President Donald Trump’s “cyber czar” said Monday he was surprised that the recent WannaCry global ransomware attack had not compromised federal government computer systems, and he said he worries about future attacks on power grids and hospitals.
Rob Joyce, who worked for 27 years at the National Security Agency before joining the Trump White House, said that financial firms have greater “agility” to invest in cybersecurity than heavily regulated utilities.
“In a regulated industry you only have so much you can invest,” said Joyce, who visited Boston for the launch of CyberMA, a platform for collaboration that was promoted by the Massachusetts Technology Leadership Council.
At a talk held at the law firm Foley Hoag, Joyce said he was “amazed” that the ransomware that held data hostage in outdated and unlicensed computer systems around the globe did not compromise federal systems. He credited federal policies requiring relatively swift installation of critical software patches with helping to defend against the malware.
“I was amazed that across the federal government we don’t know of a single occurrence of the WannaCry ransomware encrypting a box,” Joyce told reporters. “So if you told me that a week ago that we’d have some massive worm and it it would be pervasive on old technology and effective in that space – that it would have occurred and hit us – I would have told you, ‘We’ll absolutely suffer under that.'”
Joyce, who is the special assistant to the president and cybersecurity coordinator for the White House, told reporters the disruption caused by the ransomware was “preventable” if people used the most up-to-date operating systems, and he said the U.S. government also got “a little lucky” in avoiding the ill effects. He said even though the outdated Windows XP operating system isn’t allowed on federal government computers, it is still used on some.
Last year, hackers allegedly tied to the Russian government broke into the Democratic National Committee’s computer network as part of a campaign to harm Democratic nominee Hillary Clinton’s political prospects and aid Trump’s candidacy, the outgoing Obama administration announced after the breach.
Joyce said that one of his takeaways from the hack of the party’s computers was that victims of cyber-intrusions “don’t understand when they’re a target.” He also said it is basically impossible to completely defend against a well-resourced hacker determined to break into a system.
Former FBI Director Robert Mueller was appointed by the Department of Justice last week to lead an investigation into any possible links between Trump’s campaign and the Russian government.
Despite publicly aired suspicions of North Korea’s involvement in WannaCry, Joyce said he did not think there has been “attribution” for that ransomware yet, and he said that when the U.S. government does attribute a cyber-attack to another country it does so with high confidence even if officials withhold from the public some of the evidence that goes into that assessment.
There have also been reports that the WannaCry perpetrators relied on code developed by Joyce’s former employer, the NSA, obtained by a group known as Shadow Brokers.
Cameron Kerry, an attorney at the firm Sidley Austin and a former official in the Commerce Department, asked Joyce about the federal government’s decisions about whether to alert companies to software vulnerabilities that could be exploited by American intelligence agencies or outside hackers.
Joyce said he chairs the Vulnerabilities Equities Board that considers those types of questions, and said the board favors “defense” against vulnerabilities, but in some some circumstances the government needs the capability to use the discovered weak point for intelligence-gathering purposes.
“There will be occasions where for national security we need a capability to go out and do some collection, and so that’s where we make non-black-and-white decisions about where a vulnerability needs to be withheld,” Joyce told the audience. He said officials are in discussion with members of Congress about proposals to codify some of those internal processes in federal law.
Health facilities can be vulnerable to cyber-attacks because a complicated piece of medical equipment that took years to develop might rely on an older operating system, Joyce said. He said hospitals also sometimes face the tough choice between upgrading operating systems throughout the facility or hiring more health professionals.
Hans Olson, assistant undersecretary for homeland security in Massachusetts, asked Joyce what role he sees states playing in cyber-security.
“States have an important role, especially as it relates to our critical infrastructure. Much of the critical infrastructure is supported or regulated by the states,” Joyce responded, saying he “worries” about the power industry. He said, “Get to intimately know the critical infrastructure folks and ask them what they need in terms of state support, state regulation or even regulation relief.”
Gov. Charlie Baker has said he worries about cyber-security and the Senate recently created a cyber-security committee led by Millbury Sen. Michael Moore.
Throughout the federal government, lower profile agencies such as the Bureau of Reclamation, which manages hydropower, can have more difficulty recruiting people to work on the security of their computer systems than the bigger departments, Joyce said. He said he is working on a way to share cyber-security resources across federal agencies.
Even the best cyber-security technology can be undermined by people using the systems, Joyce pointed out.
“You can make a system so secure that it’s insecure because people won’t use it,” Joyce said.