Live from RSAC 2025: Cyber Threats, Red Lines, and the China Challenge with Rob Joyce
Season 2 Episode 16 •Show Notes
On this episode of Cyber Focus, host Frank Cilluffo sits down with Rob Joyce, former NSA Cybersecurity Director and longtime leader in national cyber operations, to unpack some of the most pressing cybersecurity threats facing the United States today. Recorded live at RSA, the discussion ranges from Chinese pre-positioning in critical infrastructure to the blurred lines between espionage and cyber warfare. Joyce lays out a three-pronged framework for national cyber strategy, reflects on lessons from the counterterrorism playbook, and warns about the shifting attack surface—from endpoints to network infrastructure and cloud identity. The conversation closes with a call for better coordination, clearer definitions, and a whole-of-nation approach to impose real cost on adversaries.
Main Topics Covered
- AI’s emergence as both opportunity and attack surface
- China’s Volt Typhoon campaign and the need for deterrence
- Offensive cyber operations, NSPM-13, and defining “defend forward”
- Counterterrorism lessons applied to cyber strategy
- Supply chain risks and the influence of foreign-controlled software
- The shift in attack surface toward identity, cloud, and network infrastructure
Key Quotes
“If China were running around and strapping Semtex to bridges, we wouldn’t tolerate that. But they’re strapping digital Semtex to our energy grid, to our pipelines, to our airlines. And we’ve got to stop that.” — Rob Joyce
“Those who use AI will outperform those who don’t. Period.” — Rob Joyce
“The attackers are now moving to the network devices and into the cloud, taking identity and just going up into your authenticated cloud.” — Rob Joyce
“This isn’t just a cyber issue, it’s a China issue, it’s a Russia issue, it’s a Iran issue, it’s a DPRK issue. So you can’t just look at cyber means in itself.” — Rob Joyce
“If [Chinese spies] had broken into an office and stolen papers, we would have done diplomatic expulsions from their embassy… Why don’t we…reduce the footprint of their embassy and consulate in the US because they’re not behaving in a normative fashion. Those are the tools that are outside the cyber toolbox that we’re not using. — Rob Joyce
Relevant Links and Resources:
NSA Cybersecurity Directorate
https://www.nsa.gov/what-we-do/cybersecurity/
Cybersecurity and Infrastructure Security Agency (CISA)
https://www.cisa.gov/
Volt Typhoon Advisory (NSA/FBI/CISA)
https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-144a
Guest Bio:
Rob Joyce is a longtime national security and cybersecurity leader with more than 34 years of federal service. He served as Director of the NSA’s Cybersecurity Directorate, Special Assistant to the President and Cybersecurity Coordinator at the White House, and Chief of Tailored Access Operations, the NSA’s elite offensive cyber unit. Throughout his career, he helped shape U.S. cybersecurity strategy, led efforts to counter nation-state threats, and forged deep partnerships across government and industry.
Transcript
1
00:00:00,000 –> 00:00:01,000
Rob Joyce (00:00)
We had the Chinese going after some of the most senior government officials in the salt typhoon case, right? Going after their cell phones. If they had broken into an office and stolen papers, we would have done diplomatic expulsions. Why does it need to be a cyber equivalent? Why don’t we PNG their top diplomats?
2
00:00:01,000 –> 00:00:02,000
Frank Cilluffo (00:21)
Well said.
3
00:00:02,000 –> 00:00:03,000
Welcome to Cyber Focus from the McCrary Institute, where we explore the people and ideas shaping and defending our digital world. I’m your host, Frank Salufo, and this week we’re on location. We’re at RSA for Cyber Prom, and I have the privilege to sit down with one of the best minds in cybersecurity and a very, very popular speaker at RSA, Rob Joyce. Rob Joyce is known to everyone of our listeners, I’m sure, but he was a former ⁓
4
00:00:03,000 –> 00:00:04,000
Ran the Cyber Security Directorate at the National Security Agency, served as a Special Assistant to the President on cyber matters, and was also head of the Tailored Access Operations Office, TAO at NSA. So, Rob, great to have you. Thanks for joining us today. So let’s start with sort of a general question. This is Madness at RSA. ⁓
5
00:00:04,000 –> 00:00:05,000
Rob Joyce (01:12)
Awesome to talk again, Frank. Thanks.
