic accounts. if someone said they're mark from alexandria but it's boris from saint petersburg we must have a geoindicator when that post occurs. we have put forward detailed ideas around how we look at
platforms' responsibility and i would acknowledge that facebook acknowledged this responsibility to try to take down truly defamatory content. i think platforms should give greater access to independent academics and other analysts studying social trends like disinformation. in our paper we put forward a number of other ideas around privacy, price transparency, data portability, just the information, if any american knew how much data was being collected, that would help increase our knowledge. the truth is most americans think the services are free. there is nothing free about the amount of information these companies collect about each of us and then use in the marketplace. these ideas are intended to spark a discussion. and we desperately need social media companies' input. we have to move quickly. and at some point if they don't work with us, congress will have
to act on its own. once this happen is clear, one thing is clear, the wild west days of social media are coming to an end. third, we need to harden the security of our computer networks, weapon systems and devices. of the responsibilities for cyber and misinformation and disinformation will fall on the government. but our nation's strategic response must also include greater vigilance by the private sector, which to tell the truth has frequently resisted efforts to improve the security of their products. for over a decade the united states thought it could set a light-touch standard for global data protection by basically avoiding legislation. and while let me be the first as a former business guy i understand regulations can have costs. but what we've also learned in our country is that inaction can also cause costs. as other jurisdictions leap
ahead of us with more stringent privacy and data protections. we see this with the gdpr where the u.s.'s failure to adopt national reasonable data protection and privacy rules left the field open for candidly clunkier european rules. and the standards set by europe are now being adopted by major economies like brazil, india, and kenya. more broadly, we need to think about a software liability regime that drives the market towards more secure development across the entire product life-cycle. but nowhere is the need for private responsibility greater than in the internet of things. general ashley, director of the dia, had described insecure iot and mobile devices as "the most emerging cyber threat to our national security." so, as a first step, we should use the purchasing power of the
federal government to require that iot devices meet at least minimum security standards. and again i have bipartisan legislation on this with senator cory gardner. at least at the federal level with federal dollars we need to make sure the devices we purchase are patchable, make sure they don't have hard-coded passwords that cannot be changed and we must make sure they meet standards that they're free of known security vulnerabilities. on a broader level beyond iot public companies should have one board member who understands and can model cyber risk. another area i've been working on is trying to impose at least some level of financial penalties on companies like equifax who failed repeatedly to take the necessary steps to
prevent cyber intrusions. unfortunately even in areas where we could expect a high level of cybersecurity in hygiene we find some of the same problems. in october, a gao report found that nearly all of our new weapon systems under development are vulnerable to cyberattack. now earlier this year we successfully included language in the ndaa requiring cyber vulnerability assessments for weapons systems which will hopefully credibility correct the problem. and the pentagon has taken steps to make cybersecurity a greater priority within the dod. but frankly, we face serious workforce challenges in recruiting and retaining top cyber professionals in the government when they have such attractive offers in the private sector. this is a good segue to my fourth recommendation. realigning our defense spending priorities. the united states military budget and i'm proud to say i'm
as pro-defense as anyone. recently passed $716 billion. remarkable thing is, when you look at russia, its budget, military-wise, is about $70 billion. the truth is, the united states is spending most of its money on conventional weapons and personnel. by contrast, russia devotes a much greater portion of that much smaller budget to cyber and other tools of asymmetric warfare like misinformation. russia has come to the realization, some of that comes back to 2011 when the russian joint chiefs of staff laid out the military doctrine for the twenty-first century when they said russia could not compete with the west in terms of tanks and ucfors and guns, but in the area of cyber or disinformation or misinformation they could compete. when it comes to cyber misinformation and disinformation russia is already
our peer and in the areas of misinformation and disinformation, i believe is ahead of us. truth is, if you look back at russia's effectiveness and cost effectiveness, if you add up all that russia spent interfering in our elections in 2016, all they spent in the french elections in 2017, and then add on their cost of spending in the brexit election, and then add it all together, it's less than the cost of one new f-35 airplane. so the notion that this is a one-off example isn't the case. this is both an effective methodology for russia and remarkably cheap. the same is true with china. china spends more on defense budget and some of that is okay, but estimates are it spends around $200 billion, spending a disproportionate amount on cyber and misinformation and disinformation. there the frightening thing to
me is the delta between what we spend and what china spends on the defense budget, that $50 billion china's investing in artificial intelligence, 5g technologies and a whole host of other 21st century technologies where china hopes to not be our peer but to actually lead the world. frankly, they are starting to outpace us in these investments by orders of magnitude. we need to realign our priorities while we still can. we need to redirect some of our dod spending towards cyber and frankly within other parts of our government misinformation and disinformation. and at the same time, we need that sputnik moment to make sure that we make the investments in 5g, ai, quantum and other technologies to keep a pace of particularly china. the final point is that we desperately need strong federal and presidential leadership for
any u.s. digital doctrine to be truly effective. because this challenge literally touches every aspect of our society, we need presidential leadership, and a senior coordinating official to head the interagency process on this issue. it's true there are men and women within dod and dhs and within other agencies working really hard to try to protect the united states from cyberattacks. and we made some good progress in 2018 in terms of election security. but only the president can mobilize the whole of society's strategy we need. now i do want to acknowledge some positive steps even by this administration have been taken in recent months. the white house and dod have released two important strategic documents on cyber strategy that move us in the right direction. i also welcome the delegation of authorities to defend and deter cyberattacks below the
presidential level. this will allow for quicker responses and greater interagency coordination. but again these actions alone are inadequate. in the most recent ndaa congress attempted to establish a more aggressive posture on u.s. cybersecurity policy. this includes the potential use of offensive cyber capabilities to deter and respond to cyberattacks against u.s. interests. as well as authorization to combat info operations. it also grants the president and defense secretary authority to direct cyber command to respond and deter to "an active and systematic and ongoing campaign attacks" carried out by countries like russia, china, korea and iran. these powers if used accurately are important components of a cyber doctrine. by definition they require decisive and thoughtful leadership at the top.
i'll leave you with a couple final thoughts. obviously more broadly we need a coherent strategy for how to deal with the hybrid approach of cyber and disinformation that is coming from our adversaries. but let me be clear about what i'm not saying. i am not advocating that the u.s. mimic the approach of russia and china. the idea that states have a sovereign right to control or censor information within their borders. frankly that is a vision that's incompatible with american values and our constitution. what i am saying, though, is that we need to confront the fact that our adversaries have an approach that considers control of information an essential component of their overall domestic as well as offensive defensive and offensive strategies. we have not only failed to recognize this situation over the last two decades, but we have particularly tended to downplay
and minimize the dangers of information operations. the truth is, the 2016 presidential campaign served as a wake-up call for cyberattacks and information operations. now people keep warning, and today being december 7th, of a digital pearl harbor or a digital 9/11 as if there will be a single act that will wake the country and make us take action on these issues. i think i know and many of you in this room know as well, we're already living those events on a daily basis. look, simply look at the 2017 -- attack. in the united states we treated that as a one-day news story that was way below the fold. the truth is the cost of that one single attack was more than $10 billion. this is the most costly and
devastating cybersecurity attack in modern history, but most americans have no idea that it even occurred. the true cost of our cyber vulnerabilities and the true cost of those attacks won't come with a single event. they will be gradual and accumulating. our personal and government data is being bled from every network every day. our faith in our institutions and our tolerance for one another is being eroded by misinformation. . . . toward the comprehensive cyber doctrine and misinformation disinformation doctrine we so desperately need in these challenging times. thank you very much. [applause]