The White House’s cybersecurity coordinator told an internet security conference Monday that the Trump administration won’t be expecting “international consensus” in every instance as it forges ahead with an agenda to combat hackers.
The May WannaCry ransomware attack, the June NotPetya malware attacks on Ukraine, and the Equifax data breach made 2017 an “unprecedented year of attacks” that required the administration to be on the “balls of our feet,” Rob Joyce, special assistant to the president and former head of the National Security Agency’s office of Tailored Access Operations, told the Institute for Critical Infrastructure Technology’s Winter Summit in Arlington, Va.
In May, President Trump issued an executive order to strengthen the cybersecurity of federal networks, critical infrastructure, and national stakeholders, including improving deterrence skills. The Justice Department and FBI, Joyce said, have put in a “huge amount of effort… on cyber criminals.”
“While we’re all concerned about cybercrime in the security of our networks, we’re also really concerned about other countries around the world creating this convoluted patchwork of laws and regulations that impact our ability to move data,” he said, affecting how entities interact and “what we’re expected to protect and store.”
“All of these things drive us to Balkanization … everybody builds a walled garden,” he added.
Joyce said that if “unintelligible regulations” remain unchecked “we’re going to see this as a huge global problem over the next couple of years.”
As an example, he noted that if a warrant is presented to Microsoft, the company is “happy to supply data held in the U.S., but if some of that data is in a cloud in Ireland they’ll say [they] don’t have the authority even though it’s Microsoft’s.”
“Our legal structure is now not responsive to the way the plumbing of the internet is wired,” he said.
At the same time, Joyce acknowledged, greater access to information has to come with protection for people from authoritarian regimes, offering as an example China trying to seek info on dissidents. The answer, he said, is the secretary of State reviewing requests to ascertain who has a good human rights record, starting with the 2016 U.S.-UK data sharing agreement framework and seeing “who else can pass that bar.”
“This is really an example of where U.S. leadership can change the shape of what we’re doing on the internet,” he said.
Human Rights Watch warned last year that the U.S.-UK deal could open the floodgates for increased access to private information, as U.S. law blocks internet companies from directly turning over user communications to foreign governments and those requesting the info have to prove probable cause in a lengthy process. “Internet users should assess whether their domestic system would adequately prevent their government from abusing the arrangement, and whether local law enforcement can be held accountable, given how much more data would be available to them under the deal,” the group said.
On mounting cyberattacks, Joyce posed the question of how deterrence can be most effective when “doing bad things on the internet generally brings you more value than the expected cost.”
Battling the mentality that hackers won’t face consequences for their actions requires judicial indictments, arrests, sanctions and secondary sanctions, and “naming and shaming,” the Trump adviser said.
Joyce said the U.S. will partner with other nations in the effort “where possible, but we can’t strive for international consensus in every case.” America has to “call out the bad behavior where others won’t,” he added.
Private industry can do more to address the risk, he said, likening cybersecurity lapses to the negligence of people who leave their cars unlocked, even in a nice neighborhood, and get valuables swiped from within. “It starts all the way down at the fundamentals,” he said, with putting the investment “in doing the things we know how to do — simple things” like two-factor authentication.
“People jiggling the doorknobs can’t come up and see the problems you have,” he said.
Offensive cyber ops have “to be used at the right place, right time” as a “sparing solution” in a time when the U.S. “can’t be certain about where these threats and capabilities are going to head,” Joyce said.