White House cyber czar says push for norms will move to small group of allies

The Trump administration will continue its predecessor's push for the adoption of global norms governing state behavior in cyberspace, but is effectively back-burnering stalled efforts to do so through the United Nations, preferring instead to work with small groups of allied countries, White House cybersecurity czar Rob Joyce said Tuesday.
Rob Joyce speaks at a MassTLC event May 22 in Boston. (MassTLC)

This new “coalition of the willing” strategy seems at odds with the plans apparently developed last week for a joint cybersecurity framework with Russia to combat outside interference and hacking of elections.

“We’re going to be working with like-minded countries to start to enforce the norms that we’ve talked about” — like the one outlawing attacks on critical infrastructure in peacetime — Joyce told a standing-room-only crowd at the Department of Homeland Security Science and Technology Directorate’s cybersecurity R&D showcase. “We’ve got to raise the cost on the attackers … [We’ve got] to start pushing at those norms we know need to be enforced and following up so that we can impose costs and start the deterrence cycle” in cyberspace.

“There’s efforts underway” — as a result of the cybersecurity executive order recently signed by President Donald Trump — “to identify and talk about the partnerships we have and the partnerships we need,” he said, noting he had just returned from Israel.


Setting and enforcing universal norms governing state behavior in cyberspace “is hard to do in a big multinational forum,” he added, apparently alluding to the failure last month of the U.N. Group of Government Experts to reach a non-binding consensus on how international law applies in cyberspace.

Joyce did not address the issue of how the strategy he outlined covers the plan discussed last week on the sidelines of the G-20 summit and tweeted out over the weekend by Trump: To form a joint commission to work with Russia — one of the main U.S. adversaries in cyberspace — on cybersecurity issues.

The plan, which was expounded upon by the secretaries of State and Treasury last week, was greeted with ridicule and derision by everyone from security experts to lawmakers.

“Discussions may still take place, but that’s as far as it is right now,” deputy White House press secretary Sarah Huckabee Sanders told reporters on Monday.

Joyce, a former senior official at NSA who headed the agency’s Tailored Access Operations team of elite hackers, did not take questions after his speech and declined a reporter’s request to expand on his comments.


Although they seem to run counter to the proposal for a cybersecurity “framework” or “unit” with Russia, Joyce’s remarks echo recent comments from other U.S. officials about the administration’s plans in the international arena.

“Norms are for the good guys,” State Department Coordinator for Cybersecurity Chris Painter told a recent conference panel at CyberWeek in Israel.

“While not abandoning our multilateral efforts, the U.S. will move forward internationally in meaningful bilateral efforts” and “will also work with smaller groups of likeminded partners to call out bad behavior and impose costs on our adversaries,” White House homeland security adviser Thomas Bossert earlier told the same event.

In wide-ranging remarks Tuesday, Joyce also addressed what he said was the most urgently looming challenge for cybersecurity — the Internet of Things.

“I tinker with stuff,” said Joyce, who is a regular participant in Punkin Chunkin — an annual contest held in Bridgeville, Delaware, where people build machines to heave pumpkins the furthest possible distance.


“Much to my wife’s chagrin, I am what’s called an early adopter,” he joked, explaining how he also built a device that sends him a text when his laundry is finished.

“Do I need it?” he asked rhetorically, “No. Is it convenient? Yes … but what it means now is, I have to patch my washing machine” to keep its software and operating system updated and safe from internet threats.

“That’s the environment we’re in,” he went on, describing IoT devices as “an amazing amount of stuff connected to the internet, connected to your lives embedded around you … and they’re going to have security flaws.”

The challenge, he said, was: “How do we build a [technology] environment that reflects the fact that we are never going to have perfect security across this [IoT] ecosystem and accounts for [that fact, too] — builds in the ability to defend, the ability to understand, the ability to segment and most importantly probably, to make things resilient so when we have issues we can survive and push through those?”

He said the most important element in any IoT strategy was visibility. “One of the most important things is to go ahead and figure out how do we understand what’s in your [network] environment, because one of my core beliefs is … you can’t defend that which you don’t know.”