6
00:00:05,000 –> 00:00:06,000
Frank Cilluffo (01:20)
How are you doing? What are you thinking? What are you hearing? And what are you saying, most importantly, on some of these issues?
7
00:00:06,000 –> 00:00:07,000
Rob Joyce (01:25)
What I’m hearing is AI all the time.
8
00:00:07,000 –> 00:00:08,000
Frank Cilluffo (01:28)
24 by 7
9
00:00:08,000 –> 00:00:09,000
Rob Joyce (01:29)
And it’s interesting, I’m having great conversations, not only on what AI can do, what it can’t do, but thinking about agents, because we’re about to give agency to these digital employees and ask them to do things on our behalf, and I am convinced that it’s going to be an attack surface that is not ready for the criminals and nation states that are going to come at it. So thinking about what does it mean in both the attack surface and then what do we have
10
00:00:09,000 –> 00:00:10,000
to do to trust these agents has been a lot of conversation.
11
00:00:10,000 –> 00:00:11,000
Frank Cilluffo (02:02)
That’s a great point and I just have to foot stomp something. When you start thinking about AI dominance, you also have to be energy dominant, which means you’re adding a new attack surface to a traditional critical infrastructure that’s already sort of at the top of the list, right? So when it comes to data centers and energy and the like.
12
00:00:11,000 –> 00:00:12,000
Rob Joyce (02:19)
They’re
13
00:00:12,000 –> 00:00:13,000
very energy hungry.
14
00:00:13,000 –> 00:00:14,000
Frank Cilluffo (02:22)
Yeah, no kidding, no kidding. And new risk, new threat, new vulnerability, and new opportunity. ⁓ So let’s jump into, obviously, ⁓ lot of discussion around the Communist Party of China, their intentions in cyber, looking at all the typhoons, whether it’s volt typhoon, salt typhoon, flax typhoon, silk typhoon, and whatever typhoon is gonna come up tomorrow.
15
00:00:14,000 –> 00:00:15,000
You’ve done a lot of creative work. You’ve testified before the CCP committee on Capitol Hill. Where are your thoughts? How should we be thinking about China today?
16
00:00:15,000 –> 00:00:16,000
Rob Joyce (02:57)
Yeah, so a few thoughts on that. The first is… ⁓
17
00:00:16,000 –> 00:00:17,000
The work of Volt Typhoon to pre-position in critical infrastructure, that’s something that we have to use every tool we have to push back and stop their willingness to do that. The director of FBI, director NSA, CISA, all testified to the Hill that their intent in doing that is to cause societal panic. Translated that word is terrorism. They want people in the US afraid at the time and place of their choosing when
18
00:00:17,000 –> 00:00:18,000
we’re entering a conflict with China or there’s escalating tensions. And that just isn’t something we should accept, right? If China were running around and strapping Semtex to bridges, we wouldn’t tolerate that. But they’re strapping digital Semtex to our energy grid, to our pipelines, to our airlines. And we’ve got to stop that.
19
00:00:18,000 –> 00:00:19,000
Frank Cilluffo (03:45)
and arms, right?
20
00:00:19,000 –> 00:00:20,000
And you know, that’s very different than the intentions behind, Salt Typhoon, which was arguably the biggest national, biggest cyber espionage campaign the U.S. has ever seen. But Volt clearly was intended to pre-position at the time of their choosing. Do we need red lines? Are we finally at the point? So I agree, there have been a lot of outspoken leaders talking about this, but I haven’t seen the imposition of cost or consequence.
21
00:00:20,000 –> 00:00:21,000
Rob Joyce (04:23)
Yeah, people ask me what should we be doing? And you know, for me, it is about the cost and consequence dials have to be turned up to the point that it is painful and they decide the cost is not worth the outcome potential. ⁓ I think we can get there in the case of critical infrastructure threats. ⁓ In the case of salt typhoon, you’re completely right, Frank, that that is a different
22
00:00:21,000 –> 00:00:22,000
for beast, is espionage, right?
23
00:00:22,000 –> 00:00:23,000
Frank Cilluffo (04:56)
And there’s
24
00:00:23,000 –> 00:00:24,000
gambling going on in casinos, right?
