Published by The Lawfare Institute
in Cooperation With
Editor's Note: This post contains the text of a speech that Sen. Mark Warner (D.-Va.) delivered on Friday, June 8 at the National Security Agency’s 29th annual Law Day.
Good afternoon. Thank you, Glenn, for that generous introduction and thank you all for the warm welcome. I am delighted to be here and want to thank NSA for hosting Law Day.
I also want to congratulate the Hon. Judge John Bates, a senior judge on the U.S. District Court for the District of Columbia, on being the 2018 recipient of the Intelligence Under Law Award. Judge Bates has dedicated his professional life to upholding the rule of law, and confronting the unique issues at the intersection of intelligence and the law. President George W. Bush nominated Judge Bates to the District of Columbia on Sept. 4, 2001, exactly one week prior to the tragic events of 9/11. His career on the bench has been largely shaped by the fight against terrorism, including serving as the presiding judge of the Foreign Intelligence Surveillance Court from 2009 to 2013.
Judge Bates is the consummate public servant and his reputation on the bench precedes him. I am delighted to share the stage today with someone as well respected and broadly admired as Judge Bates.
I. Rule of Law: Need to Maintain Strong Institutions
Today’s theme—the rule of law—could not come at a more critical time for our nation. Preserving the rule of law, and trust in our institutions, is important to maintaining U.S. national security. Our adversaries and competitors, including Russia, North Korea, China, and Iran, would like nothing more than to witness the collapse of the U.S.-led international order and the foundational legal standards upon which it is built.
The dedicated professionals in this room know that intelligence has helped to secure our people and our freedom since the founding of this nation. In the revolutionary war, the Sons of Liberty patrolled the streets in search of signs of British raids. At Bletchley Park during World War II, the British broke the infamous Enigma machine, helping save the lives of countless allied troops in Europe; and codebreakers in the Pacific helped win the fight against fascism. During the Cold War, the threat of nuclear war accelerated the need for first-rate intelligence gathering, and increased the costs of failure.
But our national security agencies are only as strong as the trust that they hold with the American people, and with our partners across the globe. Absent trust, our allies will refuse to share critical intelligence on potential terrorist attacks, nuclear proliferation, or other threats—information that our leaders require to keep this country safe. Without trust, our citizens will not volunteer to the FBI the information needed to prevent deadly attacks. Without trust, the intelligence community cannot operate.
A free and open society, demands that no person or institution is above the law. It demands that truth and justice remain paramount.
Partisan fights, congressional investigations, accusations of corruption, are nothing new in America—in fact, our system of checks and balances encourages vigorous and open debate and discussion. We have seen some difficult times in this country, and we always rise to the challenge.
But today is different. We are witnessing a sustained, unrelenting, and unjustifiable attack against the institutions that the professionals in this room have devoted their lives and livelihoods to serving.
Even more troubling, these attacks are not coming from the fringes of society. They are coming directly from the top of the very government that holds the constitutional responsibility to enforce the laws fully and fairly.
Every day, we see a White House that openly disregards the norms and traditions that we developed over the last two centuries to keep us safe. This White House is breaking basic norms that have always governed our intelligence and law enforcement efforts, regardless of what party is in power.
A recent case-in-point was the White House effort to force the release of classified information, information that would reveal the identity of a confidential human source who reportedly worked on our behalf for decades. Maybe even worse, the White House was seeking to transmit this information not through any of the normal channels we have designed to handle sensitive intelligence—like the “Gang of Eight”—but instead, wanted to share it only with members of Congress from one political party.
If anyone in this room tried to handle sensitive information that way, they would be fired. This cannot be the way our government works and, it now appears that this unfounded story continues to play itself out based on recent media reports.
Increasingly, there are rumors that the White House will use—actually, abuse—the presidential pardon power to stop the special counsel’s investigation. Let me remind everyone that the law is clear: the pardon power is not a tool for self-protection. No man is above the law.
It is unfortunate that, as I stand here, I feel it necessary to warn you: There may come a time in the not-too-distant future where this White House might take further actions to undermine rule of law. If that day comes, history will judge all of us on how we react in that moment.
And this challenge to our democratic institutions and rule of law is not just happening at home. Russia and China have openly challenged our democratic ideals and are engaged in an active effort to undermine the fundamental principles of a free and open society. Today, we are engaged in a geopolitical and ideological struggle in defense of our democracy that rivals the Cold War. In some ways, it is even worse because during the Cold War, “politics stopped at the water’s edge.” Today, we are allowing ourselves to be divided from within and not sufficiently resisting efforts to divide us from without.
Silence in the face of such a serious ideological challenge is not an option. Russia and other foreign adversaries would like nothing more than to see the United States continue to distance itself from democratic allies, and surrender our leadership position in a rules-based international order that has kept the world peaceful and prosperous since World War II. They would like nothing more than to shake the confidence of the American people in their leaders and in their elections. In launching attacks designed to undermine faith in the rule of law and assaulting the rail guards of law and order, our own leaders are doing the dirty work of our enemies.
