×

Exclusive: The Aspen Institute and Morrison & Foerster’s John Carlin Speaks with White House Cybersecurity Coordinator Rob Joyce from the Cambridge Cyber Summit Today

WHEN: Today, Wednesday, October 4th

Following is the unofficial transcript of an EXCLUSIVE interview with Rob Joyce, White House Cybersecurity Coordinator, live from the Cambridge Cyber Summit hosted by CNBC and The Aspen Institute on Wednesday, October 4th.

Mandatory credit: The Cambridge Cyber Summit hosted by CNBC and The Aspen Institute.

JOHN CARLIN: My questions are going to be a little more focused on cyber issues here at the Cyber Summit. And we have with us today Rob the cyber czar. And so I thought I'd start with, as the cyber czar, the lead official in the White House, responsible for our cybersecurity efforts, how are we doing? Are we safe?

ROB JOYCE: So I think we're safe, but by any measure you want to use, John, trend line is going the wrong way. Whether you look at breaches, whether you look at criminal activity, whether you look at nation-state activity or even, you know, the sanctity of our elections, we've got to worry.

JOHN CARLIN: And so we get this question a lot. I'm a CEO of a company, and I also get this question from my mom as a consumer of these services. They hear they're not safe. They hear things are getting worse. They hear about billions of records lost here, hundreds of millions of records lost there by the very agencies that are there to protect them from identity theft.

By the Securities and Exchange Commission itself. What are they supposed to do? What is your guidance?

ROB JOYCE: So I think at the company level, it really comes down to doing the basics. So much of this -- these intrusions can be handled by addressing the basic blocking and tackling of security, whether it's patching, having a good architecture, understanding in advance where the threats are, having logs, monitoring, watching, and dealing with it.

In our personal lives, the best thing you can do is not to reuse passwords. As you hear about these breaches, what that means is you've been compromised at that company. But what they often have is your account and the password you used. And so your account is often your email and the password, if you are reusing it at other sites, has now been breached to the point they can access you at those other sites.

JOHN CARLIN: Do you think the password/username system is a good one for security?

ROB JOYCE: It's clear we need to move beyond it and where you can use two-factor authentication. Businesses are moving that way. Companies are offering that for people to be able to use it in our personal lives, for two-factor authentication. Having a thing you possess and a thing you know is a really powerful tool band of protection.

JOHN CARLIN: And from your perch at the White House, what is government -- if that's what people should be doing and that's what companies should be doing, what's the government doing to push people away from the username/password system to dual-factor authentication?

ROB JOYCE: So what you'll see as we modernize government is the ability to use those strong authenticators inside your interactions with the government. And that's becoming the best practice for both industry and government. So we'll be adopting two.

JOHN CARLIN: And what are you doing to force the private sector to adopt? What makes cyber so unique? As for the variety of consumers that are getting harmed, it's not because the information is held by the government. It's because of their transactions in the private sector.

ROB JOYCE: I think the market pressures and the technology that commercial entities are making available is going to drive that change.

The problem with forcing it through government regulation is you snap a chalk line today and this industry moves fast. You may snap that chalk line and you impede good security because people have to do the thing to regulate it instead of doing the thing that's right.

JOHN CARLIN: We've been hearing for over a decade that the password/username is a dumb system for security and it's not fixed. Are market forces doing it on their own?

ROB JOYCE: I think they're moving there, yeah.

JOHN CARLIN: What about the Social Security number? That's something that is in government control. From the date Social Security numbers were rolled out, they were never meant to be used for identity. What are your views of the use of the Social Security number?

ROB JOYCE: So I feel really strongly that the Social Security number as an identity or even worse as an access control is just a horrific idea. It evolved that way over time and it puts us all at risk. If you think about it, a Social Security number, it is an identifier that when you use, you're actually putting yourself at greater risk because now people who steal that identity, that Social Security number, have access to your financial capabilities. Why should something you have to write down on a form and give to third parties transmit openly, allowed to be stored in filing cabinets and in records all over the country, even all over the globe -- why should that be the thing that allows access to your financial records? We've got to move beyond it. We've got to find a better way to preplace it.

