FOREWORD BY SEN. MARK WARNER
"Today, December 7th, is an auspicious date in our history. We remember Pearl Harbor as the first foreign attack on US soil in modern history. Unfortunately, we also remember Pearl Harbor as a major intelligence failure. As Vice Chairman of the Intel Committee, I've spent the better part of the last two years on an investigation connected to America's most recent intelligence failure. It was also a failure of imagination, a failure to identify Russia's broader strategy to interfere in our elections. Our federal government and institutions were caught flat-footed in 2016, and our social media companies failed to anticipate how their platforms could be manipulated and misused by Russian operatives. Frankly, we should have seen it coming.
Over the last two decades, adversary nations like Russia have developed a radically different conception of information security, one that spans cyber warfare and information operations. I fear that we have entered a new era of nation-state conflict: one in which a nation projects strength less through traditional military hardware and more through cyber and information warfare. For the better part of two decades, this was a domain where we thought we had superiority. The thinking was that our cyber capabilities were unmatched. Our supposed superiority allowed us to write the rules.
This confidence appears to have blinded us to three important developments: First, we are under attack, and candidly, we have been for many years. Our adversaries and their proxies are carrying out cyber attacks at every level of our society. We've seen state-sponsored or sanctioned attacks on healthcare systems, energy infrastructure, and our financial system. We are witnessing constant intrusions into federal networks. We're seeing regular attempts to access parts of our critical infrastructure and hold them ransom. Last year, we saw global ransomware attacks increase by 93%. Denial-of-service attacks increased by 91%. According to some estimates, cyber attacks and cybercrime account for up to $175 billion in economic and intellectual property loss per year in North America. Globally, that number is nearly $600 billion. Typically, our adversaries aren't using highly sophisticated tools. They are attacking opportunistically using phishing techniques and rattling unlocked doors. This has all been happening under our noses. The effects have been devastating, yet the attackers have faced few, if any, consequences.
Second, in many ways, we brought this on ourselves. We live in a society that is becoming more and more dependent on products and networks that are under constant attack. Yet the level of security we accept in commercial technology products is unacceptably low, particularly when it comes to the rapidly growing Internet of Things. This problem is only compounded by our society-wide failure to promote cyber hygiene. It is an outrage that more digital services from email to online banking don't come with default two-factor authentication. And it is totally unacceptable that large enterprises, including federal agencies, aren't using the available tools.
Lastly, we have failed to recognize that our adversaries are working with a totally different playbook. Countries like Russia are increasingly merging traditional cyber attacks with information operations. This emerging brand of hybrid cyber warfare exploits our greatest strengths: our openness and free flow of ideas. Unfortunately, we are just now waking up to it. Looking back, the signs should have been obvious. Twenty years ago, Sergei Lavrov, then serving as Russia's UN Ambassador, advanced a draft resolution dealing with cyber and prohibiting particularly dangerous forms of information weapons. We can debate the sincerity of Russia's draft resolution, but in hindsight, the premise of this resolution is striking. Specifically, the Russians saw traditional cyber warfare and cyber espionage as interlinked with information operations. It's true that, as recently as 2016, Russia continued to use these two vectors, cyber and information operations, on separate tracks. But there is no doubt that Putin now sees the full potential of hybrid cyber operations. By contrast, the United States spent two decades treating information operations and traditional information security as distinct domains. Increasingly, we treated info operations as quaint and outmoded. Just a year after Lavrov introduced that resolution, the United States eliminated the United States Information Agency, relegating counterpropaganda and information operations to a lower tier of foreign policy. In the two decades that followed, the United States embraced the Internet revolution as inherently democratizing. We ignored the warning signs outside the bubble of Western democracies.
The naïveté of US policy makers extended not just to Russia, but to China as well. Recall when President Clinton warned China that attempts to police the Internet would be like nailing Jell-O to the wall. In fact, China has been wildly successful at harnessing the economic benefits of the Internet in the absence of political freedom. China's doctrine of cyber sovereignty is the idea that a state has the absolute right to control information within its border. This takes the form of censorship, disinformation, and social control. It also takes the form of traditional computer network exploitation. And China has developed a powerful cyber and information affairs bureaucracy with broad authority to enforce this doctrine. We see indications of the Chinese approach in their successful efforts to recruit Western companies to their information control efforts. Just look at Google's recent push to develop a censored version of its search engine for China. Today, China's cyber and censorship infrastructure is the envy of authoritarian regimes around the world. China is now exporting both its technology and its cyber-sovereignty doctrine to countries like Venezuela, Ethiopia, and Pakistan. With the export of these tools and ideas, and with countries like North Korea and Iran copying Russia's disinformation playbook, these challenges will only get worse. And yet as a country we remain complacent.
Despite a flurry of strategy documents from the White House and DoD, the federal government is still not sufficiently organized or resourced to tackle this hybrid threat. We have no White House cyber czar, nor cyber bureau or senior cyber coordinator at the State Department. And we still have insufficient capacity at State and DHS when it comes to cybersecurity and disinformation. Our Global Engagement Center at the State Department is not sufficiently equipped to counter propaganda from our adversaries. And the White House has still not clarified roles and responsibilities for cyber across the US government. While some in the private sector have begun to grapple with the challenge, many more remain resistant to the changes and regulations needed. And the American people, still not fully aware of the threat, have not internalized the lessons of the last few years. We have a long way to go on cyber hygiene and online media consumption habits. Let me be clear: Congress does not have its act together either. We have no cyber committee. Cyber crosses numerous committee jurisdictions, frequently hindering our ability to get ahead of the problem.
It's even worse in the area of misinformation/disinformation. The dangers are only growing as new technologies such as Deepfakes, audio and video manipulation that can literally put words into someone's mouth, are commercialized. The truth is, we are becoming ever more dependent on software. But at the same time, we are treating cybersecurity, network resiliency, and data reliability as afterthoughts. And these vulnerabilities will only continue to grow as our so-called real economy becomes increasingly inseparable from the digital economy.
If we're going to turn this around, we need not just a whole-of-government approach; we need a whole-of-society cyber doctrine. So what would a US cyber doctrine look like? It's not enough to simply improve the security of our infrastructure, computer systems, and data. We must also deal with adversaries who are using American technologies to exploit our freedom and openness and attack our democracy.
Let me lay out five recommendations:
1 NEW RULES
First, we need to develop new rules and norms for the use of cyber and information operations. We also need to better enforce existing norms. And most importantly, we need to do this on an international scale. We need to develop shared strategies with our allies that will strengthen these norms. When possible, we need to get our adversaries to buy into these norms as well. The truth is, our adversaries continue to believe that there won't be any consequences for their actions. In the post-9/11 national security environment, we spent tremendous energy combating terrorism and rogue states. But frankly, we've allowed some of our near-peer adversaries to operate with relative impunity when they attack the United States in the digital domain. There have been some reports in the press about the United States supposedly punching back at second-tier adversaries on occasion. But we've largely avoided this with Russia and China out of a fear of escalation. If a cyber attack shuts down Moscow for 24 h with no power, that's a problem. If someone were to shut down New York for 24 h, that would be a global crisis. As a result, for Russia and China, it's pretty much been open...