4 December 2022

NSA cyber director talks threats, opportunities

By JOHN SAKELLARIADIS

— Rob Joyce, director of NSA’s cybersecurity directorate, spoke with MC about his agency’s fight against ransomware, how not to defend the country’s essential infrastructure, a controversial new law in China and a whole lot more. It’s a special, Joyce-heavy edition of MC that’s tailor-made to cure your food coma.

HAPPY MONDAY, and welcome to Morning Cybersecurity! They used to say our Founding Fathers would recoil in horror if they saw modern America.

Then we played the Brits to a 0-0 tie in the group stage of the 2022 World Cup.

Enjoy a Sam Adams on us, Sam Adams. You’re welcome.

Got tips, feedback or other commentary? Send them my way at jsakellariadis@politico.com. You can also follow @POLITICOPro and @MorningCybersec on Twitter. Full team contact info is below.

Want to receive this newsletter every weekday? Subscribe to POLITICO Pro. You’ll also receive daily policy news and other intelligence you need to act on the day’s biggest stories.

RANSOMWARE

DON’T RE-JOYCE YET — The country’s top cyber warriors are dedicating “substantial resources” to combating ransomware, but attack activity is “back to as much or more than the historical norm,” Rob Joyce, director of NSA’s cybersecurity directorate, told MC in a wide-ranging interview that took place shortly before the U.S. turkey population took a sudden and entirely explicable nose-dive.

Following a string of large-scale ransomware attacks last summer, NSA and Cyber Command recognized that extortion-based cybercrime had become a national security issue. To mitigate the problem, they built a “standing organization” comprising NSA and Cyber Command personnel that is “focused exclusively on pursuing ransomware,” said Joyce.

But the government’s new counter-ransomware efforts are not having the impact many hoped, as Joyce acknowledged during the interview.

One part of the problem? — Many cyber criminals operate out of so-called “sanctuary jurisdictions,” or foreign countries that refuse to crack down on domestic cyber criminals, Joyce said.

In addition to Russia, Joyce pointed to North Korea, which “does state-sponsored ransomware,” and China and Iran, which harbor cyber criminals, as drivers of the problem.

“The safe haven that those nations provide is a big problem,” said Joyce. “That is something we’re all looking at and trying to figure out.”

And the other? — Ransomware groups “prey on the undisciplined,” or organizations that have poor cybersecurity practices.

Because the government can’t defend the undefendable, companies have to take on “some element of cyber hygiene,” said Joyce.

“Trying to get the owners of these systems to really be diligent in patching and upgrading” is essential to thwarting extortionists, he added.

Path ahead — NSA is not planning to surge more resources to the ransomware fight, but Joyce was adamant the nation’s cyber warriors are already doing enough.

“There are plenty of other world problems I have to worry about,” said Joyce. Our ransomware work represents “a considerable effort, and it will remain so in the future.”

CRITICAL INFRASTRUCTURE

NO PLACE TO HIDE — Judging by the words of the NSA’s cyber czar, there are serious holes in a common objection to the idea of legislating new protections for the nation’s most vulnerable infrastructure: the fear that producing a list of essential networks would provide a roadmap adversaries could exploit to hold the country hostage.

That’s because foreign intelligence agencies in Russia, Iran, China and North Korea already “know enough to pose a challenge” to the country’s systemically important critical infrastructure, even though the U.S. hasn’t yet produced a definitive list of those entities, said Joyce.

Legislative context — As part of this year’s annual defense bill, Congress is weighing the idea of establishing a system of “benefits and burdens” for the private entities that own and operate SICIs — the vital, dominoes-like entities whose disruption would kick-start a cascade of downstream damage to the U.S. economy.

Due to industry opposition, Congress looks increasingly unlikely to move on that proposal this year. But it is still weighing a precursor idea of creating a shortlist of the nation’s most-critical of critical infrastructure.

Pursuant to an Obama-era executive order, DHS already maintains a similar list, though many are skeptical that it goes into sufficient detail on the nation’s vulnerabilities.

The argument — “I wouldn’t expect [those adversaries] to know every piece of systemically important critical infrastructure” in the U.S., said Joyce, but “there’s a tremendous amount of information out there in open source” they could learn about so long as they have “focus or intent.”

On the flip side, the U.S. shouldn’t place its faith in “security by obscurity” — or the idea that the country can skate by if it keeps those entities hidden.

“You can’t defend a network, if you don’t know a network,” said Joyce, who believes the country still has “homework” to do when it comes to identifying its most vulnerable assets.

One side benefit? — Asked whether such a list might convey to adversaries what targets to avoid, Joyce agreed it could serve as a “useful construct” to help the U.S. establish “where we intend to have norms and red lines” in cyberspace.