We have good technologies today, two-factor authentication, public-private key technologies, where we can use a public key to verify you are the person that needs to do that transaction but safeguard the secret that's behind the Social Security number.

JOHN CARLIN: And what's your view -- what's the role of the government? What's the role of the private sector if the Social Security number is horrific? What should they be doing to get rid of it? How can we make that move faster?

ROB JOYCE: So my team at the White House has actually called for the inner agency to bring forward those ideas as to what the technologies are that could change and replace these identifiers.

We're also reaching out to industry. There's a whole bunch of industry work and, in fact, NIST, who does identity authentication standards, has been working across the financial infrastructure. A lot of the technologists in academia, there's good ideas out there. We got to pick the best one and then start moving to implementation. It's not going to be easy, but if we keep talking about it, we'll still be talking about breaches in ten years.

JOHN CARLIN: And what's your -- do you have a time line in mind? When do you expect to come out with an announcement as to a best practice? Are you going to set an end goal as to when it should be adopted?

ROB JOYCE: Yeah, I don't have a specific time line, John. But I think if you look at the problem, I personally know of four times my Social Security number has been breached.

I really have no recourse, right? There is a process to issue a new Social Security number. Show of hands here, how many people had your Social Security number reissued knowing that it was breached in Equifax? Anybody? So the idea that we can't replace a compromised credential shows how flawed that is.

You know, there are great technologies that will allow us to supersede an exposed piece of data. We've got to get on with that.

JOHN CARLIN: And there's an array of bad guys out there, from crooks; we hear about activities by Russia, by North Korea, China. And we also hear day in day out of companies being breached. Now, a lot of the companies say: Are you kidding me? What else -- is it my responsibility to defend myself against all the resources of a nation state? What do you say to those companies?

ROB JOYCE: If they're entrusted with our personal information, if they're entrusted with national security information, yeah, it's their obligation. They've got to do the right things.

But I also am not going to completely go the victim-blaming game. You know, in the end, there are criminal actions going on. Those intrusions are crimes. Whether they're perpetrated by nation states, whether they're perpetrated by economic criminals, they're still crimes. And so the government's got to get to the point where we're changing the cost-benefit ratio. We've got to impose more costs. Today the criminals, nation states see more benefit from doing these cyber actions than they worry about the costs imposed against them.

JOHN CARLIN: When I was in government, we brought a case originally against five members of the People's Liberation Army, Unit 61398. You were in another part of the government at the time. It was considered controversial because they were people in uniform. Is that an approach that's still endorsed using the criminal justice system, regardless of whether it's a nation state or not?

ROB JOYCE: It is. So, you know, when there's crimes occur, it's really their responsibility, Department of Justice, FBI, the government, to pursue those. And I think we send a strong message with those indictments. I think even though there wasn't an expectation those criminals would wind up in jail, I think it changed the foreign policy of China. I think it emboldened the response of what we were going to do in the U.S., and it galvanized people to pay attention to that problem. So we'll continue, absolutely, to use criminal justice tools.

JOHN CARLIN: Another thing we saw is after the North Korean attacks on Sony, then-President Obama used an executive order that had to do with North Korea but not cyber to place sanctions on North Korean actors. And later that year -- April 1st, I believe, of the following year -- there was a new executive order in place on cyber sanctions. There's at least one commentator who started calling it the April Fool's Day order because it wasn't used that often after it was passed. Have you used it in the new administration? And what role do you see sanctions playing in deterring cyber actors?

ROB JOYCE: We absolutely believe in using all elements of government power and that includes sanctions, law enforcement, diplomatic channels, the intel community, the military capabilities. We've renewed sanctions under the -- under a cyber executive order. We haven't deployed any sanctions yet, but Treasury, DOJ, and others are working hard on several cases right now.

JOHN CARLIN: So when you say you haven't used them yet, is that a policy choice? Or does that have to do with executing operationally? Holding people accountable?

ROB JOYCE: It's more getting the campaign lined up. It's important to use tools for maximum effectiveness so that timing of things is very critical. You want to roll out sanctions at the same time you've got a good diplomatic plan, at the same time you've got an optimal posture from the intel community to understand the reactions. If you can do it in conjunction with law enforcement activities, you'll do that as well.

