Rob Joyce, cybersecurity coordinator for the White House, has the opportunity to heal tensions between the intelligence community and the technology industry in the wake of the WannaCry ransomware attack.
Joyce began serving as the chief of the National Security Agency’s Tailored Access Operations (TAO) organization in April 2013 and now focuses on cybersecurity policy on the National Security Council for the Trump administration.
Joyce has served at the NSA for more than 25 years as chief of TAO as well as the deputy director of the Information Assurance Directorate (IAD), where he led efforts to protect the country’s critical security systems.
Tensions between the public and the NSA have mounted since contractor Edward Snowden leaked information about the NSA’s surveillance powers, handled by the TAO team. This term, Congress will have a chance to renew and revise the NSA’s surveillance powers under the Foreign Intelligence Surveillance Act. The NSA’s TAO rarely opens up to the public about what they’re working on, making it a mysterious part of the agency.
“I’m from Tailored Access Operations and I will admit that it is very strange–right–to be in that position up here on a stage, in front of a group of people. It’s not something often done,” Joyce said, when he presented in front of an audience at a USENIX conference in 2016.
Industry leaders have argued that the NSA, CIA, and other spy agencies need to be more open with companies by disclosing the cyber vulnerabilities that they find so that companies can fix them and build stronger networks.
A bipartisan group of senators proposed a bill that would require the NSA to notify a board of experts whenever the agency finds security flaws in a company’s networks. The bill follows a major global cyberattack, which exploited a vulnerability that the NSA found in an old version of Microsoft’s systems.
Joyce said on May 22 he was “amazed” that the ransomware attack did not compromise Federal systems.
“It is essential that government agencies make zero-day vulnerabilities known to vendors whenever possible, and the PATCH Act requires the government to swiftly balance the need to disclose vulnerabilities with other national security interests while increasing transparency and accountability to maintain public trust in the process,” said Sen. Ron Johnson, R-Wis.
The board would be made up of the secretary of Homeland Security, the director of the FBI, the director of the CIA, and other experts. Joyce’s expertise from the NSA and the White House would make him a good candidate for this board.
The NSA finds “zero-day vulnerabilities,” which are flaws in technology that are unknown to the technology company. Usually the government discloses these vulnerabilities to the company so that they can be fixed, but sometimes it retains them in order to exploit them for national security purposes.
Joyce said that the NSA has guidelines available for the best ways to protect private networks that can help companies close off vulnerabilities.
“There’s not the secret sauce that goes beyond that inside the protection of classified material for the U.S. government,” Joyce said. “Look at that guide. It really is solid.”
Joyce also played an influential role in the Cybersecurity Executive Order, which was signed earlier this month. The first section of the order stresses the importance of protecting data held within Federal networks, and says that agency heads will be held accountable by the president for implementing risk management measures. The order also mandates that agencies use the previously voluntary NIST cybersecurity framework.
Active in multiple theaters across the cyber ward, Joyce may have the tonic for government and industry.