The United States is unprepared for and doesn’t have the right tools to play in the current cyberespionage and cyberwar landscape, necessitating the need for a new doctrine to lay out the rules of engagement, a key member of the Senate intelligence committee says.
“I fear that we’ve entered a new era of international conflict, one in which a nation projects strength less through traditional military hardware and more through cyber and information warfare. For the better part of two decades, this was a domain where we thought we had superiority. The thinking was that our cyber capabilities were unmatched. Our supposed superiority allowed us to write the rules,” Sen. Mark Warner (D-Va.) said in a speech Friday.
“China is exporting its cyber doctrine. The federal government is in no position to counteract this. We have insufficient capacity at the Department of State and DHS.”
Warner, the vice chairman of the Senate Select Committee on Intelligence, said during an event at the Center for a New American Security Friday that recent events have dictated the need for new rules and updates doctrines when it comes to information operations and offensive cybersecurity. Warner cited Russian interference in the 2016 presidential election, attacks on the email system of the Democratic National Committee, and other incidents as evidence of how things have changed. He said that the U.S. government was caught unawares by these attacks and remains unprepared to respond to such operations.
The reason for that, he said, is that the U.S. government has outdated policies regarding nation-state attacks and notions about how to react.
“We have failed to recognize that our adversaries are working with a totally different playbook. Countries like Russia are increasingly merging traditional cyberattacks with information operations. This emerging brand of hybrid cyberwarfare exploits our greatest strengths,our openness and free flow of ideas. Unfortunately, we are just now waking up to it,” he said.
"We are allowing other nations to write the playbook on cyber norms.”
Warner said the U.S. needs to continue its recent policy of attributing attacks publicly to specific countries or attack groups while also updating other areas of its doctrine.
“We should be linking behavior in cyber explicitly with policy. We should be clearly and publicly linking our actions and countermeasures with specific actions against us,” he said.
There has long been a debate in both government and industry circles about the proper response to a nation-state cyberattack. Much of that debate--as well as the actions themselves--take place out of the public view, but Warner said the U.S. needs to consider a broader range of responses when a foreign adversary attacks government or private networks. He said sanctions, retaliatory cyber operations, and even military responses all should be considered, depending upon the incident.
“None of this ended in 2016. This is an ongoing threat, and not just to the United States,” Warner said.
While some foreign countries have developed their own internal norms and doctrines on how to conduct and respond to cyberattacks and cyberespionage, Warner said the U.S. has failed to put together a comprehensive plan.
“Despite a flurry of strategy documents from the White House and Department of Defense, the federal government is still not sufficiently organized or resourced to tackle this hybrid threat. We have no White House cyber czar, no cyber bureau or senior cyber coordinator at the State department. And we still have insufficient capacity at State and DHS when it comes to cybersecurity and disinformation,” Warner said.
In his speech, Warner recommended that the U.S. try to work with its adversaries to establish guidelines and rules for how information and cyber operations should be conducted, and said that if other countries believe they can act with impunity, they will continue to do what they want.
“We need to develop shared strategies with our allies that will strengthen these norms. When possible, we need to get our adversaries to buy into these norms, as well. The truth is, our adversaries continue to believe that there won’t be any consequences for their actions,” Warner said.
“Failing to articulate a clear set of expectations about when and where we will respond to cyber-attacks is not just bad policy, it is downright dangerous. We are allowing other nations to write the playbook on cyber norms.”