The choice of Rob Joyce, former head of the National Security Agencys Tailored Access Operations unit as cyber security coordinator puts an experienced offensive cyber operator at the nexus of the nations cyber policy and strategy at a time when nation-state cyber interference is at the forefront of public consciousness.
Joyce succeeds Michael Daniel, who had a public policy, economist and finance background and spent nearly a decade in cyber policy at the Office of Management and Budget and the White House. Joyces background, by contrast, is as an operator in the cyber realm, bringing an intimate understanding of the threat to the forefront of national cyber policy.
As cyber coordinator, Joyce is not the federal chief information security officer (CISO). That post is largely focused on securing the federal enterprise; the cyber coordinator drives policy beyond the federal government. The cyber coordinator is also interested in cybersecurity across the entire digital ecosystem, including private industry, state and local governments and foreign governments, as well. So its a much broader role than what the federal CISO focuses on, says Daniel, who is now president of the Cyber Threat Alliance, a non-profit focused on cyber threat sharing across the industry. There is some degree of overlap and complementarity obviously the cybersecurity coordinator has to care about the security of federal networks but the cybersecurity coordinator has a broader mandate than that.
Little is publicly known about NSAs offensive cyber activities. But in a rare public appearance last August at the USENIX 2016 conference, Joyce described the five steps to a successful cyber intrusion initial exploitation, establish presence, install tools, move laterally and collect/ex-filtrate/exploit and then walked through the weaknesses he and his hackers came across and exploited each day.
If you really want to protect your network, he said then, you really have to know your network. You have to know the devices, the security technologies, and the things inside it. His clear message: His team often knew better than the networks managers. Indeed, while NSA hackers might not understand products and technologies as well as the people who design them, Joyce said they learn to understand the security aspects of those products and technologies better than the people who created them.
You know the technologies you intended to use in that network, he said. We know the technologies that are actually in use in that network. [Theres a] subtle difference. Youd be surprised at the things that are running on a network versus the things you think are supposed to be there.
Penetration-testing is essential, as is follow-up. Joyces OTA regularly conducted Red Team testing against government networks. Well inevitably find things that are misconfigured, things that shouldnt be set up within that network, holes and flaws, he said. The unit reported its findings, telling the network owner what to fix.
Then a few years later, it would be time to test that network again. It is not uncommon for us to find the same security flaws that were in the original report, Joyce said. Inexcusable, inconceivable, but returning a couple of years later, the same vulnerabilities continue to exist. Ive seen it in the corporate sector too. Ive seen it in our targets.
Laziness is a risk factor all its own. People tell you youre vulnerable in a space, close it down and lock it down, Joyce said, reflecting on the fact that network administrators frequently dont take all threats and risks seriously enough. Dont assume a crack is too small to be noted or too small to be exploited. Theres a reason its called advanced persistent threats: Because well poke and well poke and well wait and well wait and well wait, because were looking for that opportunity to [get in and] finish the mission.
As an offensive cyber practitioner, Joyce sought to identify and, when needed, exploit the seams in government and enemy networks. He focused on the sometimes amorphous boundaries where the crack in the security picture might come from getting inside a personal device, an unsecured piece of operational security, such as a security camera or a network-enabled air conditioning system, or even an application in the cloud. Cloud computing is really just another name for somebody elses computer, he said. If you have your data in the cloud, you are trusting your security protocols the physical security and all of the other elements of trust to an outside entity.
Most networks are well protected, at least on the surface. They have high castle walls and a hard crusty shell, he said. But inside theres a soft gooey core.
Figuring out how to protect that core from a national security and policy perspective will be Joyces new focus, and if Daniels experience is any indicator, it will be a challenge.
From his perspective, cybersecurity is only partly about technology. Adversaries tend to get into networks through known, fixable vulnerabilities, Daniel says. So the reason those vulnerabilities still exist is not a technical problem because we know how to fix it its an incentive problem an economics problem. That is, network owners either fail to recognize the full extent of the risks they face or, if they do, may be willing to accept those risks rather than invest in mitigating them.
The challenge, then, is formulating policy in an environment in which the true level of risk is not generally understood. In that sense, Joyces ability to communicate the extent to which hackers can exploit weaknesses could be valuable in elevating cyber awareness throughout the White House.
The NSC is about managing the policy process for the national security issues affecting the US government, Daniel explains. You dont have any direct formal authority over anyone. But you do have the power to convene. You have the power to raise issues to people in the White House. You have the ability to try to persuade and cajole. The background he brings will obviously color what he prioritizes and what he puts his time against. But the role itself will not be dramatically different. understanding how to get decisions keyed up in a way that you can actually get them approved.