JOHN CARLIN: We've heard from some: Hey, we're the United States. We're the best in the world at cyber. If they're hitting us through cyber-enabled means to do an attack, why aren't we whacking them back through cyber-enabled means? Where do you see cyber versus cyber in the playbook of retaliatory actions versus other tools?

ROB JOYCE: I think it is one of our elements of national power. The issue with cyber back on cyber is I think we know how to message with cyber. You can poke somebody with cyber. What we don't know how to do is knock them down and stand on their chest, try to hold them down and continue to, you know, impress our will in that space.

And so the people that imagined cyber as a solution, a complete solution, I think it's a little overblown. Cyber begets cyber, so it's important that we're judicious as to when we use the cyber tools and when we use the other tools. Absolutely something we've got to have as an option, but it's not "the" solution.

JOHN CARLIN: Are there -- in terms of tools you need and the statutes that enable them, in order to detect who's committing cyber-enabled intrusions or collection or in order to respond to it, are there any critical tools you need from Congress?

ROB JOYCE: Yeah. So there's one coming up, and that's the renewal of the FISA 702 Act. That's the capability that informs law enforcement for terrorism. But we also use it for cyber defense. That gives us tremendous insights into foreign malfeasance, things that are going on on the Internet, and it's about sunset. And it's one of the most powerful tools we have.

Understanding that a foreign actor is using a U.S. infrastructure and we don't have a tool to serve the warrant and get that information is a shortcoming. And if it lapses, we'll be in a pretty hard place.

JOHN CARLIN: Let's talk about norms for a second. So some have said -- and it was controversial for a period of time in Europe -- that essentially what 702 does is it allows the U.S. to commit cyber intrusions in order to collect information, because they're collecting information overseas, not necessarily with witting permission of the nation states overseas.

And at the same time, the United States is saying, with cyber attacks, you know, stop attacking our elections, stop attacking our banks. How do you balance the need to collect information at the same time with sending a message that cyberspace shouldn't be the Wild West and that there are rules?

ROB JOYCE: Yeah. So I would say 702 is one of the most important rule-based tools we have, all right, that's overseen by the courts. It's overseen by Congress. There's an Inspector General regime. And it is not an intrusive capability. It is actually one where we go to a provider and ask them to produce the information. So we're not reaching out and hacking into those accounts to do 702-based authorities. So we think it's actually a pretty reasonable tool.

JOHN CARLIN: So for those who say the intrusions are confusing, what the authority allows?

ROB JOYCE: Absolutely.

JOHN CARLIN: Let me go to another balance of what the government's role should be. You heard, particularly after WannaCry, a ransom worm attack that self-propagated to hit companies throughout the world and demand -- encrypt their content and then demand payment, there were many who said -- and I'll ask you to confirm this -- that that was an NSA tool that had been stolen and used by a criminal organization. And so they said: Hey, is it right for the government to know about a vulnerability in a software system, in an operating system, and not tell everyone about the vulnerability so they can fix it?

How do you weigh the balance between needing that information for intel purposes versus needing it so people can defend their system.

ROB JOYCE: So great question. A couple points on WannaCry. You know, if you look at that tool, the tool was ransomware. So they took ransomware, they took an exploit, they took a propagation method, they took a whole bunch of different pieces and assembled it. And, again, I go back to that was a wanton act by a criminal to intentionally cause damage, to intentionally inflict some malware out there.

The other thing you need to understand is that vulnerability was patched, right? There was a patch from Microsoft available at the time, actually a couple months before the worm spread. So the idea of withholding or releasing, in that case, the release was out there.

The reality is, it's really hard to patch and it goes back to one of my earlier statements of the things companies can do to make us safer is the basic blocking and tackling. They've got to have the ability to do those patches. They've got to have the ability to understand the vulnerabilities that have been disclosed and to act on them.

So to your question of, you know, what's the role in government in that, we in the U.S. have a process known as the Vulnerabilities Equities Process. We're very unique in that case. You don't find China and Russia and North Korea, Iran. We're also looking at that same software, those same Windows operating systems, those same browsers. You don't see them developing vulnerabilities and then sharing them back to industry.

