The United States needs to take a hard look at its national security policies and focus its attention on investing in defensive, as well as offensive, measures to deal with cyber threats, US Sen. Mark Warner (D-VA) said at the Atlantic Council’s Annual Forum in Washington on December 14.
Pointing out that “we just spent $716 billion on a defense budget; Russia spends $70 billion; China spends roughly $200 billion,” Warner said: “I fear that we are buying way too much of the best 20th century military stuff in terms of tanks, planes, ships, and guns when most of the conflict in the 21st century will be in the domains of cyber, misinformation, and space.”
“On a percentage basis, our near peer adversaries… Russia and China, even with much smaller defense budgets, are disproportionately spending in the domains of cyber and misinformation, in particular,” he said. “We need a fresh look at our national security policy. We need to articulate norms and a defined cyber strategy. And I think we need to recognize that the next iteration of this battle will be where cyber and misinformation and disinformation combine,” he added.
Warner participated in a discussion with retired Adm. Michael Rogers, a former US commander of Cyber Command and former director of the National Security Agency, at the Atlantic Council’s Annual Forum. Ellen Tauscher, a former US congresswoman and former US under secretary of state for arms control and international security affairs, moderated the discussion.
Warner said that besides an urgent need to re-evaluate cyber hygiene, there is also a need to alert the American public about the existing vulnerabilities. “Many people have said what will only stir us to action is a cyber 9/11 or a cyber Pearl Harbor. I think that is completely wrongheaded,” he said. “We are experiencing a level of cyberattacks on a daily basis where particularly these near pure adversaries like Russia and China are bleeding us of our information… on a daily basis,” he added.
Warner said denial of service and ransomware attacks have increased by more than ninety percent globally in the past year.
In June 2017, a cyberattack carried out using a ransomware virus dubbed NotPetya hit state and private-sector organizations and companies in Ukraine. It also spread across Europe, the United States, Russia, and Australia. The cost to the global economy of the attack ran into billions of dollars. The CIA blamed Russian military hackers for the attack.
The New York Times reported this month that a massive data breach of Marriott International’s Starwood reservation system, which exposed the data of up to 500 million guests, has been traced to Chinese hackers.
Addressing the challenge
Warner said the Trump administration—at the White House level—“has still not accepted both the threat and the responsibility” of dealing with cyber threats. “If we don’t have leadership at the top, this challenge that we face is much greater,” the senator said.
“We do need to acknowledge that we have not really had… a clearly articulated cyber doctrine in the 21st century,” said Warner. “We have not had an agreement that there ought to be international norms that some cyber actions against our country or against any other Western country have to be met by not only defensive postures but the potential use of offense.”
He said it is also important for the United States to work with its allies, as well as adversaries, to determine which cyberattacks would trigger a response. “While we have been willing to take on secondary states like Iran and North Korea, we have been afraid of cyber escalation with near pure adversaries because of our increasing technological dependence,” said Warner.
Rogers said when he was leaving government he had two primary national security concerns. First, US adversaries are focused on attempting to gain advantage using capabilities short of armed conflict. “They know that if they were to go head to head with us in a traditional military confrontation, we are going to win,” he said. “Many of the nation states of the world have come to the conclusion the way to gain advantage against the United States is to not trip the threshold that generates an armed response, rather engage in behaviors at a lower risk level that don’t trip a US policy response but still enable you to achieve a competitive advantage.”
The second concern Rogers had was his belief that the United States has “not yet come to grips with what are the implications of technology in the digital age for our nation’s security.”
“If you look at the way the US government is organized, I think to myself ‘Guys, we are still in this industrial age,’” he said.
While serving in both the Obama and Trump administrations, Rogers was part of efforts to identify critical infrastructure. “When we first did this with the Obama team we thought very industrial output focused: manufacturing, petroleum, aviation, finance. We did not think about things like, ‘So what are the processes that enable cohesion in this democracy we call America? Like elections.’ We never even thought of that.”
Again, in the Trump administration, Rogers recalls in hindsight, “we did not fully think about what are the implications for data.”
“It’s not by chance you are watching nation states out there going after data in huge concentrations because now you’ve got the technical means to actually analyze it and generate value,” said Rogers. “Five or ten years ago someone would have said to you, ‘Why as a nation state would I be interested in hotel reservation and credit card information? What would that do for me?’ But if you look at it now… you get a whole amount of identification data that can potentially be used and harvested.”
Tauscher described the arguments made by Warner and Rogers as a call to arms. “This is about not suiting up to play checkers when everybody else is playing 3D chess,” she said.
Warner said that the intelligence community has been consistent about the gravity of the cyber threat. It is on lawmakers to bring this message to the American public, he said.
“The community that has been the most reluctant to take even this brief in a classified setting is some of our friends in private equity who have such large investments at this point in these Chinese companies that they don’t want to hear the truth,” said Warner. “But the starting point here is an information campaign.”
Warner said that US allies around the world were waking up to the threat posed by China a couple of years ago. When Trump came into office in 2017 he had an opportunity to build an international coalition to press China to play by the rules, he said. “But we missed that opportunity when the president said Canada is a national security threat,” said Warner, referring to US tariffs on Canada.
Rogers is still trying to figure out what it will take to get the United States to be serious about cyberattacks. Noting significant improvements in auto and aviation safety over the decades, he said: “We have got to come to the conclusion that cybersecurity is a national good and therefore we are willing going to impose, by consumer action and by government action, a series of norms.”
Rogers said that it is in the best interests of the industry to “try to come together collectively as industries and try to come up with some minimum standards that can be a starting point. This will evolve over time. It’s just like automotive safety.”
Tauscher, who is an Atlantic Council board member, said there was a need for “adaptable guardrails so that we at least can create the contours of what good behavior is.”
“Right now part of our problem is the definition of good behavior is behind a screen. People don’t get to see enough of that and they don’t even know what bad behavior is because we have really hidden it from them,” she added.
Ashish Kumar Sen is deputy director of communications, editorial, at the Atlantic Council. Follow him on Twitter @AshishSen.