25
00:00:24,000 –> 00:00:25,000
Rob Joyce (04:58)
For years, we’ve been expelling spies and diplomats in response to ⁓ human espionage. it still goes on, because as nations, you need to know the plans and intentions of your adversaries. But again, the strapping digital semtex, that’s not something we accept. And so there’s a lot of levers we’ve got to be using. I talked to Congress, and my point was, we have not turned all the dials to 11. We’ve done a lot of things on the menu, but we’ve done
26
00:00:25,000 –> 00:00:26,000
them timidly and we’ve never done them in grand concert and with aggression and vigor. That’s one of the things about the new administration I think is good is they are willing to do strong decisions and push back hard and I’m hoping they choose to do that in the cyber world.
27
00:00:26,000 –> 00:00:27,000
Frank Cilluffo (05:45)
And I definitely want to pull on that thread momentarily, but again, I’m wondering in terms of Volt Typhoon, we do need to lean forward. What that looks like obviously entails all instruments of statecraft, but not to put a fine point on it, but it’s not just…
28
00:00:27,000 –> 00:00:28,000
the Communist Party of China, it’s everyone else watching, learning, listening. And if there’s not a commensurate response or a response, it’s just going to invite more, right? So the question is, do we need these red lines? And I think around critical infrastructure, we probably do. And I’m with you, not across everything. So let’s talk offense. So I’ve been pretty outspoken on this. We’re never going to firewall.
29
00:00:28,000 –> 00:00:29,000
our way out of this problem, we have to impose consequence on bad behavior, or you’re just going to see the same bad behavior. How do we translate some of these nouns into verbs? And on this podcast, we’ve discussed NSPM 13 in an unclassified way in terms of what the implications were around that. what does that look like in practice in your eyes?
30
00:00:29,000 –> 00:00:30,000
Rob Joyce (06:56)
Yeah, so let me back up one step though. I really believe there’s a three-legged stool needed. You need to improve your defense. We’ve made it too easy, defense will never stop them from trying and it’s never going to be completely successful.
31
00:00:30,000 –> 00:00:31,000
Frank Cilluffo (07:09)
win you can at best stay
32
00:00:31,000 –> 00:00:32,000
Rob Joyce (07:12)
So you need the cost imposition and for me, cost imposition is again a toolbox of things, offensive cyber and, but we definitely need to up the offensive cyber to impose costs. And the third is resilience, right? That when somebody does get something through, that we understand how to ⁓ recover and ride through it. But to your specific question on the offensive cyber, ⁓
33
00:00:32,000 –> 00:00:33,000
I think we’ve not done a good job with definitions yet. What is defend forward? What is persistent engagement? And you talk to different people, whether it’s in industry, in government, on the hill, executive branch or legislative, and they have different views. And if we all have our own mental model, but they’re different, we’re not communicating.
34
00:00:33,000 –> 00:00:34,000
Frank Cilluffo (07:48)
persist and engage.
35
00:00:34,000 –> 00:00:35,000
Rob Joyce (08:06)
So I want people to be much more specific about what are we asking people to do, right? So there’s definitely a desire for more offense. So the first question I’d ask is have we enabled ⁓ Cybercom, CIA, and others to do that on behalf of the government in an inherently governmental function? Right, I don’t want somebody authorizing letters of mark and reprisal to industry
36
00:00:35,000 –> 00:00:36,000
that has the bar down here and Cybercom still has the bar up here. So let’s first take the government’s professional cyber forces and make them more effective. NSPM 13 was the first step in that.
37
00:00:36,000 –> 00:00:37,000
Frank Cilluffo (08:49)
dealt with some deconfliction too, which is important,
38
00:00:37,000 –> 00:00:38,000
Rob Joyce (08:52)
Yeah, but there’s still a ways to go right there’s still more to be done Where you know I I call the mission type orders where you give a mission to the cyber force and say you were going to execute this on our behalf and at that point those professionals You know do the deconfliction that’s required, but they have the agility to operate in cyber speed and do maneuver warfare and cyber the way You know we we would expect in a kinetic fight, you
39
00:00:38,000 –> 00:00:39,000
You don’t have an attack plan, find out that the enemy is in a different position, or you have some success and you’ve got the opportunity to continue to push, and then stop and phone home and they write papers and coordinate across the interagency to think about what they do next. So that would be my first thing, is let’s…
40
00:00:39,000 –> 00:00:40,000
Frank Cilluffo (09:42)
And the Title X mission here is very important, but like you said, it’s cyber and, so there are going to be other agencies that can play a significant role. So you do need to expand that a little bit, right? I mean, I’m reminded of the old counterterrorism discussion, and I would argue the greatest breakthrough since 9-11 was really standing up JSOC to the point that Title X, Title 50, it was seamless. It should have been before, but it wasn’t. But that took a lot of blood, and tears, figuratively and literally.
