On Point: Q&A With Rob Joyce

As the National Security Agency’s (NSA’s) cybersecurity director, Rob Joyce oversees the agency’s Cybersecurity Directorate, which was established to prevent and eradicate cyber threats to the Defense Department, national security systems and the defense industrial base. He has served in both the cybersecurity and signals intelligence missions at NSA since 1989 and worked as the cybersecurity coordinator and acting homeland security advisor at the White House.

What would you say are your—or your team’s—greatest achievements since you started this job?

Our teams have pushed the boundaries of taking our classified insights and our operational cyber tradecraft and sharing it with partners, better defending cyberspace. The Cybersecurity Collaboration Center (CCC) forged new relationships with defense industrial base (DIB) companies and their service providers, entering into ongoing analytic collaboration. The NSA formed an unclassified space that encourages collaboration with industry and goes beyond information sharing and into operational collaboration—goal accomplished. In the first year, we held over 4,000 analytical exchanges with more than 100 partners. The number of partnerships continues to grow because of the value we are providing. We are sharing valuable threat intelligence to all of our partners and are offering no-cost services—such as Protective DNS—to small and medium-sized DIB companies through our DIB cybersecurity program. None of this is compelled, and every single partner engages because we help them secure their company or an even wider swath of their customers. While we take action to secure the DIB, the ripples of the collaboration spread far and improve many other sectors.

What are the most important projects on your desk right now that you can talk about publicly?

Without question, it is the implementation of National Security Memorandum (NSM) 8, “Improving the Cybersecurity of National Security, Department of Defense and Intelligence Community Systems.” NSM-8 provides the NSA with enhanced authorities to protect national security systems, which are systems that contain classified information or are otherwise critical to military or intelligence operations. The new authorities will provide the NSA with greater visibility into the cybersecurity posture of these key systems and will allow us to modernize cybersecurity solutions across the U.S. government. We can push the community toward zero-trust architecture and cloud, increase multifactor authentication and ensure the latest cryptographic algorithms are used for both data-in-transit and data-at-rest encryption.

When the president signed NSM-8, it kicked off a thoughtful, highly coordinated effort at the NSA to deliver on the various implementation tasks that are specified or implied through the memorandum. NSM-8 implementation requires extensive coordination across the U.S. government to develop and communicate roles and responsibilities, processes, recommendations and requirements. Overall, the effort focuses on shining light on areas of insecurity and finding the means to do what we know must be done.

What do you consider the top lessons learned regarding ransomware?

First, we learned that cybersecurity is national security. When criminals in Russia can impact the supply of gasoline to major parts of our country, or the operations of a major meat supplier are disrupted, that is significant. While they may not have intended this scale of disruption, they have demonstrated our vulnerability to those that may seek to hold us at risk.  

Second, we clearly see most ransomware actors are not utilizing overly sophisticated tactics or capabilities to gain access to victim networks. These actors typically rely on methods such as phishing campaigns, stolen or weak passwords and exploiting common vulnerabilities or misconfigurations. Once they gain access, actors often transition to common commercial tools used by cybersecurity penetration testers, such as Cobalt Strike or Metasploit. This tradecraft enables relatively low-skilled actors to quickly infect and encrypt a large number of systems. Most ransomware attacks are opportunistic and motivated by financial gain but are largely ineffective against organizations that have robust cybersecurity mechanisms such as those outlined on the CISA StopRansomware.gov website.

Finally, we observed that we are a force multiplier to others in the ransomware fight. Whether it is foreign partners, FBI, U.S. CYBERCOM [Cyber Command], CISA [Cybersecurity and Infrastructure Security Agency], Treasury, commercial industry and others, our intelligence and technical support can be game-changing. Those close-working partnerships where everyone is bringing capabilities to the table have really helped us counter ransomware efforts.

If you could implement one change to improve cybersecurity of critical infrastructure, what would it be?

If I could wave a magic wand, I would want every company that operates critical infrastructure to appropriately resource their cybersecurity efforts. This includes both having enough capable personnel as well as funding efforts to remove technical debt. Of course, having those trained and experienced personnel means we need a development pipeline of people who can not only defend IT networks, but also have a specialized element that have both operational and cybersecurity knowledge to run and protect ICS/SCADA/OT systems controlling critical infrastructure. Cybersecurity is about people (who operate/manage the system); processes (that people use to monitor/maintain/manage/update the system); and technology (used to compose the system). Often owners and operators know what needs to be done but lack the resources to do the right thing.

What are the most significant trends influencing the future of cyber?

Technology advances will consistently challenge cyber defenders. I would highlight a few different areas that I am tracking as they develop:

The exponential growth and interconnectivity of IoT [Internet of Things] devices, combined with a lack of patching/updating makes them a growing liability.
The integration and centralization inherent in cloud computing offer agility in rapidly closing vulnerabilities but also provides an increased risk for compromise at scale.
Machine learning, AI [artificial intelligence] and big-data analysis will shape opportunities for both attackers and defenders.

Complementing the technology areas are the operational trends:

Rapid operationalization of new public vulnerabilities at scale, especially if aproof-of-concept is available (e.g., log4j)
Specialization of access brokers seeking to penetrate networks and sell the access to those that will monetize it.
The dividing of the Internet into countries seeking free and open exchange of ideas and those countries that seek to control and suppress communication.