Our foreign adversaries would also like nothing more than to undermine the legitimacy of our intelligence and national security agencies that protect us. I firmly believe that our institutions are strong—thanks in large part to the people in this room. Some types of damage to may yet be repaired; talented professionals can be rehired ... new leadership can restore faith in our institutions ... and budgets can be replenished.
But other types of damage have permanent consequences. The damage to our foreign partnerships, once done, cannot be reversed overnight. Once squandered, the faith and trust of the American people will not be easily or quickly regained. Rather, foreign relationships and intelligence sharing arrangements, to say nothing of the willingness of the American people and American industry to support and assist the IC, survive on a fragile foundation of trust and confidence. This foundation is easy to break but difficult to rebuild.
We need these partnerships with allies and with the American people to continue to collect the most accurate and timely information in the world. One only needs to think back to the horrors of September 11th to know why intelligence failures are not an option, especially as new cyber tools, terrorist organizations, and the proliferation of nuclear weapons create increasingly complex demands on our national security agencies, demands we will simply not be able to meet without help from overseas, from U.S. citizens, and from U.S. companies.
In the face of political challenges at home and abroad, we must defend the democratic principles that have defined our nation since its founding and stand up for the laws and institutions that keep our country safe.
II. Cyber Doctrine, Creating New Norms in the Digital Age
Today’s struggle to protect our institutions and defend the rule of law is further complicated by the pace of technological change. New technologies—companies such as Amazon, Twitter, Facebook, and Google—have dramatically changed the way that we as individuals both share and consume information, with the simple click of a button.
Emerging trends such as unmanned and autonomous transportation technologies, artificial intelligence, robotics, and quantum computing have the potential to transform our way of life.
As a former tech entrepreneur myself, I’m a big believer in the power of technology. These technologies are bringing healthcare and education to new corners of the globe ... democratizing information ... and accelerating human progress. As a nation, we do more business online than ever before, trillions of dollars each year.
However, our increased reliance on the internet has also created new threats and vulnerabilities. As American businesses increasingly operate in the global economy, they are also being targeted by hackers and other nefarious actors.
Just think back to the 2014 Sony Pictures hack by North Korea that erased the content of thousands of computers, released embarrassing internal emails, and intimidated Sony into curtailing the movie’s release. Or, more recently, the 2015 China “Great Firewall” attacks that stopped service on a number of U.S. websites as retribution for content that Beijing found objectionable.
We are witnessing malware threats to our stock exchanges and banking systems, attempts to access and hold at ransom some of our critical infrastructure, cyber attacks that seek to compromise air traffic control systems, and constant intrusions into federal networks.
To put the size and scope of these cyber threats in perspective: Defense Department systems are probed by unauthorized users roughly 250,000 times an hour—over 6 million times each day. A single intrusion can steal and leak petabytes of sensitive data. While we have made strides on cyber-security best practices, such as more secure methods to authenticate users and encrypt sensitive data, we have not figured out how to implement these defenses at scale.
The use of misinformation and disinformation on social media platforms compounds our cyber challenges. Russian intelligence operators have begun to skillfully combine cyber hacking and digital espionage with our own social media platforms, which allows influence operations to reach millions and millions of Americans. While disinformation campaigns have been employed for decades, today they are having an even more devastating effect. Facebook has estimated that a Russian troll group reached upwards of 150 million people on its platform alone. I hope that these activities did not have a substantial impact on the final vote tally. But we will never know that for sure.
We are facing a new, more complex threat that involves technology companies as well as social media. The use of disinformation in social media platforms, once the envy of Wall Street and used by our children every day, is an immense challenge. When you put together the cyber threat and the use of disinformation, now we have a real problem.
To give one example, if your personal information was taken during the Equifax hack, today foreign adversaries can use that data to target you on social media by creating false content that pretends to come from your friends and family, from the people you trust. This content can now include the use of so-called “deep fake” technology that can literally put words into someone’s mouth that they never spoke. We’ve mostly focused on how these threats will impact our politics, but we cannot ignore the potential effects for business, the markets, or public health.
No sector is immune. For good and for bad, cyber is changing every facet of the world that we live in. Unfortunately, our legal structures are failing to keep up with the digital age.
Our prior focus on counterterrorism efforts, radical ideologies, and rogue states such as Iran and North Korea, reduced the attention we paid to rising near-peer adversaries, namely China and Russia. We have the world’s preeminent military, but that physical battlefield dominance led our adversaries to develop capabilities for the 21st century battlefield—cyberspace. Russia spends roughly $70 billion a year on their military. We spend ten times that. But we’re spending it mostly on weapons designed to win wars that take place in the air, on land, and at sea. We must expand our toolkit so we can win on all the 21st century battlefields.
