Citing Mirai and WannaCry as recent examples, Rob Joyce, special assistant to the president and cyber security coordinator for the White House, said the global landscape of cyber threats can’t be ignored and the U.S. needs to sharpen its defenses when it comes to fending off attacks.
“If you step back and look at the trend lines for cybersecurity, they are going the wrong way. You only have to look at last week at WannaCry to understand,” Joyce said during a talk sponsored by Massachusetts Technology Leadership Council.
Last week, President Donald Trump signed an executive order that prioritizes the protection of federal networks, critical industries and works to implement the NIST Framework. It’s Joyce’s job to carry it out. Joyce, former chief of the NSA’s office of Tailored Access Operations, was tapped by Trump in March for the role.
“The Trump administration signed an executive order that allows us to get our legs underneath us in terms of cybersecurity,” he said. “With this executive order we are going to step back and we are going to manage the federal government’s IT activity as a single enterprise. Even though we are talking millions-upon-millions of assets and thousands-upon-thousands of networks, we are going to step back and try to view it as a sum total of risks.”
Joyce said Trump’s cybersecurity executive order consisted of three main pillars, or priorities. One included securing the federal networks. Joyce said that pillar shared many of the same challenges of private enterprise faces, from difficulties in finding qualified cybersecurity professionals, handling risk between agencies and being able to defend against hacks and contain breaches should they happen.
“We know we aren’t going to be able to defend against all breaches. So we need to have methods for detecting early and defend against them and compartmentalize them so that breaches don’t cascade into massive data losses… We need to able to take hits and contain damage and restore capability quickly,” he said.
The second pillar is working with private industry to make sure portions of the United States’ privately owned critical infrastructure, made of 16 sectors, can defend against attacks and rebound if it should take a hit.
“So, with those interrelated and interdependent systems, we understand our critical infrastructure is probably not in the state we need to be to survive a deliberate or natural hazard,” he said.
Part of working with private industry will include an initial focus on defending against Mirai-like DDoS attacks and mitigating against IoT botnets. “Recent events, Mirai botnet and others, showed how just how vulnerability we are to technologies that have been pushed into the ecosystem–often without really strong plans for security.”
Joyce added that much of the Trump’s cybersecurity focus would also include working with private companies to better identify APTs and improve the amount of sharing between government and private companies.
Lastly, strengthening cyber defenses and boosting deterrence was another priority along with reaching out to other countries to fight global threats.
“It’s going to take a coalition of like-minded countries to advance the global common space we have here,” he said. “We will be looking to foster an open interoperable, reliable and secure global internet that benefits the U.S. and the rest of the world. We built the internet and gave it to the world, we think it’s very important that it continues to reflect our values.”
In his hour-long address, Joyce also touched on hot button topics such as net neutrality and recent proposed changes to the Vulnerabilities Equities Process.
“When you look at net neutrality, that is one of the sticky decisions that has to be made in the regulator space… But, we have to find a balance point between what we have today and allow some changes… If you are just are going to have a pipe that lets everything straight through, you are inviting people through your unlocked door,” Joyce said.
He said that government and private service providers can’t be hamstrung in cases where internet traffic used for malicious purposes must be left alone.
When asked about the Vulnerabilities Equities Process, Joyce said he was noncommittal about pending changes, however leaned toward the status quo.
“There is a process to legislate the VEP. We are working with Congress about that right now. I do have some concerns because legislators are talking about giving authority to a non-neutral entity. I think the processes right now gives us the balance where we don’t have the offense or the defense with too much thumb on the scale.”