Joyces background could affect how this administration views commercial technologies, such as cloud services, mobile technology and other advances that, while ubiquitous in our daily lives, are not yet standard across the federal government.
Trust boundaries now extended to partners, Joyce said a year ago. Personal devices youre trusting those on to the network. So what are you doing to really shore up the trust boundary around the things you absolutely must defend? That for me is what it comes down to: Do you really know what the keys to the kingdom are that you must defend?
National security cyber policy is not just defensive, however, and having a coordinator with a keen insiders understanding of offensive cyber capabilities could have a significant long-term impact on national cyber strategy.
Just as Daniel sees cybersecurity as an incentives, or economics problem, Kevin Mandia, chief executive at the cyber security firm FireEye and founder of Mandiant, its breach-prevention and mitigation arm, sees incentives and disincentives as playing a critical role for cyber criminals and nation-state attackers, alike. Simply put, he says, the risk-reward ratio tilts in their favor, because the consequences of an attack do not inflict enough pain.
Mandia agrees that the first priority for U.S. cyber policy should be self-defense. Every U.S. citizen believes the government has a responsibility to defend itself, he said at the FireEye Government Forum March 15. So first and foremost, our mission security folks must defend our networks. But the second thing the private sector wants is deterrence. We need deterrence for cyber activities.
And in order to develop an effective deterrence policy, he argues, the nation needs fast, reliable attribution the ability to unequivocally identify who is responsible for a cyber attack.
Id take nothing off the table to make sure we have positive attribution on every single cyber attack that happens against U.S. resources, Mandia says. Because you cant deter unless you know who did it. You have to have proportional response alternatives, and you have to know where to direct that proportionate response.
Where Joyce stands on deterrence and attribution is not yet clear, but what is clear is that sealing off the cracks in federal network security is sure to get more intense.
A lot of people think the nation states are running on this engine of zero-days, Joyce said a year ago, referring to unreported, unpatched vulnerabilities. Its not that. Take any large network and I will tell you that persistence and focus will get you in, will achieve that exploitation without the zero days. There are so many more vectors that are easier, less risky and quite often more productive than going down that route.
Closing off those vectors forces threat actors to assume more risk, expose zero-day exploits and operate with less cover. When that happens, the balance of cyber power could finally start to tilt away from the hackers.
Tobias Naegele is the editor in chief of GovTechWorks. He has covered defense, military, and technology issues as an editor and reporter for more than 25 years, most of that time as editor-in-chief at Defense News and Military Times.
See the original post:
What to Expect from the NSA Hacker Turned White House Cyber ... - GovTechWorks
- WikiLeaks' Julian Assange: NSA critics got lucky because agency had no PR strategy [Last Updated On: April 26th, 2014] [Originally Added On: April 26th, 2014]
- National Speakers Association New Jersey Chapter NSA [Last Updated On: April 26th, 2014] [Originally Added On: April 26th, 2014]
- National Security Agency - Wikipedia, the free encyclopedia [Last Updated On: April 26th, 2014] [Originally Added On: April 26th, 2014]
- NSA - Satu Hari Di Bulan Juni (TULUS) (COVER) - Video [Last Updated On: April 26th, 2014] [Originally Added On: April 26th, 2014]
- Full Show: Disband The NSA or; Corruption in the Capitol FO SHIZZLE {aTV002} - Video [Last Updated On: April 26th, 2014] [Originally Added On: April 26th, 2014]
- Hong Kong: Protesters blow whistles for NSA whistle blower - Video [Last Updated On: April 26th, 2014] [Originally Added On: April 26th, 2014]
- An Inside Look at the NSA With Whistleblower William Binney (Part 2 of 2) - Video [Last Updated On: April 26th, 2014] [Originally Added On: April 26th, 2014]
- USA: NSA leaker Snowden is a hero, say Washington protesters - Video [Last Updated On: April 26th, 2014] [Originally Added On: April 26th, 2014]
- ShmooCon 2014: The NSA: Capabilities and Countermeasures - Video [Last Updated On: April 26th, 2014] [Originally Added On: April 26th, 2014]