This happened because, for over a decade, U.S. administrations from both parties have shown complacency in the face of their growing cyber-aggression. China and Russia have honed their cyber tools to target U.S. government and society. We have allowed our adversaries to conduct cyber activities against us with little or no response.
Just last fall, former NSA Director and U.S. Cyber Command chief Adm. Mike Rogers told Congress that he still had not received direction from the White House to disrupt Russian cyberattacks targeting U.S. elections despite the unanimous assessment of the heads of our intelligence agencies that Russia interfered in the 2016 elections and plans to do so again.
This is unacceptable. Failing to articulate a clear policy and to set expectations about when and where we will respond to cyber-attacks, is not just bad policy. It is downright dangerous.
The absence of such a doctrine governing responses to cyber-attacks allows for rapid, unpredictable escalation because our adversaries do not know what actions will trigger what responses. It took centuries of land-wars to define rules of armed conflict and create militarily norms around proportionality, meaning what type of actions will trigger limited or full-scale military responses. There are no rules of the road in cyberspace, which leaves us open to an accidental conflict. And the absence of an overt response to prior cyber-attacks leaves the public and other nations with the impression that those activities are acceptable. What message does it send to China about interfering in elections across Southeast Asia and sub-Saharan Africa if Russian interference in the U.S. elections has ostensibly elicited little U.S. response?
When it comes to cyber norms, we are allowing other nations to write the playbook. All of you in this room know better than anyone that creating universal cyber norms is not an easy task. We will need the help of everyone in this room to strike the right balance between protecting our national security without stifling innovation and our companies’ competitive edge.
As digital life continues to evolve, we will need to consider how to reconcile different nations’ notions of digital privacy, different expectations around cybersecurity, and different uses of cyberwarfare. Countries like China and Russia, for instance, view the control of information—offensively via disinformation and defensively via censorship—as within the domain of cybersecurity. We will also need to develop the ability to accurately and transparently attribute cyber-attacks, if these norms are to be enforceable. We will also need guidelines on social media, and a better understanding of the “social compact” between individuals, companies, and government on and the responsibilities of each party to secure our cyber-domain.
At the same time, we need to tread carefully here. I have absolutely no desire to “kneecap” our social media companies—which are, after all, great examples of American innovation and ingenuity—only to have them replaced by Chinese tech giants that are only accountable to the government in Beijing.
During the Cold War, the United States undertook a long and concerted campaign to educate our adversaries and allies on the risks of conflict in Europe and the costs of a nuclear war. For example, we invited the Soviets to our military exercises to show them firsthand the speed of deployment and risks of escalation. They brought their own stopwatches and timed the speed of deployment. While it seems obvious now that nuclear war is untenable for humanity, it took years to convince other nations that there is no such thing as “limited” nuclear war. For nuclear weapons, the only choice is zero tolerance.
Today, we need to undertake a similar campaign to work with other countries to set forth a common set of standards governing cyber. We need strong and predictable rules that keeps people, products, ideas, and capital flowing. And that also protect our critical systems and national infrastructure. Like we did with international treaties on chemical or biological weapons, the United States urgently needs to lead to establish the norms that will govern this behavior. And we are going to have to focus some of our own military spending away from 20th Century hardware to focus on our own cyber tools and defenses.
Because of a failure of American leadership, we are allowing the Europeans to define new notions of digital privacy that are binding on our largest data and technology companies, and changing the way that they do business. U.S. companies who fail to comply with the General Data Protection Regulation that went into effect just two weeks ago, can incur hefty penalties. Whether or not you agree with Europe’s approach, I think that we all can say that the United States should be leading those discussions around personal privacy and cybersecurity—not following from behind.
I don’t have all the answers. We live in a complex world, where adversaries have the ability to combine cyberwarfare and disinformation campaigns and can coopt the same technologies that underpin our economic edge. While we still attempt to understand what happened in 2016 with fake accounts, bots and misinformation, new technologies—such as audio and video manipulation, so-called “deep fakes”—are emerging and will present even greater challenges as we head into the 2018 and 2020 elections.
Our nation has weathered difficult times before. Many in this room remember the horrors of Sept. 11 and are haunted by the signs that we missed leading up to the attacks. But the efforts of intelligence community in the wake of 9/11 cannot be overstated. The IC improved its capabilities, learned to more quickly and effectively share information at the state, local, and federal levels, and pioneered new cyber-tactics and tools. Ultimately, we created a framework that protected us while ensuring our citizens’ privacy, liberty, and fundamental rights.
Today, we face a new set of challenges—challenges to rule of law at home, challenges from autocratic powers abroad, and challenges posed by an uncharted internet domain.
Unfortunately, we cannot build a wall on the internet to keep foreign adversaries out. The only way to meet these urgent challenges is to work with other democracies to create common rules and legal standards. And to continue to uphold the rule of law at home. I know that we, as an intelligence community, as a government, and as a nation, are up to this task.
Thank you for what you do each and every day.