41
00:00:40,000 –> 00:00:41,000
Rob Joyce (10:13)
So Frank, I led counter-terrorism at NSA post-9-11. And that shaped me, watching J Sock, Admiral McChrystal, General McChrystal, Admiral McRaven, and what they were able to do because they brought the interagency together. There was NSA, CIA, FBI, but there was also Treasury people in the middle of that operational jock. So they were part of the fight.
42
00:00:41,000 –> 00:00:42,000
So, ⁓ you know, we need to think about how State Department, Treasury, Commerce, FBI, NSA, CIA, CISA, all the other elements of DHS use their authorities to the maximum extent possible for that cost imposition.
43
00:00:42,000 –> 00:00:43,000
Frank Cilluffo (10:58)
And I want to, because I think you framed it exceedingly well. It is all instruments of statecraft, all instruments of government. But the thing that I would also add to that equation is when you look at…
44
00:00:43,000 –> 00:00:44,000
it’s not only bringing the agencies into the fight, but industry. I think there’s another ⁓ piece of the puzzle that this isn’t just a cyber issue, it’s a China issue, it’s a Russia issue, it’s a Iran issue, it’s a DPRK issue. So you can’t just look at cyber means in itself, right? So it has to be looked at even beyond just the cyber community. Is that fair?
45
00:00:44,000 –> 00:00:45,000
And you think we can do that? you think that’s gonna be a pretty big house that you’re gonna have to build?
46
00:00:45,000 –> 00:00:46,000
Rob Joyce (11:47)
We’ve come a long way.
47
00:00:46,000 –> 00:00:47,000
gone all the way on that journey, but I look at what the hyper-scale cloud providers can see inside their own enterprise. And then you combine that with what the government can reach out and see inside the classified protected networks of our adversary, and the marriage of those two things is that all-source picture that the counter-terrorism fight wanted.
48
00:00:47,000 –> 00:00:48,000
Frank Cilluffo (12:16)
It’s called Rich Picture. You have some experience with the Brits
49
00:00:48,000 –> 00:00:49,000
Rob Joyce (12:20)
I think we need to understand that discussion about the Chinese plans and intention didn’t come because of an incident response firm catching the Chinese inside critical infrastructure. Now you could see that it walked like a Chinese duck, it quacked like a Chinese duck, you could attribute it as a Chinese duck. The intelligence said
50
00:00:49,000 –> 00:00:50,000
Frank Cilluffo (12:45)
But you need other sources.
51
00:00:50,000 –> 00:00:51,000
Rob Joyce (12:49)
it was their intent to cause societal panic. And that actually informs the policymakers to say, ⁓ my gosh, this is a real threat. This is beyond the red lines. know, ⁓ the incident response folks could say there’s no good intelligence here. There’s not commercial value. So they could intuit some of it. But to really set and hold a red line, now you’ve informed and that’s what’s gonna drive resources, new authorities and the changes we need to do.
52
00:00:51,000 –> 00:00:52,000
Frank Cilluffo (13:18)
And I think that concept gets lost sometimes that government brings more than just cyber capabilities. It’s all source that can verify, corroborate, or prove otherwise. So I think that is an important element in that discussion.
53
00:00:52,000 –> 00:00:53,000
Rob Joyce (13:34)
And even in cost imposition, right? You know, again, I’m going to make another analogy. We had the Chinese going after some of the most senior government officials in the salt typhoon case, right? Going after their cell phones, right?
54
00:00:53,000 –> 00:00:54,000
Frank Cilluffo (13:56)
Pretty critical time too.
55
00:00:54,000 –> 00:00:55,000
Rob Joyce (13:57)
If they had broken into an office and stolen papers, we would have done diplomatic expulsions from their embassy.
56
00:00:55,000 –> 00:00:56,000
Frank Cilluffo (14:06)
What is the cyber equivalent of PNG?
57
00:00:56,000 –> 00:00:57,000
Rob Joyce (14:08)
Why does it need to be a cyber equivalent? Why don’t we PNG their top diplomats? Well said. said. That is cost imposition. Reduce the footprint of their embassy and consulate in the US because they’re not behaving in a normative fashion. Those are the tools that are outside the cyber toolbox that we’re not using. And I really think we’ve got to bring all those to the table.
