Connect with us

Hi, what are you looking for?


Incident Response

NSA’s Rob Joyce Explains ‘Sand and Friction’ Security Strategy

News Analysis: The newly minted director of cybersecurity at NSA offers a candid assessment of the nation-state threat landscape and argues that adding “sand and friction” to adversary operations is a winning strategy.

News Analysis: The newly minted director of cybersecurity at NSA offers a candid assessment of the nation-state threat landscape and argues that adding “sand and friction” to adversary operations is a winning strategy.

Rob Joyce has always been known for speaking candidly about malicious hacker activity and trends in the nation-state APT landscape. 

Back in 2016, the NSA’s top hacker raised eyebrows with a plain-spoken presentation on exactly how high-end hacking teams break into computer networks, concluding that defenders hardly stand a chance against nation-state hacking teams.

“We put the time in …to know [that network] better than the people who designed it and the people who are securing it,” Joyce said matter-of-factly. “There’s a reason it’s called advanced persistent threats. Because we’ll poke and we’ll poke and we’ll wait and we’ll wait and we’ll wait, right? We’re looking for that opening and that opportunity to finish the mission.”

Rob Joyce NSA

It was a sobering conference talk that underscored why there is a certain defeatist mindset among the folks tasked with repelling cyberattacks. The message was clear: If a nation-state hacking group wants to break into your machine, you don’t stand much of a chance.

Since that presentation, Joyce has been named director of cybersecurity at the NSA and tasked with defending U.S. digital assets during a massive ransomware-driven wealth transfer to Russian cybercriminals, a noticeable surge in zero-day exploit usage, and documented nation-state APT activity at an all-time high.

[ READ: US Gov Warning: VPN, Network Perimeter Product Flaws Under Constant Attack ]

He assumes the post amidst public calls for the U.S. government to respond more aggressively to the ransomware epidemic with some even advocating for an offensive, hack-back strategy to find and expose ransomware gangs.

Advertisement. Scroll to continue reading.

Instead of traditional offensive hacking-back, Joyce used the spotlight of the recent Aspen Cyber Summit to promote a “sand and friction” strategy to disrupt apex predators.

“Across a number of these nation state activities, defense is really important, but you also have to work to disrupt [them] before they are successful,” Joyce said, describing it as a “continuous engagement strategy” aimed at putting sand and friction in high-end malware operations.

“They don’t just get free shots on goal to keep trying and trying until they score,” Joyce said, pointing to a wave of prominent joint advisories issued by the NSA alongside partners at the Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA).

“We need to find those ways to expose their tools and infrastructure. We’re establishing the expectation that these things won’t be tolerated,” Joyce declared.

In addition to joint advisories and urgent warnings on signs of nation-state software exploitation, the U.S. government has also used social media to share IOCs on North Korea cryptocurrency hacks and step-by-step software mitigation guidance to help organizations reduce exposed attack surface.

READ: NSA: Russian Hackers Exploiting VPN Vulnerabilities – Patch Now ]

“We’ve got to continue to understand, disrupt, and then find ways to push back. If we just let them keep shooting on goal and the goal is undefended, eventually, they’re going to score,” Joyce said.

Joyce was characteristically forthcoming when asked to discuss the threat from specific countries, describing the scale and scope of attacks from China as “off the charts.”

“The amount of Chinese cyber activity dwarfs the rest of the world, combined. They have scale,” Joyce said. “They have a [hacker] resource base that’s large and the elite in that group really are really elite. At the high end, the sophistication [of Chinese APTs] is really good.”

He spent time breaking down the players in the APT threat landscape, identifying China, Russia, Iran and North Korea as the “big four” capable of major hacking operations.  

Joyce described Russia as a “disruptive” force that has shown evidence of pre-positioning against U.S. critical infrastructure.

“The SolarWinds supply chain attack shows that they are looking to add scale, achieve and maintain presence, both for intelligence but also for operational activity,” he said.

The NSA security chief stressed that “almost every nation in the world” has invested in offensive cyber capabilities for intelligence gathering operations but warned that some smaller nations are also “dabbling” in advanced offensive cyber outcomes.

Now, he’s hoping that an aggressive and visible information-sharing “sand-and-friction” strategy can tip the scale back in favor of defenders.

Related: Rob Joyce Appointed Director of Cybersecurity at NSA

Related: White House Cyber Chief Provides Transparency Into Zero-Day Disclosure

Related:  Rob Joyce: Out-of-Band Network Taps an NSA Nightmare

Written By

Ryan Naraine is Editor-at-Large at SecurityWeek and host of the popular Security Conversations podcast series. He is a security community engagement expert who has built programs at major global brands, including Intel Corp., Bishop Fox and GReAT. Ryan is a founding-director of the Security Tinkerers non-profit, an advisor to early-stage entrepreneurs, and a regular speaker at security conferences around the world.

Click to comment


Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.


SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.


People on the Move

Kim Larsen is new Chief Information Security Officer at Keepit

Professional services company Slalom has appointed Christopher Burger as its first CISO.

Allied Universal announced that Deanna Steele has joined the company as CIO for North America.

More People On The Move

Expert Insights

Related Content


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Data Breaches

LastPass DevOp engineer's home computer hacked and implanted with keylogging malware as part of a sustained cyberattack that exfiltrated corporate data from the cloud...

Incident Response

Microsoft has rolled out a preview version of Security Copilot, a ChatGPT-powered tool to help organizations automate cybersecurity tasks.

Data Breaches

GoTo said an unidentified threat actor stole encrypted backups and an encryption key for a portion of that data during a 2022 breach.

Application Security

GitHub this week announced the revocation of three certificates used for the GitHub Desktop and Atom applications.

Incident Response

Meta has developed a ten-phase cyber kill chain model that it believes will be more inclusive and more effective than the existing range of...

Cloud Security

VMware described the bug as an out-of-bounds write issue in its implementation of the DCE/RPC protocol. CVSS severity score of 9.8/10.