You go to Silicon Valley, there's a long history of us sharing vulnerabilities and closing down, for defensive purposes, those holes.

So the vet process, it's been one that's been a little misunderstood. It's not been discussed openly and publicly that much.

One of the things I'm pushing as a policy consideration is the opening of the depth charter, completely unclassified, so that people understand who's involved, what we look at, how we decide and make these decisions to expose a vulnerability or retain it for national security purposes.

And then on top of that, the idea that we continue to review it, it's not a one-and-done decision. They get rereviewed on a periodic basis. And the voices in the room include people like the Department of Commerce, the Department of Homeland Security. US-CERT is in there. So it's a really thoughtful dialogue that goes on.

JOHN CARLIN: And the declassification of that charter to make it publicly available, do you have an expectation on time frame? What do you think we'd see that.

ROB JOYCE: I'm hoping within the month. We actually have written it. We are in the process of a policy decision-making group that's reviewing it, endorsing it, and then we will be able to push it out. But I think the communications on the topic is so important. There's a lot of misinformation. And we are doing really important work in that group, so understanding the criteria and even the outcomes.

I think NSA was on record saying something north of 90% of the vulnerabilities discovered are actually disclosed and patched. That's important. There are vital uses for national security that we have to have some of those capabilities. And there's some good reasons for it. But it's not a decision we make lightly, and there's a lot of thoughtful dialogue that goes into it.

JOHN CARLIN: Can you put some meat on that bone? Why is it ever necessary for the government to keep a vulnerability secret for a period of time?

ROB JOYCE: So we have -- we have an intelligence collection need, right? There's a state responsibility to help protect our people. And one of the ways we do that is through the collection of foreign intelligence through online cyber penetrations. So there has to be some amount of tool set to be able to do that. And so what we're trying to carefully weigh is having those capabilities, to be able to use them for national security, while at the same time making sure that it's not a major liability for our economy, for the international community, for our national security.

JOHN CARLIN: Let me flip it the other way for a second. So you said maybe roughly 90% or upwards of 90% are disclosed back to the private sector, but also that the United States is the only country doing this. Is it a mistake to be taking all of those tools out of the government's arsenal when Russia, China, Iran, North Korea and others are not following that same playbook?

ROB JOYCE: You're getting right to the heart of that debate, and that's one we have at each one of these vulnerability meetings.

It's really important when we've got a vicious vulnerability, you know, that lays open something we're using to protect our economy. That's got to be closed, right? It can be a sexy capability that will give us a lot of intelligence power, but on the scale of cost versus gain, those liabilities are closed. We have a defensive emphasis.

JOHN CARLIN: What's the seeking as how they're disclosed? Because they're not always -- you don't read the newspaper and the front line is "new vulnerability, here's how to patch it." Sometimes they're disclosed more discretely to the manufacturer of the product. How do you weigh who gets told what?

ROB JOYCE: So our general policy is to go back to the manufacturer, because they have equities in it. There's a responsible disclosure policy. The way we do disclosures is to give the company a chance to, one, understand the problem; two, fix it; and then, three, get the problem deployed and fixed before people understood it. If we went out directly publicly and said, "There's a huge flaw in your operating system, you know, Company X go ahead and fix that," I can tell you that the hackers going after that flaw would go much faster than the ability of the company to respond and then deploy and then the businesses to patch.

JOHN CARLIN: Backing up a little bit, you said earlier essentially you expect things -- we're in a scary time and it's going to get worse over the short-term in terms of intrusion.

I've heard from companies who have been hacked or breached who are not tech companies. And what they say is, I hear from the government and they're telling me I need to patch my systems. And if we get breached, we're the ones who get sued. The hearings are about us. And the regulators are coming our way.

What about the guys who make the software? Now I have to buy -- it didn't work. It didn't work because the bad guy can get into my system. What's your view and are you considering policy as to who should be liable, who should be responsible if a breach occurs; the person that made the product or the company that's using it?

ROB JOYCE: Yeah, Rob Joyce's opinion: I would walk one step farther up that chain, and again, it's the criminal that took that action. They're the ultimate responsible party.