58
00:00:57,000 –> 00:00:58,000
Frank Cilluffo (14:29)
and demonstrate that cyber does meet the bar. It’s means to an end anyway. It’s really about their intentions. you brought up letters of mark. and historically looking at the broader active cyber defense sets of questions, I think it immediately goes to hack back. There’s so much between put up a firewall and ⁓ hack back. And that should be a role that perhaps industry plays. I’d be curious what your thoughts are.
59
00:00:58,000 –> 00:00:59,000
Rob Joyce (14:59)
Yeah, I’m still of the old school that you know it’s an inherently governmental function, right? ⁓
60
00:00:59,000 –> 00:01:00,000
Frank Cilluffo (15:05)
about operational
61
00:01:00,000 –> 00:01:01,000
collaboration.
62
00:01:01,000 –> 00:01:02,000
Rob Joyce (15:07)
It’s
63
00:01:02,000 –> 00:01:03,000
not a no-roll, right, because we do campaigns where the government does some things in the hacking space. Cybercom may take down things in foreign environments, while the FBI has a warrant to do things domestically. ⁓ I also think, again, going back to my earlier comments, we’ve got to define what hack back means. Are you talking about the botnet infrastructure that was enabling the theft of
64
00:01:03,000 –> 00:01:04,000
Are you talking about the repository of information that came out of a business that sits in a server somewhere? And what are you allowed to do? Are you allowed to burn down that server? what if it is just a…
65
00:01:04,000 –> 00:01:05,000
Frank Cilluffo (15:53)
We might
66
00:01:05,000 –> 00:01:06,000
Rob Joyce (15:55)
in
67
00:01:06,000 –> 00:01:07,000
business, right? And even further than that, I talked to some of the policy makers, whether it’s executive branch or ⁓ Congress, and they want to see the lights go off in Beijing. And is that in bounds for the commercial entities to decide, choose, and execute? Or is that something that…
68
00:01:07,000 –> 00:01:08,000
Frank Cilluffo (16:18)
But if there’s
69
00:01:08,000 –> 00:01:09,000
a collaborative where it’s got an operational, that’s a different, because at the end of the day, maybe one does the action, the other helps inform the action.
70
00:01:09,000 –> 00:01:10,000
Rob Joyce (16:27)
Yeah,
71
00:01:10,000 –> 00:01:11,000
and we’ve had that for years. NSA has no Title X authorities, but we will often plan and supply the vital information that then, in a collaborative sense, CyberCom executes, right? And it is cheek to jowl together. And that actually happens with industry at times.
72
00:01:11,000 –> 00:01:12,000
Frank Cilluffo (16:50)
And
73
00:01:12,000 –> 00:01:13,000
Rob, you’ve been very eloquent in making the case to lean forward. What do we do, say, with ransomware gangs that are provided safe haven in largely Russia or some of the former Soviet republics? How do we square that circle? I don’t think we’ve exhausted our creative ways of getting them to travel to cool places where we do have extradition treaty, but how do we get around that challenge?
74
00:01:13,000 –> 00:01:14,000
Rob Joyce (17:18)
Yeah,
75
00:01:14,000 –> 00:01:15,000
the Bureau’s done great work with their partners in international law enforcement, but they’re only going to get to small.
76
00:01:15,000 –> 00:01:16,000
Frank Cilluffo (17:24)
One Z’s and two Z’s.
77
00:01:16,000 –> 00:01:17,000
Rob Joyce (17:26)
⁓
78
00:01:17,000 –> 00:01:18,000
But again, I think it is a national concern and you’ve got to use all elements of national power, right? You’ve got to convince Russia, China, North Korea, Iran that it is not in their national best interest to be allowing these activities to emanate from their borders and you know, you do that with pain points that probably aren’t cyber in most cases. I’m not saying give up on the cyber things. It’s yes and.
79
00:01:18,000 –> 00:01:19,000
Frank Cilluffo (17:54)
in reason, yeah, absolutely. We touched on AI to begin with, and that’s, you can’t go two feet without having an AI discussion here. What are some of your thoughts, and I’ve asked most of our guests, does AI benefit blue, red, the defender, those on offense? What are your thoughts on that?
