The US needs improved cybersecurity policies if it is going to catch up with the practices in the rest of the world, Sen. Mark Warner said on Friday, saying the government has failed to recognize the seriousness of the situation.
The Virginia Democrat, who serves as vice chairman on the Senate Select Intelligence Committee, said US cybersecurity fails to provide adequate protection of critical infrastructure or guard against the dissemination of disinformation online. He made the comments in a keynote address at the Center for a New American Security in Washington, DC.
Cyberattacks and disinformation campaigns have presented a growing threat for governments around the globe with hackers causing billions of dollars in damages online. Last year, the Russian military’s NotPetya attack caused more than $10 billion in damages and wiped out computers at huge companies like shipping giant Maersk and delivery specialist FedEx.
Foreign propaganda remains a growing problem on social media with companies such as Facebook continually uncovering disinformation campaigns that originate in Iran, Russia and other countries.
In his speech, Warner said these attacks will only get worse unless US policy develops to grow with it. He proposed a new US cyber doctrine and suggested an international agreement on standards in cyberattacks and security.
“Countries like Russia are increasingly merging traditional cyberattacks with information operations. This emerging brand of hybrid cyberwarfare exploits our greatest strengths — our openness and free flow of ideas,” Warner said. “Unfortunately, we are just now waking up to it.”
He also criticized the US government’s failure to focus on cybersecurity, specifically calling for the White House to acknowledge that Russian hackers undermined the presidential election in 2016. He noted the White House still does not have a cybersecurity coordinator, a position that it eliminated in May.
Warner said it was “totally unacceptable” that federal agencies aren’t using two-factor authentication for security. Senators found in September that only 11 percent of the State Department’s staffers have the security measure enabled.
He also called on lawmakers on Capitol Hill to improve its security policies and practices.
“We have a long way to go on cyber hygiene and online media consumption habits. Let me be clear — Congress does not have its act together either. We have no cyber committee,” Warner said.
Warner’s proposed US cyber doctrine calls for five major changes:
On international norms, Warner pointed to treaties like the Paris Call for Trust and Security in Cyberspace, which the US didn’t sign.
“Our adversaries continue to believe that there won’t be consequences for their actions,” he said. “That needs to change.”
Combating Misinformation and Disinformation
Warner said a solution to disinformation campaigns would have to be “society-wide.” The doctrine calls for more regulation of tech giants, but also asks for tech companies to take better control of their platforms.
“The major platform companies, like Twitter and Facebook, but also Reddit, YouTube and Tumblr, aren’t doing nearly enough to prevent their platforms from becoming petri dishes for Russian disinformation and propaganda,” he said.
“People need to be able to trust the connections they make on Facebook. We continue to investigate, remove additional associated fake events and Pages, and take action against those involved in creating them,” a Facebook spokesperson said in a statement.
Twitter, Reddit, YouTube and Tumblr didn’t respond to a request for comment.
Harden Networks, Weapons Systems and IoT
Warner’s proposal warned that Internet of Things devices posed the “most important emerging cyber threat to national security.” Connected devices are notorious for their poor security, as many device makers fail to provide needed security patches or ship out gadgets with default passwords you can’t change.
In 2017, four senators — including Warner — proposed the IoT Cybersecurity Improvement Act, which would require minimum security standards for connected devices sold to the federal government.
Realign Defense Spending
Warner said the government wasn’t spending enough on cybersecurity. Russia’s budget for election interference in 2016 cost less than one fighter jet, the senator pointed out.
“I worry we may be buying the world’s best 20th century military without giving enough thought to the 21st century threats we face,” he said.
Presidential / Government Leadership
The senator called for presidential leadership to carry out his proposed changes to US cybersecurity policy. The Trump administration signed an executive order on cybersecurity in 2017 and published a National Cyber Strategy in September, which allowed for government agencies to more aggressively hack US adversaries.
Warner said the US has to dramatically change its policies on cybersecurity, as threats continue to pour in.
“The true cost of our cyber vulnerabilities won’t be sudden or catastrophic,” Warner said. “They will be gradual and accumulating.”
CNET’s Holiday Gift Guide: The place to find the best tech gifts for 2018.
Taking It to Extremes: Mix insane situations — erupting volcanoes, nuclear meltdowns, 30-foot waves — with everyday tech. Here’s what happens.