May 24, 2016

In Keynote Address, Kaine Discusses Formulating Cybersecurity Doctrine And Investments In Cyber Workforce

WASHINGTON, D.C. – Today, U.S. Senator Tim Kaine delivered the keynote address at the Center for Strategic and International Studies’ event, “Cybersecurity After Information Sharing,” in which he argued that unanswered doctrinal questions and the effects of budget uncertainty have undermined the United States’ cybersecurity posture. Kaine supported the creation of a commission that would offer lawmakers policy recommendations on how best to strike a balance between strengthening national security and protecting individual privacy. Citing Virginia’s large cyber footprint, Kaine also called for greater investments to create a workforce ready to tackle the cyber challenges of the future.

“We’re at the epicenter of a changing digital landscape. Obviously many of the key federal agencies that work on cyber policy are headquartered or have a significant presence in Virginia, as do their employees. We have a private sector in the cyber space that is second to none, it’s a great hub for IT and cyber innovation. Virginia is second in the nation in the percentage of the workforce that is in technology jobs,” Kaine said. “We’re the hub of internet traffic in the world. Seventy percent of the world’s internet traffic passes through Loudoun County, which has the highest concentration of data centers in the world. …Even as a center of a technology workforce, second in the nation of percentage of workers in technology jobs, even in Virginia there are huge gaps. Our State Economic Development Partnership says there is one candidate for every three cyber security positions that are open in Virginia and this is in the state with the technology workforce, so we have a dramatic need to get more people into this field.”

Kaine’s full remarks can be read below:

It’s good to be back. I want to thank Jim for his kind words. This is a pretty amazing day at CSIS, I knew I was going to be here, there’s going to be this great panel to follow me that will really dig into these issues, but you’ve got a speech later in the day. Marty Baron will be coming to talk about press freedom in the Americas which is an issue of the deepest importance to the United States and something I’m passionate about. You’ve got speeches later on today about higher education and Russia, and since higher education is sort of the bellwether for predictions of the future of the economy, that is a real critical topic. If I just didn’t have pesky votes in committee hearings, I would just sit here all day long, but I’m anxious to come and get this started and talk about cyber.

The title of the discussion the panel will address, Cybersecurity After Information Sharing. I’m not going to talk much about the congressional information sharing bill, I’m going to talk about other issues. Issues that remain for us to grapple with, but we can’t just assume that the information sharing bill is going to be implemented no muss no fuss, there’s going to be a lot of implementation issues and I think you’re going to hear some of those from the panel as well, but it is good to be back. The last time I was here at CSIS, I was here to talk about the role of the President and Congress and especially, in my view, the abdication of Congress around war powers issues. I’m very happy to be back to talk about cybersecurity.

So I’m a good Virginian, and when I was here talking about war powers I talked a lot about Madison, so let me talk about Jefferson. Two great quotes of Jefferson that I love. One that was in his “Notes on the State of Virginia”, this wonderful book that he wrote when he was ambassador to Paris, that really was I think the first work of true American literature that has stood the test of time, and this is a quote that was incorporated into the Virginia constitution, “Progress and government and all else depends upon on the broadest possible diffusion of knowledge among the general population.” Now, Jefferson couldn’t have imagined a digital world where all knowledge was digitized and internet, search engines and servers where it could be at your fingertips, to have that broadest possible diffusion of knowledge among the general population, he couldn’t have imagined it but he was still talking basically about the world we live in, and the notion that diffusion of knowledge to all democratically, would be great for the individual but it would also be great for society, would be a guardian against tyranny and an error if information was available to all rather than just kept to some. He also said, “Light and liberty go together, openness and freedom go together, secrecy and tyranny go together.”

So those are two interesting thoughts as we contemplate the cyber challenges we have. They express a bias toward that diffusion of knowledge, the broadly accessible digital world that is both good for individuals and society. There is also a bias towards transparency rather than secrecy, so as we grapple with some of the cyber questions, working with privacy versus national security, Jefferson had a strong bias towards transparency rather than secrecy, but secrecy is different than personal privacy. Jefferson was also a strong believer in individual rights and that the individual should have some sphere that would be secure against any intrusion of government. That is also a Jeffersonian principle. So as we tackle these hard questions, some of that original wisdom of the greatest Virginian, I think most of us would feel that about Jefferson, a flawed person but we’re all flawed people but in terms of conceptualizing the future that we live in and beyond, very far-sighted.