- NSA ~ (Autodidactism) Whistleblowing - Video [Last Updated On: April 27th, 2014] [Originally Added On: April 27th, 2014]
- The Mises View: Our NSA Economy | Mark Thornton - Video [Last Updated On: April 27th, 2014] [Originally Added On: April 27th, 2014]
- George Galloway's Sputnik: Ewen MacAskill on Guardian / Edward Snowden NSA leaks (26Apr14) - Video [Last Updated On: April 27th, 2014] [Originally Added On: April 27th, 2014]
- Dropping #NSA Knowledge Like a Clumsy Librarian - Video [Last Updated On: April 27th, 2014] [Originally Added On: April 27th, 2014]
- NSA DOCUMENTARY SIX YEARS BEFORE SNOWDEN - Video [Last Updated On: April 27th, 2014] [Originally Added On: April 27th, 2014]
- NSA Knew Of Heartbleed Bug, Refused To Protect Americans - Video [Last Updated On: April 27th, 2014] [Originally Added On: April 27th, 2014]
- Former NSA Head To Become Columnist For Conservative Paper To Discuss Intelligence - Video [Last Updated On: April 27th, 2014] [Originally Added On: April 27th, 2014]
- An Inside Look at the NSA With Whistleblower William Binney (Part 1 of 2) - Video [Last Updated On: April 27th, 2014] [Originally Added On: April 27th, 2014]
- Keynote Address by Shri Shivshankar Menon, NSA at International Seminar on Kautilya - Video [Last Updated On: April 27th, 2014] [Originally Added On: April 27th, 2014]
- NSA WHISTLEBLOWER - TOM DRAKE - Video [Last Updated On: April 27th, 2014] [Originally Added On: April 27th, 2014]
- NSA Wiretapping: A 4th Amendment Violation?: Blake Norvell at TEDxSMU - Video [Last Updated On: April 27th, 2014] [Originally Added On: April 27th, 2014]
- Rucka Rucka Ali Blurred Lines Parody Obama Been Watchin' NSA - Video [Last Updated On: April 27th, 2014] [Originally Added On: April 27th, 2014]
- Hang with Rand: Email Privacy, NSA Spying, and Defending Our Civil Liberties - Video [Last Updated On: April 27th, 2014] [Originally Added On: April 27th, 2014]
- NSA Surveillance and What To Do About It - Bruce Schneier - Video [Last Updated On: April 27th, 2014] [Originally Added On: April 27th, 2014]
- Umfrage: NSA-Spionage und die Bundesregierung | Politik direkt - So ticken die Deutschen - Video [Last Updated On: April 28th, 2014] [Originally Added On: April 28th, 2014]
- CIA & NSA DIRECTED ENERGY WEAPON ATTACK ON WHISTLE BLOWER - Video [Last Updated On: April 28th, 2014] [Originally Added On: April 28th, 2014]
- NSA TARGETED OBAMA, CONGRESS, SUPREME COURT, & THEIR SPOUSES, CHILDREN - Video [Last Updated On: April 28th, 2014] [Originally Added On: April 28th, 2014]
- Book TV - 2014 San Antonio Book Festival: Panel on the NSA, Big Brother, and Democracy - Video [Last Updated On: April 28th, 2014] [Originally Added On: April 28th, 2014]
- READER SUBMITTED: NSA CT April 2014 Meeting [Last Updated On: April 28th, 2014] [Originally Added On: April 28th, 2014]
- NSA Throwdown: John Oliver v. 60 Minutes [Last Updated On: April 28th, 2014] [Originally Added On: April 28th, 2014]
- New water records show NSA Utah Data Center likely behind schedule [Last Updated On: April 28th, 2014] [Originally Added On: April 28th, 2014]
- German opposition says US should destroy Merkel's NSA file - Video [Last Updated On: April 28th, 2014] [Originally Added On: April 28th, 2014]
- MVI 1847 Obama's NSA Denies FOIA About MH 370! - Video [Last Updated On: April 28th, 2014] [Originally Added On: April 28th, 2014]
- NSA Surveillance 2 - Video [Last Updated On: April 28th, 2014] [Originally Added On: April 28th, 2014]
- NSA Surveillance Panel 1 - Video [Last Updated On: April 28th, 2014] [Originally Added On: April 28th, 2014]
- NSA reveals some cyber security flaws are left secret [Last Updated On: April 30th, 2014] [Originally Added On: April 30th, 2014]
- NSA data center uses less water than expected [Last Updated On: April 30th, 2014] [Originally Added On: April 30th, 2014]
- April 2014 Breaking News Do you use Google or Yahoo? NSA Intercepts Google And Yahoo Traffic - Video [Last Updated On: April 30th, 2014] [Originally Added On: April 30th, 2014]
- Rand Paul My Reaction To Judge Ruling NSA Spying On Americans Illegal Is He's Exactly Right - Video [Last Updated On: April 30th, 2014] [Originally Added On: April 30th, 2014]
- Views from the Street on NSA Activities and Liberty (6/6) - Video [Last Updated On: April 30th, 2014] [Originally Added On: April 30th, 2014]
- Views from the Street on NSA Activities and Liberty (3/6) - Video [Last Updated On: April 30th, 2014] [Originally Added On: April 30th, 2014]
- Views from the Street on NSA Activities and Liberty (5/6) - Video [Last Updated On: April 30th, 2014] [Originally Added On: April 30th, 2014]
- Views from the Street on NSA Activities and Liberty (1/6) - Video [Last Updated On: April 30th, 2014] [Originally Added On: April 30th, 2014]
