Today, the White House confirmed that cybersecurity coordinator Rob Joyce will head back to the National Security Agency, where he previously ran the nationâ€™s top hacking team. His departure comes just a week after Tom Bossert, Trumpâ€™s cybersecurity czar and Joyceâ€™s boss, was forced outâ€”and leaves the administration without two trusted voices on one of the most important challenges the US faces going forward.
While Bossertâ€™s exit appears to have been engineered by recently installed national security advisor John Bolton, Reuters reports that Joyce will leave of his own accord. But whatever the reasons for their respective absences, losing them will slow the ability of the US to think about big-picture cybersecurity concerns. And replacing them may not be easy.
To understand the impact of losing both Bossert and Joyce, itâ€™s important to understand exactly what it is they do. As homeland security adviser, Bossertâ€™s purview extended beyond cybersecurity specifically, but America’s security from digital threats has nonetheless been an area of particular focus for him since he served as deputy homeland security advisor in George W. Bushâ€™s second term. It was Bossert who called out North Korea for the WannaCry ransomware that threatened to seize up computers around the world in a recent Wall Street Journal editorial, and who briefed the nation on Trumpâ€™s cybersecurity executive order last fall. He was also seen as a potentially stabilizing force in a freewheeling administration.
Joyce, meanwhile, brought serious hacker bona fides to the White House earned after years of running the NSA’s elite hacking team known as Tailored Access Operations. That experience helped navigate everything from if and when US spy agencies disclose valuable vulnerabilities to the countryâ€™s deterrence strategy in an increasingly combative online world.
And combined, the two appear to have led the US reversal in its stance on Russian hacking. Previously, Trump had refused even to acknowledge that Russia had interfered in the 2016 election. Presumably under Bossert and Joyce’s guidance, the administration leveled serious sanctions just last month against the country for its cyber misdeeds. After they go, it’s unclear what line the US might take against Putin’s hackers.
In a statement, White House press secretary Sarah Sanders said that Joyce has â€œhas agreed to stay on as needed to provide continuity and facilitate the transition with his replacement.â€�
Staff upheaval when a new national security advisor comes in isnâ€™t uncommon. But losing the two top people responsible for US cybersecurity policy in short successionâ€”without having replacements lined upâ€”concerns close observers.
â€œEven though no one should be surprised, it doesnâ€™t mean it shouldnâ€™t be an outrage,â€� says Jason Healey, a cyberconflict researcher at Columbia University who served the George W. Bush administration as the director of cyber infrastructure protection. â€œRight when the cyber challenges are going to be significantly picking up, we just donâ€™t have any team there.â€�
The impact wonâ€™t be felt as acutely day to day, says J. Michael Daniel, who served in Joyceâ€™s role under President Barack Obama and currently heads up the Cyber Threat Alliance nonprofit. â€œOn the incident side, if something bad happens and we need to respond, that can be done and will continue to happen, and I have confidence in our ability to respond to that,â€� Daniel says.
But until Bolton finds suitable replacements, expect big-picture progress to come to a standstill. â€œYou would have to expect that thereâ€™s going to be a slowdown in the policy process,â€� says Daniel. â€œIt would be foolish to think otherwise.â€�
Thereâ€™s never a good moment to be without cybersecurity policy leadershipâ€”well, OK, maybe the 19th centuryâ€”but these happen to be especially fraught times. Russia has been poking at the US grid and routers worldwide. Trump seems determined to decertify the nuclear deal with Iran, a country that has seen its share of brazen hacks recently. And North Korea remains a geopolitical wild card with impressive cybercapabilities. Strategies need to be formed. Decisions need to be made. With Bossert gone and Joyce on the way out?
â€œI guess they just donâ€™t get made,â€� says Healey.
Finding qualified people to replace Bossert and Joyce also seems daunting. The Trump administration in general has had difficult filling important roles; it has failed to even put forth a nominee for 213 of the 656 key positions requiring a Senate confirmation, per a tracker from The Washington Post and Partnership for Public Service. It has gotten well fewer than half confirmed. And the curriculum vitae required of a White House cybersecurity guru makes for a fairly limited pool of potential candidates. Especially, Healey argues, given the unceremonious manner in which Bossert was ousted.
â€œWhoâ€™s going to take the job after this,â€� says Healey. â€œI have a lot of difficulty imagining anyone else that they bring in is either going to know very much or be very well-respected.â€�
It helps, at least, that Joyce will remain on hand for now. But it doesnâ€™t change the fact that the White House is staring at a big blanks space where its cybersecurity policy blueprint should be, with no apparently plan to sketch it in.