NSA’s ‘Hacker in Chief’ Offers Cyberprotection Advice

Rob Joyce, the NSA’s chief of tailored access operations provided tips for defending against outsiders who have unlimited resources — and, more importantly, an inexhaustible amount of focus.

by Sean Sposito, San Francisco Chronicle / January 29, 2016

(TNS) -- When the National Security Agency hacks into a computer network, it generally relies on tried-and-true methods widely known in the security industry.

Rob Joyce, the NSA’s chief of tailored access operations, said as much Wednesday to a room full of systems administrators and security engineers at the Enigma Conference at the Hyatt Regency in San Francisco.

“A lot of people think that nation-states are running on zero-days” — undisclosed vulnerabilities that serve as software skeleton keys, he said. But “there are so many more vectors that are easier, less risky than going down that route.”

Joyce added that government-employed hackers are more likely to use spear phishing attacks meant to persuade a person to download a malicious attachment, or SQL injection, a technique meant to dump data from a website or network, than zero-days.

During the roughly 30-minute presentation, Joyce referred to teams like his as “apex predators.”

He attempted to give the audience — which included privacy advocates dubious of government surveillance — tips for defending against outsiders who have unlimited resources — and, more importantly, an inexhaustible amount of focus.

“Don’t assume a crack is too small to be noticed or too small to be exploited,” said Joyce.

“We’ll poke and we’ll poke and we’ll wait and wait and wait,” said the man Wired magazine recently called the NSA’s “hacker-in-chief.” “Because we’re looking for that opportunity.”

His talk served to remind conference participants of their role in defending the United States against foreign hackers. Roughly is maintained by the private sector.

When the NSA does discover previously unreported bugs in tech products, he described the process as highly regulated.

“There is both internal and external processes to the NSA, so the overwhelming, vast majority of the vulnerabilities that we discover are reported as we find” them, said Joyce, .

“Is it important enough? Is it heinous enough a problem that it gets revealed? ... Whether we say ‘yes,’ or ‘no,’ that’s still brought to an interagency committee that’s chaired by the White House.

“We don’t get final say in what we keep or let go.”

Joyce also reiterated the NSA’s stance on encryption — a debate raging among politicians and law enforcement, but not at his agency.

“Encryption makes sense for the nation,” he said. “There is no doubt in my mind that encryption is good for the nation.”

This month, Joyce’s boss, NSA Director Michael Rogers, reportedly called the debate about that technology a “waste of time.

©2016 the San Francisco Chronicle Distributed by Tribune Content Agency, LLC.