An influential senator called on Friday for an open dialogue about when the U.S. is willing to use offensive cyber weapons to deter adversaries and retaliate against attacks, arguing that failing to articulate those standards has allowed highly-capable nations like Russia and China to launch their own attacks with relative impunity.
Sen. Mark Warner (D-Va.), the vice chairman of the Senate Intelligence Committee, said recent cyber strategy documents from the White House and Defense Department were a step in the right direction, but that more must be done to establish and enforce norms of behavior in cyberspace.
“Failing to articulate a clear set of expectations about when and where we will respond to cyber attacks is not just bad policy, it’s downright dangerous,” he said during an address at the Center for a New American Security on Friday.
Warner said his concerns extend not just to discrete attacks that aim to shut down critical infrastructure, destroy data or steal information, but more complex and ongoing information operations. These include the attacks intelligence agencies believe Russia engaged in to interfere with the 2016 election.
“People keep warning of a digital Pearl Harbor or a digital 9/11, as if there will be a single act that will wake the country up and make us take action on these issues. But we’re already living those events on a daily basis,” he said. “Look at the 2017 NotPetya attack. In the United States, we treated that as a one-day news story. The truth is the cost was more than $10 billion. It was the most costly and devastating cybersecurity attack in modern history, but most Americans have no idea it even occurred.”
The 2017 NotPetya cyber attack targeted companies around the world and was pushed out in part using the leaked National Security Agency-developed EternalBlue tool.
“The true cost of our cyber vulnerabilities and the cost of those attacks won’t come with a single event, they will be gradual and accumulating,” Warner said. “Our personal, corporate and government data is being bled from every network every day. Our faith in our institutions and our tolerance for one another is being eroded by misinformation. This is leaving us exposed as individuals, and vulnerable as a country.”
Rebalancing DoD’s budget to make room for cyber
Beyond describing its thresholds for the use of military force in cyberspace, Warner called for a series of changes that would impact how the federal government organizes itself to deal with cyber threats.
The Defense Department, he said, should realign its spending priorities in order to allocate more funds toward cyber issues and less toward conventional weapons systems. He argued that the Pentagon’s $716 billion budget has plenty of room to rebalance away from kinetic weapons that already outmatch any potential adversaries, especially when compared with the respective $200 billion and $70 billion military budgets of China and Russia.
“If you add up all the money Russia spent interfering in our elections in 2016, all they spent in the French elections in 2017 and the cost of spending in the Brexit election, it’s less than the cost of one F-35 airplane. It’s both an effective methodology and it’s also remarkably cheap,” he said. “The same is true in China, which spends a disproportionate amount on cyber and misinformation and disinformation. The frightening thing to me is even with delta between what we spend on our defense budget and what China spends – that $500 billion – they are investing in artificial intelligence, quantum computing, and a whole host of other 21st century technologies where China hopes not to simply be our peer, but to actually lead the world. And they’re starting to outpace us in some of those investments by orders of magnitude.”
Outside of the military sphere, Warner said the rest of the federal government is ill-prepared to tackle cyber challenges.
He decried the White House’s decision to abolish the role of Cyber Coordinator on the National Security Council, the absence of a cyber bureau at the State Department, what he said were inadequate cyber defense resources at the Department of Homeland Security, and the 1999 decision to close the U.S. Information Agency, the State Department’s anti-propaganda arm.
“But let me be clear: Congress does not have its act together either,” he said. “We have no cyber committee – it cuts across numerous committee jurisdictions, frequently hindering our ability to get ahead of the problem, and it’s even worse in the area of misinformation and disinformation. And the dangers are only growing as new technologies such as deep fakes, where audio and video manipulation can literally put words into the mouth of an official or a business leader, and these efforts are now being commercialized.”
Warner said the government is becoming more dependent on software while simultaneously treating cybersecurity, network resiliency and data reliability as afterthoughts.
“And these vulnerabilities will only continue to grow as our so-called real economy becomes increasingly inseparable from our digital economy,” he said.