By B.L. Wilson
When you look at the 2015 hacking of the United States Office of Personnel Management, in which the personal data of 20 million Americans was stolen,
Rob Joyce, the new cyber coordinator at the National Security Agency, said anyone who does information technology understands the government needs to put more effort into security and modernization.
“This year, the trend line continues the advantage going to offense,” Mr. Joyce said. The power grid, communications and financial systems are all vunerable to attack, he said. “That’s a scary thing when you think about critical infrastructure.”
The remarks came Friday at the George Washington University’s Center for Cyber and Homeland Security conference on U.S. cyber policy, called “Today’s Challenges, Tomorrow’s Solutions,” co-sponsored by Northrop Grumman. Mr. Joyce stood in for Thomas Bossert, assistant to the president for homeland security and counterterrorism, who was called away to deal with the devastating effects of Hurricane Maria in Puerto Rico.
A May 2017 executive order calls for the strengthening and modernization of government networks against cyber security risks. Critical infrastructure resiliency, Mr. Joyce emphasized, is very important.
“You can’t assume that offense won’t get through the defenses we put up. So you have to have capabilities to find and cover intrusions as fast as you can, minimize and localize the impact of those intrusions and then,” he said, “recover and recover quickly.”
In a wide-ranging discussion with GW’s CCHS Associate Vice President and Director Frank Ciluffo that covered cyber policy, deterrence and the sharing of information with the private sector and U.S. allies, Mr. Joyce explained that major sectors of the infrastructure had priority, such as power grids on which communications, energy and financial services all depend.
Many of these entities involve collaboration with commercial and private industry that have called for more sharing of government information that is often constrained by the intelligence sources and methods government agencies use.
New technology presents both an opportunity and a threat, he said, and the administration comes down the middle in allowing market forces to drive innovations in the Internet of Things, botnets and encryption devices that protect privacy and national security, even though he said he would like to see standards put in place.
“Strong encryption is good for the nation. We need it for business, our personal privacy, and we need it for protections of the national security side,” he said. That has to be balanced with providing access to information when a court orders it. “There is a really important part for the rule of law.”
As a deterrent, Mr. Joyce said, the U.S. government will not hesitate to impose costs against bad actors beyond U.S. borders. “You will continue to see us indict even when at times we can’t bring people to justice,” he said. “It is a powerful diplomatic message.”
He acknowledged that there is a growing problem with the misuse of social media but is encouraged that companies such as Twitter and Facebook appear to be responding to the threat.
The conversation in the City View Room at the Elliott School of International Affairs was followed by a discussion with George Barnes, the deputy director of the National Security Agency. Mr. Ciluffo noted that the NSA has been “doing cyber long before it was cool.”
The NSA is undergoing an overhaul to break down boundaries between its foreign intelligence component and the information assurance authority, which protects against hacking—a separation that Mr. Barnes said created weaknesses.
“When [people like Rob Joyce] went from being on the intelligence side to the information assurance side,” Mr. Barnes said, “a lot of the intelligence stream they had become conditioned to receive just routinely was shut off.”
When Mr. Barnes joined the NSA 30 years ago, he had few counterparts in the commercial sector. That’s changed. However, the United States is not graduating enough people with degrees in computer science, engineering and mathematics at rates comparable to a country such as China.
“It is a national security risk,” he said.
Mr. Ciluffo said that the GW conference made clear cyber security policies need to keep up with constantly advancing technology. “Right now [U.S. security agencies] are behind,” he said.
While the government is catching up, he said, “It should create the right environment to allow the private sector on the front line of this battle to get their jobs done.”
