Commentary: WASHINGTON, D.C. (Nov. 8, 2017) - U.S. Senator Martin Heinrich (D-N.M.), a member of the Senate Armed Services Committee and Senate Select Committee on Intelligence, delivered a keynote speech at the 2017 International Conference on Cyber Conflict U.S. (CyCon U.S) on cyber threats and action we must take to keep the nation safe. CyCon U.S. is a collaborative effort between the Army Cyber Institute at the United States Military Academy and the NATO Cooperative Cyber Defence Centre of Excellence. The conference promotes multidisciplinary cyber initiatives and furthers research and cooperation on cyber threats and opportunities.
Senator Heinrich’s remarks as prepared for delivery are below.
Good afternoon, and thank you for inviting me to share a few words on the state of our cyber policy and strategy and the steps I believe we must take to make our nation more prepared for the very real threats we face today.
As a member of both the Senate Armed Services and Intelligence Committees, I have had a unique privilege of engaging in cyber policy and the leading strategists and decision makers in the intelligence community and our military.
Before I get started, I want to thank each of you here for what you are doing to make our nation safer in the face of new and extremely difficult challenges posed by cyber threats.
Successfully thwarting cyberattacks or taking proper precautions never earns headlines, and rarely if ever receives due recognition.
So I would like to say how grateful I am for what we are already doing right now to take seriously the cyber threats we face.
But I think we can all agree that we are not doing even close to enough to address this threat.
High profile cyber-attacks and information warfare campaigns in recent years—from Sony, OPM, and Equifax hacks to the Russian government’s interference in last year’s presidential election—have exposed a myriad of vulnerabilities in both our government and private sectors.
The lack of clear and strong responses to these attacks, even once we knew full well who was to blame, sent a message not of deterrence, but of open invitation to foreign adversaries and malicious cyber actors to keep trying to attack us.
In fact, as you all likely know, it has been reported that the same Russian military intelligence operatives responsible for last year’s DNC hack targeted attendees of this very conference with a weaponized phony invitation infected with malware.
Our increased reliance on the internet in the digital age has created new threats and vulnerabilities to our nation's infrastructure and even human life.
Critical infrastructure such as the electric grid, oil pipelines, air traffic control, and financial institutions all use the internet and can be manipulated, disrupted, and in some cases even destroyed.
And as we witnessed over the course of last year’s election, the democratic institutions responsible for protecting Americans’ ability to choose our own elected leaders are vulnerable to cyber-attacks and disinformation campaigns.
And that is to say nothing about the new threats and tools our military and intelligence agencies must adapt to in cyber warfare that play by a new and much more ambiguous set of rules than conventional warfare.
The future of warfare is moving further away from the battlefield, and closer to the machines and the networks everyday citizens have become so dependent on to live their daily lives.
In this new paradigm, determining and implementing the right approach has proven to be easier said than done.
I think it’s safe to say that, despite good intentions in Congress and the executive branch, after eight years of the Obama administration and ten months into the Trump administration, we have failed to formulate, implement, and declare a comprehensive cyber doctrine with the necessary sense of urgency.
This slow walking in the face of such a serious matter was unfortunately on display as recently as a few weeks ago when we held a hearing in the Senate Armed Services Committee.
The White House refused to have its top cybersecurity official testify as the committee examined our country’s defenses against cyber-attacks.
And the officials the administration did send presented us with an illustration of our federal cyber policy that was from January 2013.
A lot has happened in those last five years. I fear—and I think this is a widely held view among both Republicans and Democrats on our committee—that episode spoke volumes about our nation’s overall lack of preparedness in cybersecurity.
It’s not that we don’t have the right tools and resources. And it’s not that we don’t have some of our best and brightest minds in our military, at our national labs, and in our intelligence and national security agencies working to protect us.
We have simply lacked a strong cyber doctrine that sends a clear message to anyone who wants to attack us that they will be found out and that they will face consequences.
President Trump has repeatedly argued that ambiguity and unpredictability surrounding our responses to all of our national security issues is a good thing.
And, frankly, that approach is not all that different from the Obama administration’s repeated vague threats that our responses to cyber-attacks would be “proportional, perhaps not visible, at a time and place of our choosing.”
What deterrence value is there if our adversaries might not even be able to tell when, or if, we are going to retaliate?
One of my good friends on the Armed Services Committee, Senator Angus King of Maine, often references the “Doomsday Device” in Dr. Strangelove as it applies to cybersecurity policy. What good are our cyber capabilities if no one knows they exist?
It is imperative for the United States to communicate clearly to our adversaries the boundaries of what is acceptable in the cyber domain and to make clear that we have offensive capabilities that should deter any hostile cyber activity that crosses those lines.
Our frustration with a lack of a clear cyber deterrence policy led our committee to pass language in this year’s defense bill calling for the Department of Defense to make known to our adversaries the existence of our cyber capabilities to demonstrate that any foreign power will face enormous costs if they attack us.
A declaratory policy will tell our adversaries and allies alike that the United States has supreme offensive cyber capabilities, and that we are not afraid to use them.
I have also worked in the Senate over the last few years to try to pass legislation to shore up cyber defenses for critical infrastructure, including our electric grid, financial institutions, and state-run election systems.
Just last week, Senator Susan Collins and I introduced the Securing America’s Voting Equipment Act to help states upgrade the physical, electronic, and administrative components of their voting systems.
Our bill will also require the Director of National Intelligence to work with state election officials to ensure they have the appropriate information to protect their election systems from security threats.
But we must acknowledge that developing the best and most advanced cyber weapons and defenses will never be enough.
Cyber warfare and the information warfare and foreign influence campaign we witnessed during the 2016 election was just the beginning of what will likely be the new normal.
Our adversaries will not stop trying to infiltrate our institutions and conduct campaigns that benefit their interests.
Vladimir Putin surely views last year’s meddling in our democracy as a resounding success for his interests.
The Russians successfully used online tools and bots to target Americans’ social media newsfeeds with propaganda and fake information.
When the Russians selectively released hacked information, the American media reported on the contents of hacked emails they saw as salacious political gossip, instead of checking for attribution of how this content was stolen or telling the public about the deeper threat the hacking posed to our democratic process.
And a large reason for that is because the government took far too long to react defensively and hesitated for far too long to publicly attribute and forcefully retaliate to this attack on our democracy.
We took the bait, and the Russians caught us hook, line, and sinker. Americans as a whole now view our political process, our media, and our very democracy with more skepticism and cynicism.
And the President’s efforts to cast doubt on our investigations and his utter lack of interest in learning how to prevent a future similar attack on our nation’s democratic institutions make it all the more difficult to take the steps we need to take.
But I remain determined to do all I can to learn the full truth of what we’ve done right and wrong, and to create policies that will prepare us for the threats that lie ahead.
We all have a critical role to play in defending our country.
Not only the federal government, the military, and our national security agencies, but also private sector companies and even individuals.
We need to educate and train the next generation of cybersecurity professionals and cyber warriors who will keep our institutions and networks safe.
We must teach all Americans how to be diligent in protecting their private and personal information.
And most importantly we need to educate the public about the landscape we now live in, so they can learn to critically evaluate the information they read online and work alongside all of us to protect the integrity of our American institutions in the digital era.
Thank you once again for all that each of you are doing to take on this complex and difficult but vitally important effort.