You are on page 1of 13
 
 
1
Sen. Mark R. Warner
 — 
 
“A New Doctrine for Cyberwarfare & Information Operations” 
 Center for New American Security 7 December 2018  Intro: Intelligence Failures
Thank you to the Center for New American Security. Thank you, Victoria Nuland and Ely Ratner for giving me this opportunity to speak about one of the most urgent challenges of our time:
the use of cyberwarfare by our adversaries
and the need to articulate a U.S. cyber doctrine.
Today, December 7
th
 is an auspicious date in our history. We remember Pearl Harbor as the first foreign attack on U.S. soil in modern history. Unfortunately, we also remember Pearl Harbor as a major intelligence failure. As Vice Chairman of the Intel
Committee, I’ve spent the better part of the last two years on an investigation connected to America’s most recent intelligence failure.
It was also a failure of imagination
 — 
 a failure to identify
Russia’s
 broader strategy to interfere in our elections. Our federal government and institutions were caught flat-footed in 2016, and our social media companies failed to anticipate how their platforms could be manipulated and misused by Russian operatives. Frankly, we should have seen it coming. Over the last two decades, adversary nations like Russia have developed a radically different conception of information security
 – 
 one that spans cyber-warfare and information operations. I fear that we have entered a new era of nation-state conflict: one in which a nation projects strength less through traditional military hardware, and more through cyber and information warfare. For the better part of two decades, this was a domain where we thought we had superiority. The thinking was that our cyber capabilities were unmatched. Our supposed superiority allowed us to write the rules.
 Blind Spots
This confidence appears to have blinded us to three important developments:
First
, we are under attack, and candidly, we have been for many years. Our adversaries and their  proxies are carrying out cyberattacks at every level of our society.
 
 
2
We’ve seen state
-sponsored or sanctioned attacks on healthcare systems, energy infrastructure, and our financial system. We are witnessing
constant intrusions into federal networks. We’re seeing regular
attempts to access parts of our critical infrastructure and hold them ransom. Last year, we saw global ransomware attacks increase by 93 percent. Denial-of-service attacks increased by 91 percent. According to some estimates, cyberattacks and cybercrime account for up to $175 billion in economic and intellectual property loss per year in North America. Globally, that number is nearly $600 billion. Typically, our adversaries
aren’t usin
g highly sophisticated tools. They are attacking opportunistically, using phishing techniques and rattling unlocked doors. This has all been happening under our noses. The effects have been devastating, yet the attackers have faced few, if any, consequences.
Second
, in many ways, we brought this on ourselves. We live in a society that is becoming more and more dependent on products and networks that are under constant attack. Yet the level of security we accept in commercial technology products is unacceptably low
 — 
 particularly when it comes to rapidly growing Internet of Things. This problem is only compounded by our society-wide failure to promote cyber hygiene. It is an outrage that more digital services
 – 
 from email to online banking
 – 
 
don’t come with
default two-factor authentication. And it is totally unacceptable that large enterprises
 – 
 including federal agencies
 – 
 
aren’t using the
se available tools.
Lastly
, we have failed to recognize that our adversaries are working with a totally different  playbook. Countries like Russia are increasingly merging traditional cyberattacks with information operations. This emerging brand of hybrid cyberwarfare exploits our greatest strengths
 – 
 our openness and free flow of ideas. Unfortunately, we are just now waking up to it.
 Early Warnings and Lessons Not Learned
 
 
3
Looking back, the signs should have been obvious. Twenty years ago, Sergei Lavrov, then s
erving as Russia’s UN Ambassador 
, advanced a draft resolution dealing with cyber and prohibiting
“particularly dangerous forms of information weapons.”
We can debate the sincerity of Russia’s draft resolution
, but in hindsight, the premise of this resolution is striking. Specifically, the Russians saw traditional cyberwarfare and cyberespionage as
interlinked
with information operations.
It’s true that
, as recently as 2016, Russia continued to use these two vectors
 — 
 cyber and information operations
 — 
 on separate tracks. But there is no doubt that Putin now sees the full  potential of hybrid cyber operations. By contrast, the U.S. spent two decades treating information operations and traditional information security as distinct domains. Increasingly, we treated info operations as quaint and outmoded. Just a year after Lavrov introduced that resolution, the U.S. eliminated the United States Information Agency, relegating counter-propaganda and information operations to a lower tier of foreign policy. In the two decades that followed, the U.S. embraced the internet revolution as inherently democratizing. We ignored the warning signs outside the bubble of Western democracies. The naiveté of U.S. policymakers extended not just to Russia, but to China as well. Recall when President Clinton warned China that attempts to police the internet would be like
“nailing
Jell-O
to the wall.”
 In fact, China has been wildly successful at harnessing the economic benefits of the internet in the absence of political freedom.
China’s
doctrine of cyber sovereignty is the idea that a state has the
absolute right 
 to control information within its border. This takes the form of censorship, disinformation, and social control. It also takes the form of traditional computer network exploitation. And China has developed a powerful cyber and information affairs bureaucracy with broad authority to enforce this doctrine.

Reward Your Curiosity

Everything you want to read.
Anytime. Anywhere. Any device.
No Commitment. Cancel anytime.
576648e32a3d8b82ca71961b7a986505