- Germany: NSA may have accidentally outed secret base - Video [Last Updated On: April 30th, 2014] [Originally Added On: April 30th, 2014]
- Dick Cheney Gets Awkward On Fox & Friends Over NSA Spying - Video [Last Updated On: April 30th, 2014] [Originally Added On: April 30th, 2014]
- February 2014 Breaking News Barack Obama Gun control NSA worldwide people control last day - Video [Last Updated On: April 30th, 2014] [Originally Added On: April 30th, 2014]
- MVI 1871 NSA Might Be OnTo Me! - Video [Last Updated On: April 30th, 2014] [Originally Added On: April 30th, 2014]
- ZyXEL NSA 325 v2 Installations-Wizard - Deutsch / German notebooksbilliger.de - Video [Last Updated On: April 30th, 2014] [Originally Added On: April 30th, 2014]
- ZyXEL NSA 325 v2 Hands On - Deutsch / German notebooksbilliger.de - Video [Last Updated On: April 30th, 2014] [Originally Added On: April 30th, 2014]
- CNET Update NSA spy games targeted World of Warcraft ! Byy Adana - Video [Last Updated On: April 30th, 2014] [Originally Added On: April 30th, 2014]
- Supreme Court could weigh in on NSA case, justice says [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- New NSA chief: Agency has lost trust [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- NSA on Heartbleed: 'We're not legally allowed to lie to you' [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- What's The NSA Doing Now? Training More Cyberwarriors [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- Anonymous NSA - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- Cutting off H2O to the NSA - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- Brazil: Greenwald slams US media, shares tips to avoid NSA - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- NSA Interception: Spy malware installed on laptops bought online - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- NSA IS TRYINGG 2 KILL ME FAMS - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- Hacking is NSA's 'growth area,' Times says in agency profile! - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- Judge Napolitano 'It's Time for Congress to Clip the NSA's Wings' - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- Global Economic Crisis 2013 Economic Terrorism, NSA CIA - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- What was more popular on Twitter, NSA, NRA or NBA..today? - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- THE CIA , FBI and NSA Spying Technology is Free and out in the open , DOWNLOAD IT NOW - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- CIS111: NSA Uncovered - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- Views from the Street on NSA Activities and Liberty (4/6) - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- Views from the Street on NSA Activities and Liberty (2/6) - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- Budget 2014 Malaysia mystery NSA listening in - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- NSA misrepresented the scope of its data collection - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- NSA whistleblower Edward Snowden: 'I don't want to live in a society that does these sort - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- NSA: the story of the summer - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- Thinkerview - Interview B Bayart - Neutralit du net, CSA NSA - Video [Last Updated On: May 1st, 2014] [Originally Added On: May 1st, 2014]
- German Chancellor Angela Merkel visits US, after the NSA eavesdropping scandal - Video [Last Updated On: May 2nd, 2014] [Originally Added On: May 2nd, 2014]
- NSA Reveals Planned Police State - US to enter MARTIAL LAW - Video [Last Updated On: May 2nd, 2014] [Originally Added On: May 2nd, 2014]
- NSA spies on more US citizens than Russians Snowden [Last Updated On: May 3rd, 2014] [Originally Added On: May 3rd, 2014]
- THE NEXT NSA?Police under scrutiny for using spying technology [Last Updated On: May 3rd, 2014] [Originally Added On: May 3rd, 2014]
- Ukraine and NSA will test Merkel - Video [Last Updated On: May 3rd, 2014] [Originally Added On: May 3rd, 2014]
- Civil liberty activists say Obama's curb on NSA don't go far enough - Video [Last Updated On: May 3rd, 2014] [Originally Added On: May 3rd, 2014]
- The Latest Attacks On NSA Whistleblower Edward Snowden - Kevin Gosztola Discusses - Video [Last Updated On: May 3rd, 2014] [Originally Added On: May 3rd, 2014]
- NSA proof phone Case - Video [Last Updated On: May 4th, 2014] [Originally Added On: May 4th, 2014]
- Still Report #246 - NSA Classifies MH370 Material - Video [Last Updated On: May 4th, 2014] [Originally Added On: May 4th, 2014]