In this June 27, 2017, file photo, Secretary of State Rex Tillerson speaks at a 2017 Trafficking in Persons Report ceremony at the State Department in Washington. AP Photo/Jacquelyn Martin

State Dept Will Still Run Int’l Cyber Policy, Even If It Closes Cyber Office

A White House official also outlined how federal agency leaders will be held accountable for network breaches.

The State Department will remain the lead agency negotiating international rules of the road in cyberspace even if the State Department cyber coordinator’s office is moved or restructured, a top White House cyber official said Wednesday.

White House Cyber Coordinator Rob Joyce also defended the government’s hard line against Russian anti-virus maker Kaspersky Lab, detailed White House plans to make agency leaders more accountable for cyber lapses and endorsed a call by Sen. Ron Wyden, D-Ore., to make it harder to spoof government emails during a wide-ranging discussion with reporters outside an industry event. 

Secretary of State Rex Tillerson is reportedly considering folding the cyber coordinator’s office into the department’s Bureau of Economic and Business Affairs after Cyber Coordinator Chris Painter leaves his post at the end of this month.

Painter, a decades-long government cyber hand, has been in the post since former Secretary Hillary Clinton created it in 2011.

There is no final decision about the fate of the office yet, Joyce told reporters on the sidelines of the USTelecom Cybersecurity Policy Forum, but the State Department will retain primary responsibility for most major cyber negotiations.

“I’m certainly counting on the State Department to carry out a lot of the mission [going] forward in doing those norms and doing those international agreements,” Joyce said. “I am confident that Secretary Tillerson is not going to impair cybersecurity.”

Painter’s office represented the U.S. at a series of United Nations Group of Governmental Experts meetings on cybersecurity where representatives from 20 nations, including the U.S., Russia and China, debated how international law should apply in cyberspace and sought agreements on nation state cyber activities that aren’t covered by international law.

The most recent round of those meetings closed last month without consensus among members. In the wake of that outcome, White House Homeland Security Adviser Tom Bossert said the U.S. would pivot to seeking more bilateral agreements on international cyber norms with like-minded nations.

The U.S. also plans to work with allies to hold nations that violate those norms accountable, Joyce said, not mentioning any nations by name. Russia, China, Iran and North Korea have typically topped intelligence leaders’ lists of the United States’ top cyber adversaries.

Joyce didn’t detail precisely how that accountability would work, saying he wants to wait for a report on cyber deterrence that was called for in President Donald Trump’s May cybersecurity executive order and due in August.

Joyce described the government’s deterrence posture more broadly as a “whole of government approach,” echoing a common line from Obama-era cyber officials.

The components of that whole of government approach included Justice Department indictments against key Russian, Iranian and Chinese military and intelligence officials in the wake of cyber strikes and breaches; economic sanctions on Russia and North Korea; and intense diplomatic lobbying of China over its hacking of U.S. companies for economic gain. The Obama administration also implied it might have made cyber counterstrikes against Russia and North Korea but never confirmed that.

The Obama administration successfully reached an agreement with China that neither nation would hack the other’s companies for economic gain—an agreement China has at least partially abided by, cybersecurity firms say. Other elements of the Obama administration’s cyber deterrence plan were less successful and congressional Republicans regularly called for a more muscular deterrence policy.

A Hard Call on Kaspersky

Joyce applauded a decision by the General Services Administration to remove Kaspersky anti-virus from its schedule of approved vendors, making it more difficult for federal agencies to purchase tools from the Moscow-based firm. Intelligence leaders have suggested Kaspersky is too cozy with the Kremlin, a charge founder Eugene Kaspersky and company leaders have vehemently denied.

“I think GSA made a really important hard call based on national security to move forward with that decision,” Joyce said. He declined to say what prompted the decision, saying he could not discuss classified intelligence.

Some elements of industry and the Commerce Department worry the move could prompt other nations to bar U.S. products from their government systems, Joyce acknowledged.

Such a move would not be unprecedented. Germany canceled a government contract with Verizon in the wake of revelations about broad National Security Agency spying by leaker Edward Snowden.

Anti-virus is an immensely powerful tool, which makes intelligence leaders especially nervous about it being used for nefarious purposes.

White House Agrees with Wyden on DMARC

Joyce praised a letter Wyden sent to Homeland Security Department cyber lead Jeanette Manfra Tuesday urging the department to adopt a Domain-based Message Authentication, Reporting and Conformance, or DMARC, system to make it more difficult for fraudsters to spoof department emails.  

“I agree with the senator,” Joyce said. “We had talked to DHS about that and they were under way to do DMARC.”

There are also automated tools that will allow DHS to track what portions of the agency have implemented DMARC and which haven’t, Joyce said.

Here’s What Accountability Looks Like

Trump’s May executive order called for top officials to be held accountable for their departments' and agencies’ cybersecurity, but that doesn’t mean those officials will be fired after a breach, Joyce said.

Instead, the White House will focus on whether appropriate safeguards were put in place before the breach, what decisions the department made about acceptable risk and how the department reacted to minimize damage from the breach, he said.

“There will be breaches in the future,” he said. “The important thing is not ‘have we or have we not been breached.’”

FISMA Far from Finished

Another portion of that order required agencies to adopt a cybersecurity framework the National Institute of Standards and Technology developed for the private sector. However, that requirement won’t supersede existing cyber checklists required by the Federal Information Security Management Act, or FISMA, Joyce said.

“A lot of it will be built off the existing FISMA framework… the existing activities that the [Office of Management and Budget] and [agency inspectors general] do will be the primary mechanism,” he said.

The primary goal of upgrades to the reviews will be ensuring that top levels of government understand and are adequately measuring how much cyber risk agencies have decided to accept in exchange for performance and other priorities, he said.

The War Game Just Got Bigger

The Trump administration also plans to broaden the way it manages cyber war gaming exercises so that planners in government and industry can work out how a catastrophic cyberattack against one sector would affect others, Joyce said during an address at the USTelecom event.

If a major cyberattack against the financial sector disrupted banking transactions, for example, that would likely affect numerous other industries even if they weren’t direct victims of the attack, Joyce said. Cyberattacks against the telecom and energy sectors would be similarly disruptive, he said.

“We [want to] think in a more realistic way about how one sector impacts another,” he said. “We’ll start to work those playbooks, so the day you have a cyber disaster it’s not the first time we’re all talking to each other across sectors.”