I think it's really important that through market forces we drive better security through all elements of that chain. The companies who interact with us, the companies that hold our data, as well as those who make the products and services with those companies depend on. It's really clear that if you don't pay attention to cybersecurity and you're a manufacturer, you're a vendor, you are going to quickly lose your market share. So I think the market is doing the right thing in those cases.

JOHN CARLIN: Let me press you on that, because that's actually a fairly controversial point, that the marketplace is working here and particularly on the Internet of Things. So we have billions and billions of new devices being rolled out, many of which don't have any encryption at all, from baby -- the video cameras that we use to monitor our babies, originally the pacemakers that literally went into people's hearts before patches were put out. A case you are very familiar with that resulted in 1.4 million recalls of Jeeps because you could hack in through the entertainment system and the steering and braking system.

Do you think markets -- are you confident -- let me phrase it this way -- that five years from now the way the market is currently working without any change that the products that are delivered into our hands are actually going to have security baked in by design, or is there something we need to do that's different?

ROB JOYCE: I think that five years from today, there will be a few different forks in those roads. One is the products that have critical infrastructure implications, right? You talked about the pacemakers and the health care industry. Some activities of things that go on in the financial networks, those are subject to regulation, and rightly so.

But when you talk about the baby monitors, I think the regulation of cyber technology is likely to hamstring innovation. If you try to put too much constraint and mandatory check boxes on the security of a device, you will find that the manufacturers are going to be slowed in their ability to innovate and give us that next better product. But we've got to have the ability to drive that next better product to have some base security.

So we're doing things with NIST to -- that's the National Institute for Standards and Technology. So NIST driving those standards is putting out best practices for Internet of Things. They're putting out best practices for all sorts of activities to include passwords and identity technologies.

And so we would expect industry groups to start labeling themselves as compliant and then consumers to make smart choices about what they're buying, given the choices between something that clearly has complied with those solid-growing standards and the endorsements that come behind them, as opposed to something that is just brand-spanking new and slapped together. I'm going for something that is following the standard and endorsed.

JOHN CARLIN: To make sure I understand, so the endorsement would be come up with a certification process, and then there would be a requirement that that's transparent to the consumer? How would it end up on the labeling? In many areas, labels are required.

ROB JOYCE: Yeah. So today I'm a fan of voluntary enforcement, that companies will participate voluntarily, that we'll see industry groups rise up. They need for the safety of their industries to get this under control, and I think they can do that.

JOHN CARLIN: And you say "today." Are you monitoring -- is there -- if it's not working or if the threats are outstripping the speed at which they're voluntarily adopting, is there a threshold where you think it would be appropriate for government to play a more active role?

ROB JOYCE: I think there is. And every week those are the discussions we're having in my policy community, discussions of we look at brand-new threats, we look at industry trends, we get recommendations from committees that support the government, all the way up to academic groups who give us wise and sage counsel.

JOHN CARLIN: Sometimes this gets described as a cyber moonshot or the cyber Manhattan Project. But fundamentally -- I will ask you this question: Is there any Internet-connected system with digitally stored information that's safe from a dedicated adversary who desires to get in?

ROB JOYCE: I think Internet-connected information is really vulnerable to that well-resourced dedicated adversary. The good news for you and I, in our personal lives, we by being on good technology and well-patched, are very safe. Most of our companies as well, with technology well run, very safe. It's at the extreme edges that we see people continually chasing that new innovation that flaws and cracks appear.

JOHN CARLIN: I'm in the private sector now. But for you as a government official, a high-value target, when you say "pretty safe," don't you assume that someone has compromised and is looking at your emails?

ROB JOYCE: Yeah. So that's how I stay safe. We have classified systems. I do classified work on those classified systems. And the phone I carry in my pocket, my personal email, the devices in my home, I'm assuming somebody can access those. So you don't have conversations in places around those devices that would leave you vulnerable.

JOHN CARLIN: So given that's the case and we're moving devices that regulate our nuclear sector, our energy sector, that's hitting places like our day-to-day ability to use cars. We already talked about pacemakers. And they're all using a technology that, even if they follow best practice, a really dedicated bad guy can get in. What is the long-term solution? And this goes to the cyber moonshot or Manhattan Project. Are we using the wrong technology for some of these sectors?

