NSA official: new U.S. cyberwar policy isn't the 'Wild West'

Rob Joyce, former White House cyber coordinator and a senior official at the National Security Agency, believes the new U.S. policy governing cyber warfare is more "thoughtful" than some of its critics might think.

Joyce characterized the administration's new process as an update that adds needed authorities based on the assumption that cyberspace needs to be "a contested environment," he said Oct. 23 at a conference hosted by Palo Alto Networks.

"There's the question of how often do you want everybody to get what I call free shots on goal?" said Joyce. "The ability to come in, at a time and place of their choosing, without contest, and rattle the doorknobs and probe the defenses and find out where you're strong and where you're weak."

Joyce pushed back on the idea that the Trump administration's rescission and replacement of Presidential Policy Directive 20, which detailed an interagency process to approve offensive cyber operations developed under the Obama administration, amounted to throwing out the rulebook.

"You can look at things like Presidential Policy Directive 20…we rewrote that recently," said Joyce. "It was characterized at the time as 'we've thrown out PPD-20' and people imagined this is the Wild West where everyone can hack everything. It wasn't, it was a thoughtful rewrite that puts new process and policy in place, improving what we've done for several years based on that experience and knowledge."

In September, White House National Security Advisor John Bolton confirmed that PPD-20 had been replaced but largely declined to go into detail on the new, classified directive.

"I'll just put it this way: for any nation that is taking cyber activity against the United States, they should expect … that we will respond offensively as well as defensively and beyond that, I'm just not going to go [any further] at this point," said Bolton in a conference call with reporters in September.

That general warning, coupled with a lack of details about the new policy led to speculation that the administration unshackled U.S. Cyber Command and the military to run offensive cyber operations without regards to the potential for blowback or unintended consequences.

"We are all standing knee deep in tinder and gasoline with vulnerabilities in cyberspace," said Jason Healey, who served as a cybersecurity official in the Bush White House and a senior fellow at the Atlantic Council's Cyber Statecraft Initiative, in a September conference call with reporters. "So, when I hear someone say that we have to fight fire with fire, I think of a lot of reasons for caution."

In an Oct. 23 blog for Lawfare, Bobby Chesney, a law professor at the University of Texas who specializes in cyber warfare, wrote that it seems clear from guidance Congress gave to the military in the 2018 National Defense Authorization Act "that defense forward entails enhanced escalation risk as compared to a status quo that has often been derided, with good reason, as excessively passive."

Joyce's comments came as the New York Times reported that the U.S. military had begun contacting individual Russian operatives to let them know their activities spreading disinformation in the U.S are being monitored. The story has raised eyebrows about how effective such a campaign would be in deterring malicious nation state cyber activity.

Joyce said he expects the changes announced in September will be just one step in the gradual evolution of U.S. cyber warfare policy that will be continually refined as U.S. operations mature.

"I don't expect this to be the last and best and final cyber operations policy ever," said Joyce. "What it does is it streamlines some of those operations and loosens bureaucracy and we're going to learn in a group going from there."