80
00:01:19,000 –> 00:01:20,000
Rob Joyce (18:15)
Yeah, my strong belief is those who use AI will outperform those who don’t. Period. For whatever purpose it is. It’s both sides. do think that… So it’s purple? Yeah, the living off the land techniques that are kind of the in vogue for the highest end actors again, ⁓ those things, AI can help us at scope and scale. Because if you can get an unblinking AI to look at your network and your digital terrain and
81
00:01:20,000 –> 00:01:21,000
Frank Cilluffo (18:21)
whatever their
82
00:01:21,000 –> 00:01:22,000
Rob Joyce (18:45)
understand what normal is and somebody comes in and steals Frank’s identity, digital identity, and then all of a sudden Frank’s machine is talking to six machines you’ve never talked to before or you’re moving data ⁓ in ways and on time periods that you never moved data before. Somebody needs to look at you and your account and it may be that you were just promoted into a new job. It may be you’ve been given a task force that you’re doing unusual things.
83
00:01:22,000 –> 00:01:23,000
But most of the time I think it’s going to illuminate the bad actors ⁓ manipulating and abusing identity. And so I think that’s the strength in the AI near term. ⁓ I’m also watching the service areas. know, the AI lets you do things at speed and scale. And that is so hard to defend against.
84
00:01:23,000 –> 00:01:24,000
Frank Cilluffo (19:36)
It
85
00:01:24,000 –> 00:01:25,000
really lowers, the bar was already low vis-a-vis some of the more traditional projections of power and military and economic and the like for cyber actors but it’s been lowered even, it’s down to the ground pretty much ⁓ when you start looking at AI.
86
00:01:25,000 –> 00:01:26,000
Rob Joyce (19:53)
further but
87
00:01:26,000 –> 00:01:27,000
I do think it’s kind of like coding. You can now talk to an LLM and have it generate some pretty sophisticated coding. But if you are not even a programmer, ⁓ at some point you hit an error that’s unrecoverable. But in the hands of a real programmer, those same tools 10 or 100 XU, so in the hands of somebody who is a skilled hacker, using ⁓
88
00:01:27,000 –> 00:01:28,000
and the sophistication, they will go farther, faster, wider.
89
00:01:28,000 –> 00:01:29,000
Frank Cilluffo (20:24)
Enabler and to all
90
00:01:29,000 –> 00:01:30,000
You
91
00:01:30,000 –> 00:01:31,000
know, and I do think last year I had Phil Venables on and he made a very strong case that it’s going to benefit the defender. And I think he’s right, but I also think he’s wrong because I think it’s not as simple as ⁓ either or, black and white set of matters, because the defender has to be right all the time, right? And I think you touched on this in a different way and forgive me if I framed it wrong and disagree with me, but the cyber hygiene initiatives, that’s where AI can really have
92
00:01:31,000 –> 00:01:32,000
the critical controls that we all know, whether it’s the 20 or whether it’s 25, list we’re going to be working on, that can be very helpful and should be utilized, right, from a blue perspective.
93
00:01:32,000 –> 00:01:33,000
Rob Joyce (21:13)
Got to do the basics first and you know I have a quote going back more than a decade now where I said NSA was successful in our hacking operations because we knew the terrain, the network better than the defenders. We knew the devices better than the people who them because we spent the time to worry the details. And so now you’ve got artificial intelligence that can sweat details and you watch and Open AIs now
94
00:01:33,000 –> 00:01:34,000
They’ve their high-end models that are better than the best competitive programmers on the planet. All of them are capable. I think the American frontier models continue to excel. The innovation is still coming out of the US. Cannot. the difficulty in a lot of these AI conversations is that
95
00:01:34,000 –> 00:01:35,000
Frank Cilluffo (21:50)
Absolutely.
96
00:01:35,000 –> 00:01:36,000
We can’t take it for granted, right?
97
00:01:36,000 –> 00:01:37,000
Rob Joyce (22:11)
the breakthrough concept, like if you think chain of thought reasoning, the 01 model that came out of OpenAI.
98
00:01:37,000 –> 00:01:38,000
It can be kind of described in two or three sentences. And so if you can have that conversation about what is the concept between a chain of thought model, between two researchers that already are in the field, that other researcher now has the seed plan and is able to grow that plant. ⁓ And a lot of the AI, it’s a continual evolution where the breakthrough is not something that’s going to be ⁓ a unique tech lead for 10 years.
