LAS VEGAS—It wasn’t so long ago that DefCon attendees enthusiastically engaged in the conference pastime “Spot the Fed”—clearly separating themselves from employees of federal organizations like the National Security Agency, if not demonizing them.
Today, however—five years after the period following Edward Snowden’s whistleblowing leaks of classified NSA documents, a clear low point in the relationship between hackers and the agency—a romance appears to be in bloom.
In front of a packed room of more than 1,000 hackers here on August 10, veteran NSA leader Rob Joyce took the stage at DefCon to explain the agency’s leading concerns. At the heart of his message: The agency’s ability to monitor and counteract international cyberattacks depends on new blood joining its efforts.
Joyce, who has led the agency’s elite Office of Tailored Access Operations and until May served as President Donald Trump’s lead cybersecurity adviser, is expected to become the NSA’s top representative to England, which, despite recently strained relations, remains a strong U.S. ally—notably on the intelligence front.
“Cybersecurity really is a team sport. We, in government, absolutely recognize we can’t do this alone,” he said. “If you look at strengthening cybersecurity, it can’t be something driven out of Washington, D.C. The greatest progress happens from the bottom up, not the top down.”
Joyce has a sober assessment of the issues the NSA deems most important. The agency, he says, is worried about three realms of cyberattacks that often overlap: Nation-state hacking from Russia, China, Iran, and North Korea; cyberattacks against critical infrastructure; and large-scale cybertheft, often in the tens or hundreds of millions of dollars.
“The key aspect for me is in the nation-state arena. The focus has moved from using the realm of cyber to steal secrets, to using that realm to impose national power,” he said. The Office of Personnel Management breach in 2015, which was attributed to China, as well as Russia’s use of VPNFilter to attack infrastructure and its hacking of U.S. elections, he said, are three “notable, big” examples of countries with significant Internet operations using the Internet to demonstrate strength.
Joyce credits diplomatic maneuvers such as the Obama administration’s agreement with China, following the OPM breach, with reducing Chinese cyberattacks against the United States. But as hacking costs drop, he said, organizations and government agencies that never before have had the resources to invest in hacking are becoming able to do so with ease.
That said, Joyce claimed that the agency, long reputed to employ and develop cutting-edge technology, is now as beholden to the whims of Silicon Valley as consumers are. Working within the same digital framework, and on the same intricately connected networks, as commercial organizations means prioritizing the use of commonly recommended security tools, such as two-factor authentication.
“In the past, the U.S. government used to build black boxes, used to have isolated government networks,” he said. “We now live on that same commercial technology that tags industry-critical infrastructures and [that] we, as citizens, live on.”
Joyce did not take audience questions, nor did he address privacy advocates’ criticism of the NSA’s surveillance tactics or the reauthorization earlier this year of Section 702 of the Foreign Intelligence Surveillance Act, the legal underpinning for surveillance programs like Prism and Upstream.
His omissions underscore two of the agency’s biggest current problems, says Richard Forno, director of the Graduate Cybersecurity Program at the University of Maryland at Baltimore County.
“The NSA has been fairly consistent in how they deal with the cyberthreat,” he says. “They know how to engage with industry, with the public, and cyber is a huge part of their success. They’re better than other government agencies.”
However, Forno says, “a presidential candidate requesting the aid of a foreign power is mind-blowing…How must the NSA feel to have had that happen under their watch?” Never mind the president’s habit (with the support of his own party) of publicly undermining U.S. intelligence agencies’ work.
Forno says the agency’s other major challenge is to clearly communicate with other U.S. government agencies about cyberthreats they detect or predict. The separate directives of the Department of Homeland Security, Federal Bureau of Investigation, Central Intelligence Agency, and National Security Agency—and each agency’s desire to take credit for a perceived victory—present a roadblock to better cybersecurity.
“You never want to be in a situation where the left hand doesn’t know what the right hand is doing. There’s a fair amount of rice bowl guarding, and making it worse is federal leadership that blunders from one hiccup to the next,” Forno says.
Joyce wasn’t hard-pressed to come up with a current example of groups with separate directives working well together. Look no further than how hackers at the DefCon Vote Hacking Village, barely into its second year, are helping U.S. politicians grasp threats to U.S. elections.
“Believe me, there are people who’re going to attempt to find flaws in those machines, whether we do it here publicly or not. So, I think it’s much more important that we get out, look at those things, and pull on them,” Joyce said. “One of the reasons I’ve really tried to stay connected with [the] DefCon crowd, and come here every year, is to be a part of some of the creative ideas, the innovation, and the things that are uncovered and learned here.”