ROB JOYCE: So we're asking those questions. So you've got to design your solutions based on the threat level. So for the nuclear industry, for example, we have mandatory gaps between the nuclear operational control and the Internet-connected technology that might be in the business systems.

For Internet-connected cars, I'm a little less worried that somebody's going to compromise my Internet-connected car and cause me a crash as I am that we're going to have some massive ransomware, right; that we all go out and turn on our computer-controlled vehicle and the display's got that ransomware up there in the morning, and I've got to make a decision do I go to work and pay the ransom or am I going to -- or am I going to wait and call my cybersecurity specialist to get it out of there. That's the problem. I think we've got to defend that, and that's the adversary threat level that the manufacturers have to think about.

JOHN CARLIN: Ransomware, is it increasing?

ROB JOYCE: No doubt.

JOHN CARLIN: It is. How big a problem do you think it is currently?

ROB JOYCE: It's a significant problem. The good news is that, you know, if you're paying attention to, again, that good hygiene, you're not going to be a victim. And it's getting harder and harder for ransomware to come at you without you actively doing something.

So if you go to that phishing site, you may choose to download ransomware. But if you understand that pop-up box saying download a piece of software from the site you thought was a new site might be a little suspicious, you're pretty safe.

JOHN CARLIN: And if it's increasing, any guidance you can give -- what's the government guidance? I have been hit by ransomware. I did click on the wrong link or someone in my hundred-thousand-person company hit the wrong link. Should I pay, not pay? What do I do?

ROB JOYCE: The guidance of the government in the past has been not to pay, and that's because we've seen a lot of people who pay and never see relief. You're dealing with a criminal already. And in a lot of cases, you are throwing good money after bad. But that's a personal decision you've got to make based on the situation.

JOHN CARLIN: Thank you very much for your time. We will do one final question. If there's one thing that keeps you up at night and, therefore, should be keeping all of us up at night when it comes to cybersecurity threats right now, what is it?

ROB JOYCE: The threat is just that overall trend line. We're the frog in the pot that's getting boiled.

I watch these breaches every day. This has been a heck of a week for companies announcing the problems they've had. It's getting to the point where we're numb, and that's a bad situation when you realize millions of Americans' private information is compromised and people are kind of shrugging, going, "Yeah, that happened again."

When I go -- fourth time my Social Security number is compromised, that's a problem. So we've got to change that curve.

JOHN CARLIN: What are we -- if there was one thing you could recommend, what do we do to get the frog to jump out of the pot?

ROB JOYCE: I think we've got to understand as a nation how we are going to change the cost-benefit for cyber malfeasance.

JOHN CARLIN: Thank you very much to Rob. Thank you for taking time from your busy schedule.

[APPLAUSE]

About CNBC:

With CNBC in the U.S., CNBC in Asia Pacific, CNBC in Europe, Middle East and Africa, and CNBC World, CNBC is the recognized world leader in business news and provides real-time financial market coverage and business information to more than 409 million homes worldwide, including more than 91 million households in the United States and Canada. CNBC also provides daily business updates to 400 million households across China. The network's 15 live hours a day of business programming in North America (weekdays from 4:00 a.m. - 7:00 p.m. ET) is produced at CNBC's global headquarters in Englewood Cliffs, N.J., and includes reports from CNBC News bureaus worldwide. CNBC at night features a mix of new reality programming, CNBC's highly successful series produced exclusively for CNBC and a number of distinctive in-house documentaries.

CNBC also has a vast portfolio of digital products which deliver real-time financial market news and information across a variety of platforms including: CNBC.com; CNBC PRO, the premium, integrated desktop/mobile service that provides live access to CNBC programming, exclusive video content and global market data and analysis; a suite of CNBC mobile products including the CNBC Apps for iOS, Android and Windows devices; and additional products such as the CNBC App for the Apple Watch and Apple TV.

Members of the media can receive more information about CNBC and its programming on the NBCUniversal Media Village Web site at http://www.nbcumv.com/programming/cnbc.

For more information about NBCUniversal, please visit http://www.NBCUniversal.com.