99
00:01:38,000 –> 00:01:39,000
that and especially with the movement of researchers between companies, between universities, that that information wants to be free and propagate so you’ve got to continue innovating.
100
00:01:39,000 –> 00:01:40,000
Frank Cilluffo (23:02)
And
101
00:01:40,000 –> 00:01:41,000
I would argue that, I I also feel like we’re always reacting to whether it’s TikTok, Kaspersky, whether it’s Huawei, whether it’s ZTE, whether it’s DeepSeek. We’ve got a lot of lists. Commerce has their list. ⁓
102
00:01:41,000 –> 00:01:42,000
Rob Joyce (23:20)
as they’re
103
00:01:42,000 –> 00:01:43,000
Frank Cilluffo (23:25)
bound, that’s literally a whack-a-mole approach. Is there a better way to do this? And this opens up the broader supply chain issue.
104
00:01:43,000 –> 00:01:44,000
Rob Joyce (23:32)
My core focus is who writes and updates that software. Who’s in charge of the algorithm and the features? That’s where TikTok comes back to. TikTok is able to dial that algorithm.
105
00:01:44,000 –> 00:01:45,000
to emphasize or de-emphasize the topics of their choosing. They can put things in front of ⁓ millions or billions of eyes at once. Think about the campaign to call your senator, right? That was the most misguided idea ever. But in the case of TP-Link, they update the software on the most prevalent network-connected devices in the US now. today, if it’s fine,
106
00:01:45,000 –> 00:01:46,000
that’s good, but if we have a point of escalating tensions and China tells TP-Link I need them all to turn off for my volt typhoon campaign, alright.
107
00:01:46,000 –> 00:01:47,000
I need them all to have an easy known exploitable flaw for my operations. ⁓ Chinese companies can’t say no, it’s in the law. And so who owns, operates, writes your software is really important. It matters. And I thought I was pretty clear to Congress and it resonated. They get it, right? So I think we’ll see action.
108
00:01:47,000 –> 00:01:48,000
Frank Cilluffo (24:46)
Exactly.
109
00:01:48,000 –> 00:01:49,000
and to not put a fine point on it, but it’s hardware, software, firmware, and pretty much everything else in between.
110
00:01:49,000 –> 00:01:50,000
Rob Joyce (25:04)
I am up the stack, right? It’s really hard to do hardware backdoors and they’re very, you know, they’re…
111
00:01:50,000 –> 00:01:51,000
Frank Cilluffo (25:07)
How far up the stack are?
112
00:01:51,000 –> 00:01:52,000
I Hezbollah
113
00:01:52,000 –> 00:01:53,000
may have different…
114
00:01:53,000 –> 00:01:54,000
Rob Joyce (25:18)
There’s
115
00:01:54,000 –> 00:01:55,000
an evidence, Chad. You’ve got to ⁓ at your threat model. For technology we’re deploying into the White House or the embassy in Beijing, you want to make sure you understand the hardware lineage and that nothing’s been tampered. But for mass market products, if you’re expending to put a hardware back door in there, there’s much better ways to skin that cat. But the software ⁓ matters. And that’s why I differentiate. There are good American designed and up-front
116
00:01:55,000 –> 00:01:56,000
and manage products that are built in China. And I don’t have the same concerns as something that’s design engineered and especially continually updated from China. That’s the difference.
117
00:01:56,000 –> 00:01:57,000
Frank Cilluffo (26:02)
AI is here now, quantum. You can’t escape without a discussion. And certainly in your old business, whether it’s cryptography, cryptology on both sides, that could be a game changer, yes? And not to oversimplify it, but it has the potential to basically render all your secrets vulnerable and protect, and or if you’re on the other end, protect all of your secrets. What does that mean going forward? And how far away are
118
00:01:57,000 –> 00:01:58,000
Rob Joyce (26:32)
Yeah, so the government, US government, issued an executive order for the US government to have all of our systems quantum secure by 2034. So that kind of gives you a time frame. It’s not a today problem. It’s not next year.
119
00:01:58,000 –> 00:01:59,000
Frank Cilluffo (26:50)
It’s a real game changer when it comes.
