Russian interference in the 2016 U.S. election laid bare the vulnerabilities in American society and institutions to hacking and information operations. Two years later, policymakers are still searching for a comprehensive strategy for dealing with those vulnerabilities.
In a speech Friday, Sen. Mark Warner of Virginia, the top Democrat on the Senate Intelligence Committee, proposed a “whole-of-society” cyber doctrine rather than one that treats the cybersecurity challenges in government and private sector separately.
“It’s not enough to simply improve the security of our infrastructure, computer systems, and data,” Warner said at the Center for New American Security in Washington, D.C. “We must also deal with adversaries who are using American technologies to exploit our freedom, our openness, and basically attack our most important asset — our democracy.”
Warner called on the U.S. to redouble its pursuit of global cyber norms; social-media companies to do more to combat disinformation; the Pentagon to spend more on cyberdefense; and the U.S. government to require baseline security standards in the devices it buys, among other proposals.
The Virginia Democrat said he is hopeful that closer work with U.S. allies on cyber norms will make it easier to rein in cyber activity from Russia, China, and other adversaries. The State Department has pursued global cyber norms for years. While the U.S., China, Russia, and other countries reached a norms deal in 2015, the latest round of talks collapsed in 2017 as Washington and Moscow reportedly clashed over the right to self-defense in cyberspace.
It has “pretty much been open season” for Russia and Chinese hacking operations in the United States, Warner said. “This has to come to a conclusion. We need a national conversation about defensive and offensive tools we are willing to use to respond to the ongoing threats we face.”
While countries like Russia see information and cyber operations as interlinked, U.S. is treating them as separate and unique concepts, Warner said. Russia and China spend a greater proportion of their defense budgets on cyber and information warfare tools than the U.S. does, he added.
The Trump administration in recent months has publicly stated its willingness to conduct offensive cyber operations to deter adversaries. President Trump in August rescinded an Obama-era policy document that critics said unnecessarily delayed offensive operations.
“Our hands are not tied as they were in the Obama administration” in terms of cyber-operations, national security adviser John Bolton said in September. Days before the 2018 midterms, Bolton confirmed the U.S. had undertaken offensive cyber-operations to guard against foreign interference.
Warner on Friday welcomed the administration’s “delegation of authorities to defend and deter cyberattacks below the presidential level,” as well as cybersecurity strategies released by the White House and Pentagon. But Warner said these efforts weren’t enough to counter the threat, and he lamented the lack of a comprehensive government strategy for dealing with disinformation.
Facebook and Twitter’s leadership eventually conceded they didn’t do enough to respond to Russian accounts spewing disinformation on their platforms in 2016. In the last two years, the companies have done more to stamp out such propaganda, but Warner said he wants to “see much more from them” in the form of “investments in people and technology to help identify misinformation before it spreads widely.”
Warner’s seat on the intelligence committee has given him a window into how and why the Russian intervention in 2016 election was successful. The most under-appreciated lesson of 2016 was “the increasing convergence of traditional hacking and information operations,” the Virginia Democrat said in a recent interview with CyberScoop.
“We’re on the cusp of a new generation of exploitation, potentially harnessing hacked personal information to enable tailored and targeted disinformation and social engineering efforts,” Warner said in the interview.