At an industry event in Hanover, Maryland last week, former National Security Council cybersecurity policy coordinator and acting Homeland Security Advisor Rob Joyce—now back at the National Security Agency as senior advisor to NSA Director General Paul Nakasone—warned that the US government needs to do more than just counter cyber attacks launched against the US. “We have to impose costs in a visible way to start deterrence,” Joyce told attendees of a February 28 Armed Forces Communications and Electronics Association (AFCEA) chapter meeting, according to a report by CyberScoop’s Sean Lyngaas. “We have to go out and try to make those operations less successful and harder to do.”
Citing the WannaCry and NotPetya malware attacks (attributed to North Korea and Russia, respectively, by US intelligence), along with the Russian hacking and disinformation campaigns in the run-up to the 2016 US presidential elections, Joyce said that state-sponsored cyberattacks have been shifting from “exploitation to disruption.” While electronic espionage continues, attackers have increasingly focused on doing economic damage to the US and its allies, he said.
Joyce spoke as President Donald Trump was bringing his summit with North Korean leader Kim Jong Un to an early close—and as North Korean hackers reportedly continued a 15-month campaign targeting US and European businesses.
The comments by Joyce on the election mirrored those of Gen. Nakasone before the Senate Intelligence Committee on January 29. Nakasone and other officials in the intelligence community and US Cyber Command have warned that the US has to start inflicting a larger cost on state actors using cyberattacks for espionage and to create economic and political disruption.
Joyce expressed the pride the NSA’s workforce took in “delivering a midterm election that was free of malfeasance and interference”—an effort that spanned multiple agencies and reportedly included US Cyber Command efforts to target and take offline individuals associated with Russian disinformation campaigns on social media. And he noted that US agencies are already working hard to prepare to defend the 2020 election.
A Trump administration executive order on cybersecurity last September removed many of the impediments placed by the Obama administration on offensive cyber operations in response to state-funded attacks against US government agencies and businesses. And an update to the Defense Department’s cyber strategy released shortly after the new executive order emphasized DOD’s intent to continuously “defend forward to disrupt or halt malicious cyber activity at its source, including activity that falls below the level of armed conflict.”
While Joyce said that efforts to defend the 2018 elections against disruption were largely successful, he acknowledged that the new strategy has not yet resulted in a change in behavior by other states. “So they’re launching unconstrained operations against us,” Joyce said at the AFCEA event, “and often, the responses come, if ever, after the costs [of those attacks] are already realized.”
Joyce also warned that “cyberspace superiority,” if it was something that could actually be achieved, is “probably fleeting” because of changes in technology, the nature of networks, and the ability of adversaries to observe, understand, and respond to the tools, techniques, and practices used against them.