Security Experts:

NSA's Rob Joyce Explains 'Sand and Friction' Security Strategy

News Analysis: The newly minted director of cybersecurity at NSA offers a candid assessment of the nation-state threat landscape and argues that adding “sand and friction” to adversary operations is a winning strategy.

Rob Joyce has always been known for speaking candidly about malicious hacker activity and trends in the nation-state APT landscape. 

Back in 2016, the NSA’s top hacker raised eyebrows with a plain-spoken presentation on exactly how high-end hacking teams break into computer networks, concluding that defenders hardly stand a chance against nation-state hacking teams.

"We put the time in ...to know [that network] better than the people who designed it and the people who are securing it," Joyce said matter-of-factly. “There’s a reason it’s called advanced persistent threats. Because we’ll poke and we’ll poke and we’ll wait and we’ll wait and we’ll wait, right? We’re looking for that opening and that opportunity to finish the mission.”

Rob Joyce NSA

It was a sobering conference talk that underscored why there is a certain defeatist mindset among the folks tasked with repelling cyberattacks. The message was clear: If a nation-state hacking group wants to break into your machine, you don’t stand much of a chance.

Since that presentation, Joyce has been named director of cybersecurity at the NSA and tasked with defending U.S. digital assets during a massive ransomware-driven wealth transfer to Russian cybercriminals, a noticeable surge in zero-day exploit usage, and documented nation-state APT activity at an all-time high.

[ READ: US Gov Warning: VPN, Network Perimeter Product Flaws Under Constant Attack ]

He assumes the post amidst public calls for the U.S. government to respond more aggressively to the ransomware epidemic with some even advocating for an offensive, hack-back strategy to find and expose ransomware gangs.

Instead of traditional offensive hacking-back, Joyce used the spotlight of the recent Aspen Cyber Summit to promote a “sand and friction” strategy to disrupt apex predators.

“Across a number of these nation state activities, defense is really important, but you also have to work to disrupt [them] before they are successful,” Joyce said, describing it as a “continuous engagement strategy” aimed at putting sand and friction in high-end malware operations.

“They don’t just get free shots on goal to keep trying and trying until they score,” Joyce said, pointing to a wave of prominent joint advisories issued by the NSA alongside partners at the Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA).

“We need to find those ways to expose their tools and infrastructure. We’re establishing the expectation that these things won't be tolerated,” Joyce declared.

In addition to joint advisories and urgent warnings on signs of nation-state software exploitation, the U.S. government has also used social media to share IOCs on North Korea cryptocurrency hacks and step-by-step software mitigation guidance to help organizations reduce exposed attack surface.

READ: NSA: Russian Hackers Exploiting VPN Vulnerabilities - Patch Now ]

“We’ve got to continue to understand, disrupt, and then find ways to push back. If we just let them keep shooting on goal and the goal is undefended, eventually, they’re going to score,” Joyce said.

Joyce was characteristically forthcoming when asked to discuss the threat from specific countries, describing the scale and scope of attacks from China as “off the charts.”

“The amount of Chinese cyber activity dwarfs the rest of the world, combined. They have scale,” Joyce said. “They have a [hacker] resource base that’s large and the elite in that group really are really elite. At the high end, the sophistication [of Chinese APTs] is really good.”

He spent time breaking down the players in the APT threat landscape, identifying China, Russia, Iran and North Korea as the “big four” capable of major hacking operations.  

Joyce described Russia as a “disruptive” force that has shown evidence of pre-positioning against U.S. critical infrastructure.

“The SolarWinds supply chain attack shows that they are looking to add scale, achieve and maintain presence, both for intelligence but also for operational activity,” he said.

The NSA security chief stressed that “almost every nation in the world” has invested in offensive cyber capabilities for intelligence gathering operations but warned that some smaller nations are also “dabbling” in advanced offensive cyber outcomes.

Now, he’s hoping that an aggressive and visible information-sharing “sand-and-friction” strategy can tip the scale back in favor of defenders.

Related: Rob Joyce Appointed Director of Cybersecurity at NSA

Related: White House Cyber Chief Provides Transparency Into Zero-Day Disclosure

Related:  Rob Joyce: Out-of-Band Network Taps an NSA Nightmare

view counter
Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a journalist and cybersecurity strategist with more than 20 years experience covering IT security and technology trends. Ryan has built security engagement programs at major global brands, including Intel Corp., Bishop Fox and Kaspersky GReAT. He is a co-founder of Threatpost and the global SAS conference series. Ryan's career as a journalist includes bylines at major technology publications including Ziff Davis eWEEK, CBS Interactive's ZDNet, PCMag and PC World. Ryan is a director of the Security Tinkerers non-profit, and a regular speaker at security conferences around the world. Follow Ryan on Twitter @ryanaraine.