NBC "Meet the Press" - Transcript: Interview with Mark Warner
Interview
BREAK IN TRANSCRIPT
CHUCK TODD:
And joining me now is Democratic Senator Mark Warner of Virginia. He is, of course, the chair of the Senate Intelligence Committee. Senator Warner, welcome back to Meet the Press. The FBI Director Christopher Wray in a Wall Street Journal interview essentially invoked 9/11 in sort of how to deal with these asymmetrical groups, these cells. Well, we called them terrorist cells in 2001 and 2002. Are these cybercriminals terrorists?
SEN. MARK WARNER:
Well, Chuck, let's step back and look at this problem. We've been talking about cyber for a long time, but finally the American public is starting to wake up to the ramifications of these attacks. There's generally been two types of cyber incidents. One, where a nation-state steals information. Two, where cybercriminals come in and threaten to shut down a system and demand ransomware. We've seen these individual attacks against pipeline companies, ferry companies, meat packing companies. What I'm really worried about is if we saw the kind of massive, across-the-system attack that took place last year, the SolarWinds attack. There Russians got into 18,000 different companies. If that attack had been an effort to shut down our system, our economy would have come to a halt the way when Russia attacked Ukraine. So, I think we ought to do three things. One, we ought to put in place, we've got bipartisan legislation to do this, to require that when companies get attacked, they notify the government. There is no requirement right now. Second, we do need international norms, so that when cyber groups out of Russia, because they're not just attacking us, they shut down the Irish healthcare system, we need international norms. And third, we need to have more transparency. There's going to be a debate about whether these companies should pay ransomware. But there ought to be more transparency, if a company does pay, so we can go after the bad guys.
CHUCK TODD:
All right. You have pre-answered a couple of questions I had, but I'm going to pick up on that last point. Should we make it illegal to pay ransoms? I mean it's a simple -- many people think this is a simple solution, right? You don't pay the ransoms, the attacks will stop coming.
SEN. MARK WARNER:
Well, I think that's a debate worth having. I'm not sure what the answer is at this point. Because the alternative, if you shut down a system, and in the case of Colonial Pipeline, we saw even after they paid the ransom it took five days. But what we should make sure, as we have that debate, let's make sure if companies do pay, there is transparency to those payments. Last year, I worked on legislation that became law to tighten up our, you know, illegal cash payments, the use of dummy corporations. America was frankly not even at international standards. We need more transparency. Because right now what's happening around ransomware, not only are the companies often not reporting that they are attacked, but they're not reporting the ransomware payments.
CHUCK TODD:
Look, I want to get to the ransomware payment issue in a second, but I want to talk about -- you said you want to make it basically illegal to not report a ransomware attack, if you're a company based in the United States. What about a step further where you mandate a minimum level of security? If you want to be a defense contractor, you have to prove your ability to handle classified information. You know this very well. At some point, is that how Colonial has to be treated? JBS? Anybody that sells essentially goods and services in the United States?
SEN. MARK WARNER:
Chuck, here's the challenge. We do need higher cybersecurity standards. There ought to be penalties. I think many of us remember a few years back when Equifax lost all our information. In that case, it was to the Chinese. They were totally negligent. So, there does need to be, I believe, some level of liability for companies that don't hit these standards. But the truth is when you've got a tier one adversary like Russia or China, not so much these cybercriminals but a tier one adversary in terms of their spy services, it's tough to be 100 percent perfect all the time. That's why if we have an incident reporting requirement mid-attack and I give the company some limited liability protection, and that needs to come into the government but also share with the private sector. Microsoft, Amazon, the Cloud providers, the other cybersecurity companies. We need to have a public-private response team to this, and that's going to require that mandatory reporting.
CHUCK TODD:
Look, there's another idea that's out there. Simply this, in the Wall Street Journal: ban cryptocurrency to fight ransomware. The fact of the matter is without the ability of the anonymity of crypto we would not have this intense situation now. I know how popular it is. There's, like, a rave going down in Miami this weekend for people wanting crypto. But crypto's popularity is its anonymity, and it seems as if why people like it is they get to hide where their money came from. Sounds like an illegal enterprise to me.
SEN. MARK WARNER:
Well, Chuck, I've got a lot of questions about crypto. There was some good things coming out of distributed ledger technology, but we are seeing now some of the dark underbelly, the challenge is, and that's why I'm focusing more on transparency. The truth is there are ways that we can break through some of these systems, but if we don't have a trans -- if a company is paying, if there's not some transparency of that payment, the bad guys will simply find another way to hide it. So, this is an area where, frankly, again, our country has been behind the international norms. We've gotten better on bipartisan legislation last year, but this debate about crypto and ransomware is just starting. So, that's why in the meantime, let's put in place these transparency requirements.
CHUCK TODD:
All right, there's one other idea out there and it's about going on, more on the offensive against Russia for being a safe harbor and for doing what they did. But I want to show you something here, I hope you can see this graphic. These are all the different ways the United States has tried to confront Russian aggression, going back to 2014. We've ejected them from the, from the G7, right, it's not the G8 anymore. Plenty of sanctions. There have been import restrictions. We've expelled diplomats. We've seized their assets. We've had indictments. None of it has stopped this behavior. What, what would it take, do you think, to curtail Putin's behavior here?
SEN. MARK WARNER:
Well, two things, Chuck. One, I do think we need to have the ability to use some of our offensive capabilities. And we have done a better job on that, if we look at our ability to cut back on some of the Russian election interference. That was because we were willing to punch back. But what we also need and this is why I say we need these level of international norms, so that a country like Russia would know if they are harboring cybercriminals and you're shutting down a healthcare system, for example, the way these cybercriminals did in Ireland recently, there needs to be international repercussions, not simply one off, the United States acting alone. That's why President Biden going and rallying the democracies at the G7 meeting is so important.
CHUCK TODD:
Senator Mark Warner, I'm going to have to leave it there. Chair of the Senate Intel Committee. We will find out in about ten days how well Biden's confrontation goes with Putin. Much appreciated. But I want to continue this conversation --
SEN. MARK WARNER:
Thank you.
BREAK IN TRANSCRIPT
Source