I want to offer three observations about cyber after the information sharing bill, about Congress and cyber policy, but first let me do a quick commercial for Virginia, since I started with Jefferson, to tell you why this is important to me as a Virginian and many of you are Virginians in this room.

We’re at the epicenter of a changing digital landscape. Obviously many of the key federal agencies that work on cyber policy are headquartered or have a significant presence in Virginia, as do their employees. We have a private sector in the cyber space that is second to none, it’s a great hub for IT and cyber innovation. Virginia is second in the nation in the percentage of the workforce that is in technology jobs.

It’s kind of an interesting stat because our biggest industry sector in Virginia is still agriculture and forestry, so to have agriculture and forestry as the biggest by GDP but to be second in the nation in percentage of workers who work in technology jobs shows you something about the evolution of an older economy to a new one, and frankly, now agriculture and forestry are now high technology jobs too, but the workforce we have is a workforce that is very connected with these cyber questions.

We have strong colleges and universities, institutions training that workforce and, this is huge for Virginia, we’re the hub of internet traffic in the world. Seventy percent of the world’s internet traffic passes through Loudoun County, which has the highest concentration of data centers in the world, and that really started probably and attained critical mass with AOL and even though we’re many chapters beyond AOL and the kind of digital space, that really helped defense contractors, other federal agencies, AOL really helped ground that federal industry heavily in Virginia.

Lastly and sadly, we also have a lot of cyber attack victims. The OPM breach that took all of that data from these employees, both government employees like me but also contractors who were doing work with the government has affected Virginia very dramatically, and I know probably everybody in Congress and the Senate has had to deal with the aftermath and questions and people mad about it, but in Virginia we have a lot more people who are mad about it than in other states.

The three issues I want to spend my time on today, and they’re the issues I’m grappling with in my own committee assignments, are basically these: cyber doctrine; the debate over the security-privacy balance; and then third, cyber security investment. Let me just tackle three.

On cyber doctrine. So I’m a member of the Senate Armed Services and Foreign Relations Committees, and have an opportunity in those committees, I’m not on Intel, but on SASC and SFRC have an opportunity to do an awful lot of cyber-related hearings. Let me just give you some snapshots of hearings that I’ve attended in my time in the Senate.

An Armed Services hearing a couple of years ago the head of Cyber Command was testifying and talking about cyber and used the phrase, “in some instances, a cyber attack could lead to war,” so when it came time for me to ask questions, I said, “OK, so a cyber attack is by definition not war? It’s something short of war, like electronic vandalism or graffiti but it’s not war itself? I could hypothesize situations where a cyber attack would do as much damage to our nation or others as any war would do.” The witness said, “Well, I wasn’t exactly sure that’s what I meant” but at least in the description of the key decision-maker, a cyber attack was somehow short of war.

Recently we had a hearing in Armed Services again with Cyber Command, this was a posture hearing we had in March, and this was the way the hearing was set up: the testimony was heavily about all the cyber attacks that we’ve been subject to. The Target’s, the OPM’s, the Sony’s, the big ones were discussed at length and then there were also some statistics given about the number of cyber attacks we’re subject to everyday. I’m still relatively junior on the committee, so I’m really late in asking questions and everybody asks questions before I do. This testimony just frightened us all with the number of attacks we’re under, so I decided I would play a trick on my witness and when the questioning got to me, I said, “Ok, you’ve told us all about these cyber attacks we’re subject to, the numbers and the particulars, give me a great example of an instance where the US has effectively responded to a cyber attack.

He said, and I knew he would say this, “We’ll have to do that in a classified setting.”

I said, “Really? So you’ve been very willing to talk about all the particular attacks we’re subject to, many of which are in the news, even the numbers of attacks, and when we have other hearings in this Committee about the war against ISIL we will talk to the number of bombing runs we’ve conducted, how many troops are deployed, how many dollars we’ve spent, so we will talk about what we’re doing in other areas, and we’ll talk about the attacks we’re subject to, but you won’t even share one example publicly of how the US has responded to something in cyber?”

“No, we’re going to have to do that in a classified setting.”

