The US needs improved cybersecurity policies if it's going to catch up with the practices in the rest of the world, Sen. Mark Warner said Friday, adding that the government has failed to recognize the seriousness of the situation.
The Virginia Democrat, who serves as vice chairman of the Senate Select Intelligence Committee, said US cybersecurity fails to provide adequate protection of critical infrastructure or guard against the dissemination of disinformation online. He made the comments in a keynote address at the Center for a New American Security in Washington.
Cyberattacks and disinformation campaigns have presented a growing threat for governments around the globe, with hackers causing billions of dollars in damages online. Last year, the Russian military's NotPetya attack caused more than $10 billion in damages and wiped out computers at huge companies like shipping giant Maersk and delivery specialist FedEx.
Foreign propaganda remains a growing problem on social media, with companies such as Facebook uncovering disinformation campaigns that originate in Iran, Russia and other countries.
In his speech, Warner said these attacks will only get worse unless US policy evolves with the times. He proposed a new US cyber doctrine and suggested an international agreement on standards regarding cyberattacks and security.
"Countries like Russia are increasingly merging traditional cyberattacks with information operations," Warner said. "This emerging brand of hybrid cyberwarfare exploits our greatest strengths: our openness and free flow of ideas. Unfortunately, we are just now waking up to it."
Warner also criticized the US government's failure to focus on cybersecurity, specifically calling for the White House to acknowledge that Russian hackers undermined the presidential election in 2016. He noted the White House still doesn't have a cybersecurity coordinator, a position it eliminated in May.
Warner said it's "totally unacceptable" that federal agencies aren't using two-factor authentication for security. Senators found in September that only 11 percent of the State Department's staffers have the security measure enabled.
Warner called on lawmakers on Capitol Hill to improve Congress' security policies and practices.
"We have a long way to go on cyber hygiene and online media consumption habits," Warner said. "Let me be clear -- Congress does not have its act together either. We have no cyber committee."
Warner's proposed US cyber doctrine calls for five major changes:
Warner pointed to treaties like the Paris Call for Trust and Security in Cyberspace, which the US didn't sign.
"Our adversaries continue to believe that there won't be consequences for their actions," he said. "That needs to change."
Combating misinformation and disinformation
Warner said a solution to disinformation campaigns would have to be "society-wide." The doctrine calls for more regulation of tech giants, but it also asks for tech companies to take better control of their platforms.
"The major platform companies, like Twitter and Facebook, but also Reddit, YouTube and Tumblr, aren't doing nearly enough to prevent their platforms from becoming petri dishes for Russian disinformation and propaganda," he said.
"People need to be able to trust the connections they make on Facebook," a company spokesperson said in a statement. "We continue to investigate, remove additional associated fake events and Pages, and take action against those involved in creating them."
A spokesman from Oath, which owns Tumblr, pointed to a blog post from November discussing its efforts in stopping disinformation campaigns.
"None of the blogs contained any content related to the 2018 midterm elections, and all of the blogs were dormant since the 2016 election cycle," the spokesman said.
A Twitter spokesperson said the social network is investing heavily in fighting disinformation on its platform.
"We are constantly seeking to improve our own ability to detect, understand, and neutralize these campaigns as quickly and robustly as technically possible. We also believe that many stakeholders have a role in combating these threats," the company said in a statement.
Reddit and YouTube didn't respond to a request for comment.
Harden networks, weapons systems and IoT
Warner's proposal warned that internet of things devices pose the "most important emerging cyber threat to national security." Internet-connected devices are notorious for their poor security because many device makers ship gadgets with default passwords consumers can't change, or fail to provide needed security patches.
In 2017, four senators, including Warner, proposed the IoT Cybersecurity Improvement Act, which would require minimum security standards for connected devices sold to the federal government.
Realign defense spending
Warner said the government isn't spending enough on cybersecurity.
"I worry we may be buying the world's best 20th century military without giving enough thought to the 21st century threats we face," he said. Russia's budget for election interference in 2016 cost less than one fighter jet, the senator pointed out.
The senator called for presidential leadership to carry out his proposed changes to US cybersecurity policy. Last year the Trump administration signed , and in September it published a National Cyber Strategy, which allowed for government agencies to more aggressively hack US adversaries.
Warner said the US has to dramatically change its policies on cybersecurity, as threats continue to pour in.
"The true cost of our cyber vulnerabilities won't be sudden or catastrophic," Warner said. "They will be gradual and accumulating."
Originally published Dec. 7, 10:05 a.m. PT.
Update, 12:12 p.m.: To include statements from Twitter and Tumblr.