A White House official also outlined how federal agency leaders will be held accountable for network breaches.
The State Department will remain the lead agency negotiating international rules of the road in cyberspace even if the State Department cyber coordinator’s office is moved or restructured, a top White House cyber official said Wednesday.
White House Cyber Coordinator Rob Joyce also defended the government’s hard line against Russian anti-virus maker Kaspersky Lab, detailed White House plans to make agency leaders more accountable for cyber lapses and endorsed a call by Sen. Ron Wyden, D-Ore., to make it harder to spoof government emails during a wide-ranging discussion with reporters outside an industry event.
Secretary of State Rex Tillerson is reportedly considering folding the cyber coordinator’s office into the department’s Bureau of Economic and Business Affairs after Cyber Coordinator Chris Painter leaves his post at the end of this month.
Painter, a decades-long government cyber hand, has been in the post since former Secretary Hillary Clinton created it in 2011.
There is no final decision about the fate of the office yet, Joyce told reporters on the sidelines of the USTelecom Cybersecurity Policy Forum, but the State Department will retain primary responsibility for most major cyber negotiations.
“I’m certainly counting on the State Department to carry out a lot of the mission [going] forward in doing those norms and doing those international agreements,” Joyce said. “I am confident that Secretary Tillerson is not going to impair cybersecurity.”
Painter’s office represented the U.S. at a series of United Nations Group of Governmental Experts meetings on cybersecurity where representatives from 20 nations, including the U.S., Russia and China, debated how international law should apply in cyberspace and sought agreements on nation state cyber activities that aren’t covered by international law.
The most recent round of those meetings closed last month without consensus among members. In the wake of that outcome, White House Homeland Security Adviser Tom Bossert said the U.S. would pivot to seeking more bilateral agreements on international cyber norms with like-minded nations.
The U.S. also plans to work with allies to hold nations that violate those norms accountable, Joyce said, not mentioning any nations by name. Russia, China, Iran and North Korea have typically topped intelligence leaders’ lists of the United States’ top cyber adversaries.
Joyce didn’t detail precisely how that accountability would work, saying he wants to wait for a report on cyber deterrence that was called for in President Donald Trump’s May cybersecurity executive order and due in August.
Joyce described the government’s deterrence posture more broadly as a “whole of government approach,” echoing a common line from Obama-era cyber officials.
The components of that whole of government approach included Justice Department indictments against key Russian, Iranian and Chinese military and intelligence officials in the wake of cyber strikes and breaches; imposing economic sanctions on Russia and North Korea, and intense diplomatic lobbying of China over its hacking U.S. companies for economic gain. The Obama administration also implied it might have made cyber counterstrikes against Russia and North Korea but never confirmed that.
The Obama administration successfully reached an agreement with China that neither nation would hack the other’s companies for economic gain—an agreement China has at least partially abided by, cybersecurity firms say. Other elements of the Obama administration’s cyber deterrence plan were less successful and congressional Republicans regularly called for a more muscular deterrence policy.
A Hard Call on Kaspersky
Joyce applauded a decision by the General Services Administration to remove Kaspersky anti-virus from its schedule of approved vendors making it more difficult for federal agencies to purchase tools from the Moscow-based firm. Intelligence leaders have suggested Kaspersky is too cozy with the Kremlin, a charge founder Eugene Kaspersky and company leaders have vehemently denied.
“I think GSA made a really important hard call based on national security to move forward with that decision,” Joyce said. He declined to say what prompted the decision, saying he could not discuss classified intelligence.
Some elements of industry and the Commerce Department worry the move could prompt other nations to bar U.S. products from their government systems, Joyce acknowledged.
Such a move would not be unprecedented. Germany canceled a government contract with Verizon in the wake of revelations about broad National Security Agency spying by leaker Edward Snowden.
Anti-virus is an immensely powerful tool, which makes intelligence leaders especially nervous about it being used for nefarious purposes.
White House Agrees with Wyden on DMARC
Joyce praised a letter Wyden sent to Homeland Security Department cyber lead Jeanette Manfra Tuesday urging the department to adopt a Domain-based Message Authentication, Reporting and Conformance, or DMARC, system to make it more difficult for fraudsters to spoof department emails.
“I agree with the senator,” Joyce said. “We had talked to DHS about that and they were under way to do DMARC.”
There are also automated tools that will allow DHS to track what portions of the agency have implemented DMARC and which haven’t, Joyce said.
Here’s What Accountability Looks Like
Trump’s May executive order called for top officials to be held accountable for their departments' and agencies’ cybersecurity, but that doesn’t mean those officials will be fired after a breach, Joyce said.
Instead, the White House will focus on whether appropriate safeguards were put in place before the breach, what decisions the department made about acceptable risk and how the department reacted to minimize damage from the breach, he said.
“There will be breaches in the future,” he said. “The important thing is not ‘have we or have we not been breached.’”
FISMA Far from Finished
Another portion of that order required agencies to adopt a cybersecurity framework the National Institute of Standards and Technology developed for the private sector. However, that requirement won’t supersede existing cyber checklists required by the Federal Information Security Management Act, or FISMA, Joyce said.
“A lot of it will be built off the existing FISMA framework… the existing activities that the [Office of Management and Budget] and [agency inspectors general] do will be the primary mechanism,” he said.
The primary goal of upgrades to the reviews will be focused on ensuring top levels of government understand and are adequately measuring how much cyber risk agencies have decided to accept in exchange for performance and other priorities, he said.
The War Game Just Got Bigger
The Trump administration also plans to broaden the way it manages cyber war gaming exercises so that planners in government and industry can work out how a catastrophic cyberattack against one sector would affect others, Joyce said during an address at the USTelecom event.
If a major cyberattack against the financial sector disrupted banking transactions, for example, that would likely affect numerous other industries even if they weren’t direct victims of the attack, Joyce said. Cyberattacks against the telecom and energy sectors would be similarly disruptive, he said.
“We [want to] think in a more realistic way about how one sector impacts another,” he said. “We’ll start to work those playbooks, so the day you have a cyber disaster it’s not the first time we’re all talking to each other across sectors.”