In a speech on Friday, US Democrat Mark Warner, vice chairman of the Senate Intelligence Committee, presented what he called "a new cyber doctrine," advocating not only for a hardening of America's digital infrastructure but for an approach to cyberwarfare that doesn't hinge solely on mirroring adversaries' use of offensive tactics.
The US needs to increase its presence on the international stage, argues the Virginia senator, and play a central role in establishing common "rules and norms" for the invisible battlefield — or China and Russia will.
Speaking at the Center for a New American Security, Warner advanced the idea that America's cybersecurity is on the whole ineffectual; that its response to foreign adversaries is either too weak or too slow to matter; and that its vulnerabilities, in addition to past failures, are largely the result of existing in a state of complacency and overconfidence for decades.
More specifically, he said, the US has failed entirely to devise a substantive approach for mitigating an influx of information operations, in which private American citizens are chiefly the target.
The federal government, Warner admits, was caught "flat-footed in 2016," though he places equal responsibility on companies such as Facebook for failing to "anticipate how their platforms could be manipulated and misused by Russian operatives."
In recommendations offered later in his speech, Warner defined what he calls a "whole-of-society approach" to security, which relies partly on a self-regulating free press, but also "places limits on social media platforms." Mark Zuckerberg, the only corporate officer named in the speech, is offered up as the quintessential security-illiterate executive, as Warner recalls how quick Zuckerberg was to brush aside the notion that his platform could influence global elections.
"I don't have any interest in regulating them into oblivion," Warner says. "But as these companies have grown from dorm-room startups into media behemoths, they have not acknowledged that this power comes with great responsibility."
Companies should be compelled to treat identifying and combating bots and disinformation as a "duty," he says, facing "consequences" if they "continue to propagate truly defamatory content." "We've seen these tools used against other Western democracies," he adds. "We've seen them used to incite racial and ethnic violence in places like Myanmar."
Warner also presents the US military and intelligence agencies as wholly unprepared for adversaries that hold a "radically different conception of information security," one that is not focused entirely on the defence and infiltration of protected networks but relies equally on the use of disinformation, sabotage, and manipulation of the press.
"I fear that we have entered a new era of nation-state conflict: one in which a nation projects strength less through traditional military hardware, and more through cyber and information warfare," he says. "For the better part of two decades, this was a domain where we thought we had superiority."
Warner further describes how confidence in this "supposed superiority" has left Americans virtually defenseless against cyberattacks "at every level of our society," listing off examples of state-sanctioned attacks on a myriad of critical industries — health, energy, and financial — as well as constant intrusions into federal networks and a drastic uptick in global ransomware and denial-of-service attacks.
"We're seeing regular attempts to access parts of our critical infrastructure and hold them ransom," he says, adding later: "in many ways, we brought this on ourselves."
Society's perfunctory approach to security, even as its reliance on online products and services continues to crescendo, is remarkably disproportional to the swell of attacks "happening under our noses," he says. America's adversaries are playing a different game of ball, he argues; a form of "hybrid cyberwarfare," devised to not only pilfer and destroy critical systems but to exploit "our openness and free flow of ideas."
Circling back to private companies, Warner calls for consideration of a "software liability regime" aimed at nudging market forces towards increased security "across the entire product lifecycle." Congress, he says, should explore the pros and cons of imposing "duty-of-care" responsibilities on app and device makers, suggesting that developers perhaps ought to face statutory penalties for failing to uphold reasonable security practices.
"Vendors should also have coordinated vulnerability disclosure policies," he says. "They should have established policies for intake, handling, and remediation of bugs. In addition, public companies should have at least one board member who can understand and model cyber-risk."
Congress does not get a pass, however, as he describes how jurisdiction over security matters unproductively crosses numerous committees — hindering, he contends, the legislature's ability to "get ahead of the problem."
"We have no cyber committee," Warner proclaims.
Notably, his "doctrine" is light on specific recommendations for the use of offensive cyber operations, which has been central to US President Trump's stated approach to cybersecurity since former diplomat John Bolton became his national security adviser. In September, following the roll-out of the president's new national cyber strategy, Bolton asserted that the US would deter adversaries through greater use of offensive attacks, intending to demonstrate that the cost "is higher than they want to bear."
Perhaps expectedly, Warner spends less time discussing the use of covert actions authorised under executive powers and instead seeks out solutions that would involve, as he puts it, "all of us," meaning the government, including Congress, private companies and the American people.
There will be no single moment, no "digital Pearl Harbour," he warns finally. "They're happening every day."
"Our personal, corporate, and government data is being bled from our networks every day; our faith in institutions and our tolerance for one another is being eroded by misinformation," he concludes. "It's time we dramatically shift how we view these threats."
Below is a full copy of Warner's speech, as prepared.