Well can you imagine that the American public, if they’re only hearing publicly about the attacks we’re subject to rather than what we’re doing maybe they would feel pretty anxious about this? They might feel like their government isn’t really doing anything? That they’re not really responding? Of course we are, but if you don’t share it, what confidence are you giving your citizens that you’re on top of it?

We’ve had other discussions including in this one where Senator King has been really focused on this issue, if you’re not willing to talk publicly about what you do, do you have a deterrence doctrine? Is there such a thing as a deterrence doctrine that you keep secret? If you keep it secret is it deterrence? We had a deterrence doctrine and we have one with respect to nuclear and other military doctrines, but if it’s all kind of on the down low with respect to cyber, then how are we deterring attacks? We’ve had extensive areas where we’ve challenged the administration over deterrence.

Then when we have the commander of EUCOM in, and we talk about NATO, here is another question we’ve asked. When would a cyber attack trigger the Article 5 collective defense obligation of NATO? Obviously if Vladimir Putin crosses into a NATO jurisdiction with Russian military assets that’s one thing, tanks or troops, but what if there is a well-documented and clear effort to destabilize the power sources of the communications network or destabilize an election? There already have been efforts to do that. When does that rise to the level of an attack that would trigger a defense obligation? And when we asked that question, we’re basically told, “We’re starting to have those discussions but we don’t yet really have an answer to them.”

So I think the real issue, and in some ways it’s funny because this is what I talked about last time when I was here, I talked about doctrine. The real question, and in that instance the doctrine I was talking about was war powers doctrine, we’re doing things, we’re taking steps, we’re reacting but the doctrine that tries to rationalize what we’re doing I think is sorely lacking and I would say the same in the cyber space.

What is a proportional response to a cyber attack? How do we make plain that we will undertake it either in the cyber domain or in another domain? And what is the right role for the government to undertake steps including proportional responses when the cyber attack is not on the government but on a private sector like Sony? I think these are big questions.

I think our technologies have raced ahead of our doctrinal effort to provide answers to these questions, and then make them public so our citizens know we have a doctrine can feel some comfort thereby, and our adversaries can know as well and hopefully feel deterred.

I do think in this first area that Chairman McCain and the other SASC members are really starting to focus on this, and as I’ve had discussions with folks especially at DoD and the intel agencies, I think they’re running to catch up on the doctrinal questions. There are discussions going on in NATO about the collective defense obligations, but more work in the areas are absolutely critical because technical solutions and tactical decisions should ultimately advance an overall doctrine rather than be one-by-one, or one-off case-by-case reactions. So I think the first issue I want to put on the table, and hopefully the panel will discuss is the need for more doctrine and the status of those doctrinal discussions.

Second thing I want to talk about is the balance between privacy and security that is raised so starkly by the FBI-Apple case but that are many other cases that raise it as well. I want to just offer you an observation about this, and I guess my punchline is, though Congress is ultimately responsible for legislative activity in this area, we’re uniquely unqualified to make these decisions. Uniquely unqualified and let me explain why.

There are two principle approaches right now being discussed on the privacy-security balance in Congress. Senators Feinstein and Burr have a proposal that would require a person or company to provide law enforcement with information or technical assistance upon a specific court order, it would be a defined proposal to try to avoid using the All Writs Act which is more generic and not necessarily tailored to this kind of information, and that is a proposal that is within Intel on the Senate side right now that is being bandied about.

Another proposal that's a little bit different, is a bicameral one, a proposal from Senator Warner and Chairman McCaul on the House side to propose a sixteen-member digital security commission to assess the broad issue of digital security, not just the encryption question, obviously that would be part of it, but the broad issue of digital security and then make recommendations to Congress, hopefully, in a relatively urgent time horizon.

This is modeled after the 9/11 Commission and it would include, hopefully, technology experts and privacy experts and folks from the business sector who understand if we make changes, how that might affect both US companies and US technologies, would it chase people to other technologies. And, obviously, national security leaders and the idea would be the commission would grapple with this and could make a recommendation.

Now, I know, there's kind of a reaction to, “Oh, man, another commission. Just what we need.” But I actually think it would be a good idea to do that commission that could then forward material to Congress and I’m going to tell you why I like that. I would prefer to do that rather than jump right into Feinstein-Burr and I’m going to give you a reason you may not have thought of, but as soon as I explain it you will immediately get it. The question of privacy versus security is about a careful balancing of really important interests. As I said, while members of Congress should have the ultimate responsibility for voting on legislation to try to strike that balance, we're uniquely unqualified to do it for this reason.