120
00:01:59,000 –> 00:02:00,000
Rob Joyce (26:52)
but it’s in the window, it’s a game changer. And the other thing people don’t understand often is they think about the secrets. Again, we talked about what’s your threat model, and it’s different if you’re trying to communicate out of Moscow and Beijing, as opposed to, you know, I need to protect my secrets of what I’m talking to on my orders from Amazon or my PII for my medical history. But the other thing Quantum is threatening is a lot of our authentication is based
121
00:02:00,000 –> 00:02:01,000
on public key cryptography. So the ability to log into a network, to authenticate to a system, or to sign a piece of code that is ⁓ supposed to come from Apple, Microsoft, or Google, those are all things that ⁓ the traditional public key cryptography protects today and will be vulnerable when a cryptographically relevant quantum computer exists.
122
00:02:01,000 –> 00:02:02,000
Frank Cilluffo (27:50)
Do we win this race?
123
00:02:02,000 –> 00:02:03,000
Rob Joyce (27:52)
⁓ I think so. Yep, but we’re also on the journey, right? You know, everybody’s aware of it. We’ve got to start thinking about how do you do your inventory of where is public key cryptography used in my enterprise? And that’s the first step until you know where it is. You can’t start to have the plan that will get you in 10 years to a solution where it’s out of your ecosystem.
124
00:02:03,000 –> 00:02:04,000
Frank Cilluffo (28:22)
which if you look historically…
125
00:02:04,000 –> 00:02:05,000
I mean, and I love the case you’re making for innovation, because at the end of the day, we have to out-innovate. There’s just no question in my mind. But often it’s the application and how you’re actually using that technology. And from warfare and conflict all the way through to business and industry, it’s often not the technology, it’s how you’re actually using it. And that’s one component I think is essential. Rob, we’re coming near the end of our time, and I love to ask the last question, what questions didn’t I ask that I should have asked,
126
00:02:05,000 –> 00:02:06,000
you’ve covered a whole water frontier but you know so much more than I do and I want to make sure we give our audience an opportunity to think some.
127
00:02:06,000 –> 00:02:07,000
Rob Joyce (29:03)
So you started with the RSA question about what am I hearing? What I’m talking about is the threats I’ve seen over the last year. I’m seeing trends move away from the attacks on the desktops and the servers. you know, this industry here at RSA has done a good job of building products, EDR and security products that are starting to get a good handle on protecting the endpoints. But there’s still whole classes
128
00:02:07,000 –> 00:02:08,000
of devices in carrier class routers and switches and things that are un- And it’s not even just OT, it’s the dark corners of IT.
129
00:02:08,000 –> 00:02:09,000
Frank Cilluffo (29:41)
Bring it up, please.
130
00:02:09,000 –> 00:02:10,000
Yeah.
131
00:02:10,000 –> 00:02:11,000
Rob Joyce (29:47)
that are not well logged, not well protected, and we saw that in Salt Typhoon. They didn’t go to the servers, they went to the network components, and they stole identity that didn’t have two-factor authentication. So it’s really hard, in a lot of big networks, you’ve got to have machines talk to machines. So a computer logs into another computer, a router talks to another router, and in that, they’re not doing two-factor authentication.
132
00:02:11,000 –> 00:02:12,000
So if you’ve compromised that network and you can scrape the script that
133
00:02:12,000 –> 00:02:13,000
that enables that computer to computer communication. Now you’ve got something that inside the network that is authenticated and already omnipresent throughout the communications, so it hides in the noise. So thinking about that shift of the attackers don’t use malware, they don’t like to go to endpoints that have EDR and good logging. They are now moving to the network devices and also then into the cloud, taking identity and just
134
00:02:13,000 –> 00:02:14,000
going up into your authenticated cloud and not into your devices themselves.
135
00:02:14,000 –> 00:02:15,000
Frank Cilluffo (30:59)
It’s
136
00:02:15,000 –> 00:02:16,000
very significant exposure from an attack surface perspective. Rob, thank you for spending so much time with us today and thank you for all your good work to benefit all of us in our great country and for ⁓ being a patriot and leading. So thank you, we’re a better country for it. Thank you, Rob. Thank you for joining us for this episode of Cyber Focus. If you liked what you heard, please consider subscribing. Your ratings and reviews help us reach more listeners.
137
00:02:16,000 –> 00:02:17,000
Rob Joyce (31:18)
you ⁓
138
00:02:17,000 –> 00:02:18,000
Frank Cilluffo (31:28)
Drop us a line if you have any ideas in terms of topics, themes, or individuals you’d like for us to host. Until next time, stay safe, stay informed, and stay curious.