President Donald Trump’s pick to lead White House cybersecurity policy efforts brings a wealth of experience defending and exploiting computer networks, but he also brings three letters that could make him a tough sell to industry and privacy advocates: N-S-A.
Trump plans to appoint Rob Joyce, chief of the National Security Agency's elite hacking group known as Tailored Access Operations, to manage governmentwide cybersecurity policy and initiatives, two sources with knowledge of the appointment confirmed Monday to Nextgov. The sources requested anonymity because the White House has not made an official announcement.
The appointment will give someone with years of experience penetrating other nations’ cyber defenses a leading role in ensuring U.S. government networks are secured against nation-state attacks.
» Get the best federal technology news and ideas delivered right to your inbox. Sign up here.
It will also elevate a former intelligence official into a prominent cyber policy role during a time when industry—which owns the vast majority of the nation’s exploitable digital targets—is increasingly wary of being seen as cooperating with intelligence agencies.
Joyce’s background in intelligence operations won’t be an unconquerable hurdle when working with industry and the privacy and civil liberties community, but it will take some work, those groups said.
“There’s going to be a natural skepticism and social distrust of anyone who comes from NSA and from an intelligence background,” said Tony Sager, senior vice president at the cyber standards and analysis nonprofit CIS, which was formerly known as the Center for Internet Security.
“The only way to get over that is to be engaged so people can see where you’re coming from and that’s what Rob is going to have to do,” said Sager, who knows Joyce and worked in cyber defense at NSA for more than three decades.
As an NSA official, Joyce likely spent significantly less time in the sort of interagency disputes over funding and priorities that have bedeviled previous cyber coordinators.
And as a technologist, he may also face a longer learning curve on policy issues, Sager said, though he described Joyce as smart, capable and eager to bring multiple different parties to the table and flesh out compromises.
Joyce will also join an administration heavy with Pentagon brass but comparatively short on experience in the civilian government where many debates about the tradeoffs between security and privacy happen.
Other top Trump officials with cyber responsibilities include Homeland Security Secretary Gen. John Kelly, Defense Secretary Gen. James Mattis and National Security Adviser Lt. Gen. H.R. McMaster.
Trump’s homeland security adviser is Tom Bossert, who previously served as deputy homeland security adviser during the George W. Bush Administration.
Some in the privacy and internet security communities are taking a “wait and see” approach on Joyce, said Drew Mitnick, a policy counsel at Access Now who works on cybersecurity and privacy issues.
Joyce’s more than 20-year history at NSA also included a stint as leader of the Information Assurance Directorate, the agency’s top cyber defense wing, giving him a broad background in both network defense and offense.
That deep expertise in network defense could be a great asset in the job, Mitnick said, but NSA’s reputation for secrecy—prior to leaker Edward Snowden’s 2013 release of a trove of NSA documents, the agency’s acronym was often jokingly rendered “No Such Agency”—gives some pause.
“There’s a lack of transparency when it comes to operations at NSA and certainly at TAO,” Mitnick said. “So, to the extent we don’t know all that much about what Rob Joyce did on a daily basis, I’d say there’s certainly a level of uncertainty about it.”
Joyce is perhaps best known to the wider cybersecurity community for a 35-minute presentation at a 2016 conference hosted by the USENIX computing association—an exceedingly rare public appearance for someone in his post.
During that speech, Joyce described the methods nation-states use to hack into each other’s networks as an arduous and fairly boring process of comprehensive research and investigation of adversary networks and nearly nonstop probing.
“Why are we successful? We put the time in to know that network, to know it better than the people who designed it and the people who are securing it, and that’s the bottom line,” he said.
The key for companies and others defending against Joyce’s Russian and Chinese counterparts, he said, also comes down to hard work: knowing their networks better than the attackers do.
That sort of hard work could give Joyce a leg up helping the civilian government secure its networks and advising the private sector—both key attributes of the cyber coordinator’s job during the Obama administration—said Amit Yoran, CEO of Tenable Network Security and former director of the government’s cyber rapid response team, U.S. Computer Emergency Readiness Team.
“Knowing and being informed on how cyber operations work, knowing the art of what is possible, is extremely valuable in helping to develop cyber strategies and inform a successful cyber defense,” Yoran said.
Joyce also downplayed the government’s reliance on otherwise unknown vulnerabilities known as “zero days,” during his speech, saying NSA relies much more frequently on persistence and grunt work along with a store of known vulnerabilities and human weaknesses to do its work.
“A lot of people think … you go out with your master skeleton key and unlock the door and you’re in,” Joyce said of NSA hacking operations. “It’s not that. Any large network, I will tell you that persistence and focus will get you in, will achieve that exploitation without the zero days.”
That assertion seems to have been partially stood up by a recent WikiLeaks release of documents describing CIA hacking tools.
Cyber and privacy advocates have long complained the government isn’t transparent enough about how it decides whether to alert companies when it discovers zero-day vulnerabilities so they can patch their systems or to save those zero days to spy on adversaries.
The government has said it vets zero days with a bias toward disclosure and that it informs companies about more than 90 percent of vulnerabilities.
Access Now’s Mitnick called Joyce’s USENIX speech “a positive step” and a sign NSA and the government more generally might become more transparent about cyber operations and vulnerabilities.
Whether that means a clearer zero-day policy under Joyce’s tenure remains to be seen, he said.