There's no area where a member of Congress is more different than the American public than in a reasonable expectation of privacy. Members of Congress, the 535, we're different than the American public in a whole lot of ways, but I would argue there's no area we're fundamentally more different and that we have long ago surrendered any expectation of privacy and we have forgotten what it is to have an expectation of privacy.

I started in politics in 1994 and it was pre-YouTube and essentially pre-internet. I still at that point as a city council person had some expectation of privacy, but I have none now and nor do anybody else in my line of work. So if you give us the task of striking the balance between privacy and security, first, we will overvalue security and of course we should. That should be the top priority of everybody in Congress is to protect national security and so we will be extremely diligent about that and we should, but we will undervalue privacy because we've forgotten what it's like to have any privacy. So if trying to strike that balance is something that is for Congress, we're doing to strike it in a way that I don't think we'll fairly take into account the legitimate privacy interest of American citizens.

Now, that question, “What is a legitimate privacy interest of the citizenry, the private citizenry?” is a very complex question. It's not easy. There's got to be some – to strike the right balance – some expectation of what is a reasonable expectation of privacy. Most citizens knowingly or unknowingly surrender that privacy every day in the commercial sphere and there's sort of an issue of how relevant is that repeated surrender to the question of how much privacy vis-a-vis government individuals would be entitled to.

So there's all kind of challenges as you get to trying to decide this issue about the scope of a legitimate individual privacy interest, but Congress is just not the right body to do that. And we would really be benefited by a commission of people that includes folks who can remember what it's like to have a private sphere and would also respect the national security interest trying to set that balance. So rather than rush in to a solution where we haven't really sussed out the scope of that individual, legitimate privacy interest, I would say we should get that done and hopefully get it done with some dispatch because I think those recommendations back to us would really help us grapple with it. That's my second thought.

My third thought is in the cyber security investment area. We have to invest more in cyber capacity and I think this is one of the areas of government that has been most affected by budgetary uncertainty. If you look at sequester, shutdown, furloughs, continuing resolutions instead of budgets, they’ve had an effect on everything we do, but I would argue it might have had as much or more effect on cyber as anything else because first, it's coincided with the time where the need and the acknowledged need for increased cyber investments has really been ramping up just as that's been happening, we ran into March 1, 2013 going into full-on sequester and then needing to figure it out.

The cyber workforce is incredibly in demand right now, so some of the budgetary austerity or budgetary uncertainty that people are looking at career paths, and they're going to look at one with the government that seems really uncertain and they'll look at all other kinds of opportunities, I worry that our budgetary uncertainty basically chases talent in another direction.

On the Budget Committee, I came into office with sort of two goals in mind on that committee. First, a very state-centric kind of Governor's type goal which is I really like two-year budgeting, every state does two year budgets. At the federal level we do one year budgets when we do budgets, but states do two-year budgets and they do two-year budgets because it's good for predictability. Predictability is wonderful for our own people. Predictability is even more wonderful for the private sector, so that everyone can understand the parameters and what they're going to be dealing with and then adjust accordingly.

We have now done two two-year budgets in a row. It was ugly getting there, the first happened only after the shutdown of government and the second only happened after the Speaker decided “I'll resign to do a two-year budget deal.” I don’t think we can count on a cataclysm every two years to get us to a budget deal but at least we're moving back towards some level of predictability.

But I’ll tell you, when I go out and talk about budgetary issues to Virginians, and I try to make the case for why sequester and budget caps, the BCA strategy that was voted on in August 2011 and the caps that went into place March 2013. When I try to tell them why it's bad, I always use cyber as my example. So the BCA caps, basically in sequester held harmless safety and its spending on Medicaid, Medicare, Social Security and core war fighting expenses, those were held harmless, but everything else nondefense discretionary and defense other than core war fighting, were all affected by sequester, so it's kind of like artificially we're going to hold everything down.

People say, “That's great. We should save money.”

I say, “How many of you think we’re doing too much on cyber right now?” Of course no one raises their hand.

“How many think we need to do more on cyber?” Everybody raises their hands.

So why should cyber, when it's not core war fighting get affected like everything else? The notion of across the board anything is foolish from a management standpoint, especially areas where there's a wide recognition that we're doing too little, not too much.

