The White House’s National Security team is expected to issue a report early this week outlining U.S. options for deterring adversaries in cyber space. The report, called for as part of President Donald Trump’s Cyber Executive Order issued last May, is expected to offer a range of options from economic to military measures, to be used against those who choose the fifth domain from which to launch attacks against Americans.
Figuring out a way to keep the adversary from launching an attack in the first place isn’t as easy as it sounds, partly because the range of threats is broad and the intentions of the attackers, diverse. Layer on top of that the differing cyber responsibilities and authorities spread among a handful of government agencies and you begin to see the challenge.
As the White House Cybersecurity Coordinator, Rob Joyce gets to lead the country in figuring it all out. Joyce, who hailed from a career at the National Security Agency, sat down with me recently at his office, just a stone’s throw from the White House, to talk about his new mission.
He was recruited by the National Security Agency as a college intern some thirty years ago, when ‘cyber’ wasn’t even a thing. The biggest challenge in those days was trying to get your head around the utility of IBM’s new ‘laptop’ computer or understanding what made Microsoft Windows 2.0 all that great. Scarcely anyone in the White House back then was focused on how these technological breakthroughs, occurring in the private sector, would lead to a wide array of threats to Americans today. But a career at the most secretive of the U.S. intelligence agencies has trained him well.
Before joining the White House, Joyce worked his way up through the ranks of the NSA. At one time, he was named head of the ‘Tailored Access Operations’ unit. The engineer from a one-stoplight town had become one of the world’s best hackers. Now, he’s a significant part of the country’s cyber leadership, tasked with making sure the country does a better job of protecting its secrets, among other things.
“The OPM breach showed us how heinous it is when we lose large volumes of data,” said Joyce from a conference room in the Eisenhower Executive Office Building. “Think if that were Social Security or the IRS, how much even more damaging that would be to the people.”
The threat that Joyce is most concerned about today though, on a long list of significant threats to be concerned about, is protecting the country’s critical infrastructure. And tackling that requires introducing one more partner into cyber conversations. A partner outside his alphabet soup of government agencies.
“The vast majority of the U.S. critical infrastructure isn’t run by the government, it’s run by companies, so we have to have a close partnership,” said Joyce, telling me that the USG has to make sure the private sector is “practiced and ready to be resilient in the face of both cyber threats and natural disasters.”
Joyce acknowledges that the government has to be willing and able to bring its capabilities to the table to help companies respond to the threats they face. When Joyce and I sat down to talk, he had just come from a meeting with industry CEOs who regularly come together to offer advice and counsel to the USG on issues where the government can be a better partner, and get enough traction around some of the better ideas, to turn them into policy that will protect the country. Joyce also wants to see the companies make faster progress toward sharing information with each other to better protect against threats.
“The chances are that when a threat hits one, it is going to be targeted against multiple (companies),” said Joyce.
Private sector executives have complained for years though, that working with the White House is a one-way street, saying bluntly that the government is happy to take information, but not very good at sharing much back. Some executives of global companies have thrown their hands up in exasperation, and Joyce says he understands why.
“It has to change, right? We have to respond at cyber speed. The idea that we can convene a meeting and talk back to a company about a threat or a vulnerability or something that we run through a committee, just isn’t responsive enough to defend the nation. We have to get to the point where we have come up with automated ways to share data, share capabilities, and communicate about threats in a way that equips the companies to respond.”
That means figuring out quickly what to share, how to share it and who to share it with. Joyce remains optimistic that it can be done, though realistic that it will take time to figure out a process that will stick.
There is another issue on the near horizon that Joyce is worried about. Section 702 of the Foreign Intelligence and Surveillance Act is up before Congress for renewal at the end of the year.
“It’s really important both to me and Tom Bossert, the Assistant to the President on Homeland Security and Counterterrorism,” said Joyce. “This is such an important tool for counterterrorism. You will hear him endorsing this and the administration endorsing the need for a reauthorization, and a reauthorization that doesn’t change the bill. We also think that we have shown over the course of ten years now that we have been responsible in using that authority. There has been no intentional misuse and no need to sunset it.”
What does Joyce think the morning after would look like for the country, if the bill is not reauthorized?
“The morning after, we lose a really vital intelligence production capability,” says Joyce. “We are going to be at a higher counterterrorism risk. We are going to lose a capability that informs on a number of national security issues, to include cybersecurity.”
As for the closer term, you’ll get a strong sense of Joyce’s thinking on just what will deter an adversary from launching a cyber attack against the U.S. this week, when the cyber deterrence report is released.