Sen. Mark Warner has used his position as ranking member on the Senate Intelligence Committee to call attention to the twin challenges to U.S. democracy posed by disinformation and by cyberthreats to election infrastructure. The Virginia Democrat sheds light on his approach to those issues and discusses the seminal Mirai botnet attack, among other top-of-mind cybersecurity issues.
CyberScoop: In your view, what is the most underappreciated cybersecurity lesson from the coordinated Russian operation to interfere in the 2016 U.S. presidential campaign?
Sen. Mark Warner: For me, the most under-appreciated cybersecurity lesson from the activity we saw in 2016 was the increasing convergence of traditional hacking and information operations. During the 2016 election, the Russians demonstrated how bad actors can effectively marry offensive cyber-operations, including hacking, with information operations. Worse still, this is only going to get harder with new advances in technology and artificial intelligence, like deepfakes. We’re on the cusp of a new generation of exploitation, potentially harnessing hacked personal information to enable tailored and targeted disinformation and social engineering efforts. That should frighten us all — particularly because these techniques can be used beyond just political disinformation.
Imagine the damage to markets if communications from the Fed chairman were leaked online, interspersed with elaborate forgeries. Or, consider the price of a Fortune 500 company’s stock if a dishonest short-seller was able to spread false information about that company’s CEO — or the effects of its products — rapidly online.
CS: As the co-founder of the Senate Cybersecurity Caucus, you have taken a close interest in cybersecurity issues for a while. What event, more than any other, sparked that interest?
MW: I have long been interested in cybersecurity issues, including in the Senate deliberations that culminated in the landmark information-sharing legislation in 2015. I also chaired the first congressional hearing following the Target data breach in 2014. The Mirai botnet distributed denial-of-service attack on internet infrastructure provider Dyn in 2016 substantially changed my thinking on these topics, illustrating to me that significantly more work needs to be done.
While the techniques were not new, the scale of botnets like Mirai — driven by insecure IoT devices — was unprecedented. Manufacturers today are flooding the market with cheap, insecure devices, with few market incentives to design the products with security in mind, or to provide ongoing support. And buyers seem unable to make informed decisions between products based on their competing security features, in part because there are no clear metrics. Because the producers of these insecure IoT devices currently are insulated from any standards requirements, market feedback or liability concerns, I am deeply concerned that we are witnessing a “tragedy of the commons” threat to the continued functioning of the internet, as the security so vital to all internet users remains the responsibility of none. The subsequent wiperware outbreaks in 2017 — where WannaCry and NotPetya wrought billions of dollars in damage worldwide — further illustrated to me that we have a systemic problem of software and device insecurity that’s not being adequately addressed.
CS: The 2015 OPM breach was a watershed moment in that it showed how vulnerable personal, U.S. government-stored information was to cyber-espionage. Are you confident that the U.S. government has learned its lessons from the OPM breach, or are there other “OPMs” out there – agencies that are highly susceptible to large-scale data theft?
MW: As one of the leading and most persistent critics of OPM’s handling of the 2015 breach, I do think large agencies like OPM have started to find religion on data security. But I fear that risks are growing faster than any single agency can address them. Just last year the Department of Homeland Security reported that the Continuous Diagnostics and Monitoring tools had revealed the average agency to have 44 percent more so-called “shadow IT” on their networks than their records indicated. Needless to say, ensuring that all of an agency’s information systems implement up-to-date security updates is made infeasible if an agency does not have an accurate inventory of endpoints connected to its network. And we’ve seen GAO routinely include federal information system insecurity as a material weakness on its High Risk Lists.
The last administration’s efforts on cybersecurity certainly weren’t perfect by any means, but one thing that’s abundantly clear is that you have to lead change from the top. The current administration’s elimination of the [White House] cybersecurity coordinator is certainly not a strong indication that we’re trending in the right direction.
CS: With just a few weeks until Americans go to the polls in the midterm elections, the focus of the ongoing effort to better secure U.S. voting infrastructure will soon shift to the 2020 presidential election. What should lawmakers and policymakers prioritize in terms of election security for 2020 that they could not accomplish in time for the 2018 midterms?
MW: As the co-sponsor of a number of bills that seek to shore up weaknesses revealed in the 2016 election — from vulnerabilities in our ad disclosure rules that aided Russian disinformation efforts to security weaknesses in our voting systems that could be exploited in the future — I have been deeply disappointed by Congress’s inaction on election security.
The threat has been continuously documented, by the FBI, by DHS — albeit belatedly — and by the Senate Intelligence Committee. There are no technical obstacles, knowledge gaps, or competition among priorities that have prevented addressing these threats; it’s a lack of political willpower, unfortunately.