The first thing that we need to do on the investment side is hopefully get this BCA and sequester behind us. For the third year in a row, in the NDAA markup on the Senate side I’ve gotten included anti-sequester language calling for an end or a dramatic mitigation of the sequester both in the defense and non-defense accounts. A lot of work we do in cyber is obviously done in DHS. That is a non-defense account and to the extent BCA caps hit DHS, cyber gets affected, so the NDAA which will be taken up on the floor starting later this week and after Memorial Day in the Senate, I’m really going to try and do again what we’ve done the last couple of years which is if not eliminate at least lift or mitigate the effects of cyber cuts. And if we do that, then we have to make the right investments and the right investments are at least twofold and then I’ll be glad to open it up and take some questions.

The first one is workforce, when Jim introduced me, he talked a little bit about work that I do. Virginia is a center for technology workforce, not the only center – there are other states that have huge expertise in it too, Maryland, California, other states – but even as a center of a technology workforce, second in the nation of percentage of workers in technology jobs, even in Virginia there are huge gaps. Our State Economic Development Partnership says there is one candidate for every three cyber security positions that are open in Virginia and this is in the state with the technology workforce, so we have a dramatic need to get more people into this field.

This is one of the reasons, among others that when I came into the Senate, I didn't get put on the HELP Committee, health, education, labor, pensions is a committee I really wanted to be on, but I realized you don't have to be on the Committee, you just have to pick an issue that nobody on the Committee is championing, and I picked up career and technical education.

I grew up in a manufacturing house. My dad ran an ironworking and welding shop. I ran a vocational school in Honduras 35 years ago. The US sort of systematically downgraded the importance of career and technical education over the course of a few generations, but now there's a renaissance and it's coming back and cyber is one of those areas where trained technical talent does not necessarily have to have a college degree, there are other ways to get the skills, to verify validated skills that you need to be a player in this area.

So this is one of the things we're working on, we put in important career and technical advances into the rewrite of No Child Left Behind, the Every Student Succeeds Act. We're now working on Perkins Act reauthorization, do the same thing when we get to Higher Ed Act reauthorization will work on CTE advances that will include cyber.

In Virginia, the McAuliffe Administration – I've got to mention that because my wife is his Secretary of Education, my wife Anne – they're also doing major work in this workforce area to expand the cyber workforce; the redesign of high school curriculum to include more CTE and cyber courses; the effort to designate community colleges around the state as National Centers of Academic Excellence in Cyber. Tidewater Community College, down in Hampton Roads, just became the third Virginia community college to receive that designation.

We have to have both the federal and the private sector workforce necessary to meet that challenge and some of that is going to be integrally tied up with our work on Perkins and Higher Ed Act reauthorization to promote this work force. In addition to the work force we’ve just got to shore up our investments in technologies and platforms.

I visited FireEye, one of the cosponsors of today, and they're a wonderful powerful leader in this field in Virginia and I visited their office in Reston last fall and we had an extensive discussion about the problematic reliance of many federal agencies on unsecure systems that are legacy systems, but they're unsecure because there hasn't been the dollars available to purchase the upgrades, to either make upgrades that can be made or to find new systems that would be more secure and largely this has been because of the budgetary uncertainty sequester budgetary caps.

So if we can find the path out of BCA and sequester, and I’m not talking about just for – I am kind of a budget hawk – I do believe in the management of debt and deficit, I just don't believe you do it by across the board gaps, I think that's foolish. I think you have to manage that through targeted strategies that involve both sides of the balance sheets, revenues and expenditures, but across the board reductions that hit accounts that are so important in the cyber world are very foolish given the needs we have.

I'll conclude, maybe take a couple of questions. The information sharing bill that we did was sort of in law, we call it necessary but not sufficient. It was very important that we do that and it was good to kind of have some discussion with folks working on this issue as the implementation was underway, companies are kind of starting to get used to the notion of sharing. Companies are starting to get used to the notion if they do share, they get helpful tips back about things they should prepare for or watch for, but there's a lot more of that to do and we hope that will ramp up, we'll talk about implementing it.

But I do think these areas of further development of doctrine grappling in the correct way with the privacy-security balance and then getting over some of these budgetary malpractices so that we can make the investments we need to do and people and systems are the next beyond information sharing issues that Congress should tackle.