The Trump administration’s plan for strengthening the nation’s cyber defenses is starting to come into focus.
Rob Joyce, a special assistant to the president and the White House’s cybersecurity coordinator, spoke in Boston Monday at an event promoting the launch of CyberMA, a Massachusetts affiliate of the national CyberUSA initiative. CyberMA is a MassTLC-led group that aims to boost local cybersecurity innovation, education and workforce development, and readiness against cyber attacks.
Joyce’s visit was timely. Eleven days ago, President Donald Trump signed an executive order laying out a strategy for improving data security for federal agencies and critical U.S. infrastructure, such as the power grid. The next day, a massive ransomware attack, executed via software dubbed WannaCry, affected hospitals, companies, and government entities across the globe.
The WannaCry attack is the latest reminder of the persistent cyber threats that organizations and individuals face every day. Interestingly, Joyce noted after his speech that it appears no U.S. government computers have been affected by WannaCry.
“I was amazed,” he admitted. He said the feds came away unscathed (so far) thanks to government policies requiring prompt software updates and phasing out outdated operating systems—as well as a bit of luck.
Joyce gave an overview of the executive order, and one thing that stood out was he thinks the federal government needs to do more work preparing its response to major cybersecurity breaches, meaning training exercises and crafting a detailed “playbook” that establishes protocols in the event of a cyber attack.
“The federal government does really well in thinking about natural hazards like flood, fire, tornado, hurricanes. We even do a lot on biohazards [and] nuclear hazards,” he said. “We’ve run exercises on cyber, but I don’t think they’re sufficient yet. I don’t think we practice like we’re going to play.”
Joyce, formerly of the National Security Agency, said an initial focus of the executive order will be on working with technology companies to fight distributed denial of service attacks delivered via the growing number of Internet-connected devices.
“We’re going to launch an effort jointly with industry, on a voluntary basis, where we look at driving botnets down and out,” Joyce said. He suggested that when Internet service providers and other industry partners detect malicious traffic, they would “squash” it. “And that’ll be a big deal in protecting our infrastructure.”
After his speech, Joyce took questions from the audience and local journalists. Here are some of the highlights:
—How will the Trump administration’s approach to cybersecurity differ from the Obama administration’s?
“I think the biggest difference is if you look over the last eight years, and even continue to 10 years, there’s been some awesome brainpower put on cybersecurity. There are still some great recommendations [that were] never enacted. I think what you’re going to see is we’re going to have an emphasis toward execution. That’s going to be the difference.”
—Will there be any new ways that the federal government will work with cybersecurity companies, besides grants and customer relationships?
“There is a new effort in this administration called the Office of American Innovation. And inside that, Chris Liddell and Reed Cordish are pulling together a group from industry next month. And so I’m not going to steal their thunder, but I think that will be an excellent place to understand what we’re doing to try to shake some of the bureaucracy and procurement methodology of the past and be a little more into the technology lifecycle that commercial industry is able to propose. And by doing that it does mean that we’ll have to have new vehicles and new ways of working with commercial industry.”
—Will there be any consideration given to companies’ possible ties to foreign countries, such as Russia?
“Make no mistake, the federal government and our critical infrastructure are part of our national security apparatus. In doing commercial inclusion, we have to be very confident that we’re doing the right thing by national security. And so, at times that will mean decisions that we have to focus in on the threats a company may bring.”
—Will the Trump administration’s cybersecurity agenda include pushing legislative action by Congress, or will it be mainly focused on executive orders?
“I think you’ll see both. … We’ll have a good partnership with Congress.”
—Are there any particular sectors that you worry about being vulnerable to cyber attacks?
“I worry about the healthcare industry. Not because they don’t put an emphasis … on this, but because of the pressures they have. If you can invest in replacing all the Windows XP machines throughout a hospital, do you do that or do you hire three additional doctors? It’s a hard trade, and I think there’ll be discussions after the recent ransomware [attack] as to where they set that needle.
“But in the end, we need to consider the lifecycle of cybersecurity. It’s not just about buying those machines, but how do you plan to maintain them, and when do you plan to replace them?”
