Trump Cyber Czar Brings Deep Expertise but Maybe Some Baggage, Too

Rob Joyce led hacking operations at NSA, which may turn off some businesses wary of post-Snowden links to the intel community.

President Donald Trump’s pick to lead White House cybersecurity policy efforts brings a wealth of experience defending and exploiting computer networks, but he also brings three letters that could make him a tough sell to industry and privacy advocates: N-S-A.

Trump plans to appoint Rob Joyce, chief of the National Security Agency's elite hacking group known as Tailored Access Operations, to manage governmentwide cybersecurity policy and initiatives, two sources with knowledge of the appointment confirmed Monday to Nextgov. The sources requested anonymity because the White House has not made an official announcement.

The appointment will give someone with years of experience penetrating other nations’ cyber defenses a leading role in ensuring U.S. government networks are secured against nation-state attacks.

It will also elevate a former intelligence official into a prominent cyber policy role during a time when industry—which owns the vast majority of the nation’s exploitable digital targets—is increasingly wary of being seen as cooperating with intelligence agencies.

Joyce’s background in intelligence operations won’t be an unconquerable hurdle when working with industry and the privacy and civil liberties community, but it will take some work, those groups said.

“There’s going to be a natural skepticism and social distrust of anyone who comes from NSA and from an intelligence background,” said Tony Sager, senior vice president at the cyber standards and analysis nonprofit CIS, which was formerly known as the Center for Internet Security.

“The only way to get over that is to be engaged so people can see where you’re coming from and that’s what Rob is going to have to do,” said Sager, who knows Joyce and worked in cyber defense at NSA for more than three decades.

Joyce’s appointment was previously reported by Inside Cybersecurity and Politico. The White House did not respond to a Nextgov query about the appointment.

As an NSA official, Joyce likely spent significantly less time in the sort of interagency disputes over funding and priorities that have bedeviled previous cyber coordinators.

And as a technologist, he may also face a longer learning curve on policy issues, Sager said, though he described Joyce as smart, capable and eager to bring multiple different parties to the table and flesh out compromises.

Joyce will also join an administration heavy with Pentagon brass but comparatively short on experience in the civilian government where many debates about the tradeoffs between security and privacy happen.

Other top Trump officials with cyber responsibilities include Homeland Security Secretary Gen. John Kelly, Defense Secretary Gen. James Mattis and National Security Adviser Lt. Gen. H.R. McMaster.

Trump’s homeland security adviser is Tom Bossert, who previously served as deputy homeland security adviser during the George W. Bush Administration.

Some in the privacy and internet security communities are taking a “wait and see” approach on Joyce, said Drew Mitnick, a policy counsel at Access Now who works on cybersecurity and privacy issues.

Joyce’s more than 20-year history at NSA also included a stint as leader of the Information Assurance Directorate, the agency’s top cyber defense wing, giving him a broad background in both network defense and offense.

That deep expertise in network defense could be a great asset in the job, Mitnick said, but NSA’s reputation for secrecy—prior to leaker Edward Snowden’s 2013 release of a trove of NSA documents, the agency’s acronym was often jokingly rendered “No Such Agency”—gives some pause.

“There’s a lack of transparency when it comes to operations at NSA and certainly at TAO,” Mitnick said. “So, to the extent we don’t know all that much about what Rob Joyce did on a daily basis, I’d say there’s certainly a level of uncertainty about it.”

Joyce is perhaps best known to the wider cybersecurity community for a 35-minute presentation at a 2016 conference hosted by the USENIX computing association—an exceedingly rare public appearance for someone in his post.

During that speech, Joyce described the methods nation-states use to hack into each other’s networks as an arduous and fairly boring process of comprehensive research and investigation of adversary networks and nearly nonstop probing.

“Why are we successful? We put the time in to know that network, to know it better than the people who designed it and the people who are securing it, and that’s the bottom line,” he said.

The key for companies and others defending against Joyce’s Russian and Chinese counterparts, he said, also comes down to hard work: knowing their networks better than the attackers do.

That sort of hard work could give Joyce a leg up helping the civilian government secure its networks and advising the private sector—both key attributes of the cyber coordinator’s job during the Obama administration—said Amit Yoran, CEO of Tenable Network Security and former director of the government’s cyber rapid response team, U.S. Computer Emergency Readiness Team.

“Knowing and being informed on how cyber operations work, knowing the art of what is possible, is extremely valuable in helping to develop cyber strategies and inform a successful cyber defense,” Yoran said.

During his speech, Joyce also downplayed the government’s reliance on otherwise unknown vulnerabilities, known as “zero days,” saying NSA relies much more frequently on persistence and grunt work, along with a store of known vulnerabilities and human weaknesses, to do its work.

“A lot of people think … you go out with your master skeleton key and unlock the door and you’re in,” Joyce said of NSA hacking operations. “It’s not that. Any large network, I will tell you that persistence and focus will get you in, will achieve that exploitation without the zero days.”

That assertion seems to have been partially borne out by a recent WikiLeaks release of documents describing CIA hacking tools.

Cyber and privacy advocates have long complained the government isn’t transparent enough about how it decides whether to alert companies to the zero-day vulnerabilities it discovers, so they can patch their systems, or to save those zero days to spy on adversaries.

The government has said it vets zero days with a bias toward disclosure and that it informs companies about more than 90 percent of vulnerabilities.

Access Now’s Mitnick called Joyce’s USENIX speech “a positive step” and a sign NSA and the government more generally might become more transparent about cyber operations and vulnerabilities.

Whether that means a clearer zero-day policy under Joyce’s tenure remains to be seen, he said.