Though the Biden administration has warned foreign states about attacking any of the country’s 16 critical infrastructure sectors, the term is so capacious — covering everything from local schools to municipal water facilities — the White House has failed to get foreign states to take its threats seriously.

CYBER WARFARE

NORTH OF THE WALL — “What is the one thing that keeps you up at night?” is a question MC did not ask Director Joyce. Your host has some self-respect.

Nonetheless, I did get Joyce’s take on some state-backed cyber threats that might be affecting his REM cycle:

China’s new law — Joyce said he is not spending too much time worrying about a roughly year-old Chinese law that requires security researchers in China to fork over vulnerability research to the government.

While a slew of Western reports have warned about Beijing’s potential abuse of that law, Joyce argued the legislation represented something of a distraction from the “root challenge” of China’s growing hacking capabilities.

“The thing I worry about is not whether they have a law or not, it’s the capacity to generate exploitable vulnerabilities, and they certainly have that,” said Joyce, who pointed to some of the “devastating flaws” discovered in recent years at the Tianfu Cup, the premier Chinese hacking competition.

Kremlin caution in Ukraine — While it has a history of unleashing devastating cyberattacks without regard for collateral damage, the Kremlin has thus far been “pretty specific” in its offensive hacking efforts and “constrained their impacts inside Ukraine,” said Joyce.

Throughout the war, Russia’s cyber warriors have been “very focused on disrupting Ukrainian capability,” argued Joyce, who included the hack of commercial satellite operator Viasat — at least in the public eye, Russia’s most impactful of the war — as evidence of his point.

Though that attack did spill beyond Ukraine’s borders, its impact was “very much confined to the near-abroad of the Ukrainian conflict,” he said, suggesting, in effect, it represented the (minor) exception that proves the rule.

Wormable exploits — Overall, the NSA has observed a “decline” among foreign states “in the willingness to use large-scale vulnerabilities” to wreak havoc on the internet, said Joyce.

On one hand, after the NotPetya and WannaCry worms of 2017, “I think some folks have looked at that mass exploitation, that mass destruction, as a pretty heinous outcome,” said Joyce.

On the other, it’s becoming harder for adversaries to find single vulnerabilities that can be exploited at such a broad scale. “Often, you have to intentionally chain things together to have a large cascading effect,” said Joyce, referring to the process by which hackers combine multiple exploits in a single attack.

INDUSTRY INTEL

THREAT SHARING — Not yet two years into his tenure as the NSA’s cyber czar, Joyce feels “very bullish” about the trajectory of U.S. cybersecurity policy. A central reason?

“I can’t tell you how much we’ve done in the last year-to-two years with industry,” said Joyce, who said that improved public-private threat sharing has been key to the U.S. government’s course correction on cybersecurity.

Yes, but — Earlier in the interview, Joyce argued that the maturation of CISA and NSA’s intelligence distribution efforts rendered Congress’s proposal of a new threat sharing platform superfluous.

As MC reported last week, NSA’s opposition to the idea of a so-called joint collaborative environment has dimmed chances that the platform for enhanced threat sharing will become law this year.

However, the bill’s proponents aren’t buying Joyce’s critique that the JCE would be “overly constraining” for the NSA or CISA.

Last week, Mark Montgomery, executive director of the Cyberspace Solarium Commission and its successor, the CSC 2.0, told MC the law gives both organizations “wide latitude to develop an information exchange program.”

CYBER WORKFORCE

THE LONG GAME — To really turn things around over the long haul, the U.S. will need to make major investments in the cybersecurity talent pipeline, Joyce said.

He recommends the U.S. consider mandating secure coding courses for computer science students in bachelor’s programs in order to “raise the bar” across the country.

TWEET OF THE WEEKEND

Last week, researchers at cybersecurity firm ESET found evidence that Russia’s premier hacking group was dropping ransomware on Ukrainian critical infrastructure.

Want another reason to despise ‘em? They’re sullying the good name of a Pixar classic:

QUICK BYTES

— With the close of the public comment period, it’s now on CISA to thread the needle in drafting the new cyber incident reporting rule for critical infrastructure. (CyberScoop)

— The review of the “dual-hat” structure ends by highlighting benefits of the arrangement, but it doesn’t offer an official recommendation. (The Record)

— Experts are skeptical Musk can quickly introduce end-to-end encryption at Twitter. (CyberScoop)

— The FCC has approved new bans on Chinese surveillance and telecommunications technology. (NPR)

Chat soon.

Stay in touch with the whole team: Eric Geller (egeller@politico.com); Maggie Miller (mmiller@politico.com); John Sakellariadis (jsakellariadis@politico.com); and Heidi Vogt (hvogt@politico.com).
