The White House Loses Rob Joyce and Tom Bossert, Its Cybersecurity Brain Trust
Today, the White House confirmed that cybersecurity coordinator Rob Joyce will head back to the National Security Agency, where he previously ran the nation’s top hacking team. His departure comes just a week after Tom Bossert, Trump’s cybersecurity czar and Joyce’s boss, was forced out—and leaves the administration without two trusted voices on one of the most important challenges the US faces going forward.
While Bossert’s exit appears to have been engineered by recently installed national security advisor John Bolton, Reuters reports that Joyce will leave of his own accord. But whatever the reasons for their respective absences, losing them will slow the ability of the US to think about big-picture cybersecurity concerns. And replacing them may not be easy.
To understand the impact of losing both Bossert and Joyce, it’s important to understand exactly what it is they do. As homeland security adviser, Bossert’s purview extended beyond cybersecurity specifically, but America’s security from digital threats has nonetheless been an area of particular focus for him since he served as deputy homeland security advisor in George W. Bush’s second term. It was Bossert who, in a recent Wall Street Journal editorial, called out North Korea for the WannaCry ransomware that threatened to seize up computers around the world, and who briefed the nation on Trump’s cybersecurity executive order last fall. He was also seen as a potentially stabilizing force in a freewheeling administration.
Joyce, meanwhile, brought serious hacker bona fides to the White House earned after years of running the NSA’s elite hacking team known as Tailored Access Operations. That experience helped navigate everything from if and when US spy agencies disclose valuable vulnerabilities to the country’s deterrence strategy in an increasingly combative online world.
And combined, the two appear to have led the US reversal in its stance on Russian hacking. Previously, Trump had refused even to acknowledge that Russia had interfered in the 2016 election. Presumably under Bossert and Joyce’s guidance, the administration leveled serious sanctions just last month against the country for its cyber misdeeds. After they go, it’s unclear what line the US might take against Putin’s hackers.
In a statement, White House press secretary Sarah Sanders said that Joyce “has agreed to stay on as needed to provide continuity and facilitate the transition with his replacement.”
Staff upheaval when a new national security advisor comes in isn’t uncommon. But losing the two top people responsible for US cybersecurity policy in short succession—without having replacements lined up—concerns close observers.
“Even though no one should be surprised, it doesn’t mean it shouldn’t be an outrage,” says Jason Healey, a cyberconflict researcher at Columbia University who served the George W. Bush administration as the director of cyber infrastructure protection. “Right when the cyber challenges are going to be significantly picking up, we just don’t have any team there.”
The impact won’t be felt as acutely day to day, says J. Michael Daniel, who served in Joyce’s role under President Barack Obama and currently heads up the Cyber Threat Alliance nonprofit. “On the incident side, if something bad happens and we need to respond, that can be done and will continue to happen, and I have confidence in our ability to respond to that,” Daniel says.
But until Bolton finds suitable replacements, expect big-picture progress to come to a standstill. “You would have to expect that there’s going to be a slowdown in the policy process,” says Daniel. “It would be foolish to think otherwise.”
There’s never a good moment to be without cybersecurity policy leadership—well, OK, maybe the 19th century—but these happen to be especially fraught times. Russia has been poking at the US grid and routers worldwide. Trump seems determined to decertify the nuclear deal with Iran, a country that has seen its share of brazen hacks recently. And North Korea remains a geopolitical wild card with impressive cybercapabilities. Strategies need to be formed. Decisions need to be made. With Bossert gone and Joyce on the way out?
“I guess they just don’t get made,” says Healey.
Finding qualified people to replace Bossert and Joyce also seems daunting. The Trump administration in general has had difficulty filling important roles; it has failed to even put forth a nominee for 213 of the 656 key positions requiring a Senate confirmation, per a tracker from The Washington Post and Partnership for Public Service. It has gotten well fewer than half confirmed. And the curriculum vitae required of a White House cybersecurity guru makes for a fairly limited pool of potential candidates. Especially, Healey argues, given the unceremonious manner in which Bossert was ousted.
“Who’s going to take the job after this,” says Healey. “I have a lot of difficulty imagining anyone else that they bring in is either going to know very much or be very well-respected.”
It helps, at least, that Joyce will remain on hand for now. But it doesn’t change the fact that the White House is staring at a big blank space where its cybersecurity policy blueprint should be, with no apparent plan to sketch it in.