White House cyber chief warns on IP theft

Rob Joyce cautioned that requirements by foreign powers to review IT source code of U.S. vendors could lead to intellectual property theft.

White House Cybersecurity Coordinator Rob Joyce said that foreign laws could put U.S. vendors at risk for intellectual property theft.

White House Cybersecurity Coordinator Rob Joyce said commercial tech companies trying to expand in other countries could be putting American innovation at risk by acquiescing to government requests to see their source code.

“I’m very worried about the protectionist rules that are going up in a lot of countries” where tech companies can’t enter a nation’s market without “offering up” intellectual property, Joyce said at the Washington Post’s Oct. 3 Cybersecurity Summit in Washington, D.C.

Joyce’s comments came in response to a Reuters report detailing how Hewlett Packard Enterprise allowed a Russian defense agency to review code used to protect the Pentagon’s computer networks. “It’s a problem for the free and open internet that we designed and pushed out for the world’s benefit,” he said.

Joyce named Russia and China as some of the governments that are employing measures that require prospective tech companies to reveal their source code.

“The security aspects of those disclosures are problematic,” he said, but “I’m a little more worried about it from the intellectual property point of view of our innovation than I am the security side of it…. If you give your source code to China as a condition of entering that market, you’ve got to wonder if competitors are then going to start to adapt those features, and we’ve seen some examples of that in the past. And that really concerns us.”

Joyce also addressed the recent Department of Homeland Security ban on Kaspersky anti-virus products, saying that history suggests vigilance toward Russian vendors is warranted.

“We have plenty of examples of Russian companies being compelled and cooperating with Russian intelligence, and there’s even a law requiring participation in intelligence activities by those communications and computer companies in Russia. So as that data comes off your machine and back to Russia, it’s vulnerable and available,” he said. “We looked at that and made a risk decision that we can’t tolerate these on government networks.”

Joyce declined to comment on whether there was evidence that Russia tried to siphon information from government computers via Kaspersky, saying that using the software on sensitive government networks would be a “bad decision.”

Joyce also expounded on a plan to insert more public disclosure in the Vulnerabilities Equities Process, in which government agencies decide whether to stockpile or disclose flaws and bugs they have discovered in commercial systems.

“It’s clear to me from some of the public discussion on the Vulnerabilities Equities Process that that process is not well understood, and that’s our fault in the executive branch,” Joyce said. “In the previous administration, that was an executive privilege run out of the White House process, where the charter, the participants and the decision criteria weren’t made public.”

Joyce said that after taking the cyber coordinator position in March he started asking “why we can’t talk about this.”

“There wasn’t a good reason,” he said, so the White House is finalizing a public charter that will detail the criteria used in the process, the participating agencies and the reasons why a vulnerability was patched, disclosed or withheld for intelligence purposes.

Additionally, Joyce said the White House is working with different agencies on developing alternatives to the Social Security number as an identifier in light of the Equifax breach that exposed personal and financial data on more than 145 million consumers. “The Social Security number has outlived its usefulness,” said Joyce, who noted that he’s aware of four instances when his Social Security number was compromised.

“There are technologies we can look at … a public private key, something I can use publicly but not put the information at risk, something that can be revoked if it’s known to be compromised,” he suggested. “How many people here today have changed your Social Security numbers knowing the Equifax breach happened? Nobody.”