When Rob Joyce, head of the National Security Agency’s top hacking outfit, made an appearance at the brand new Usenix Enigma security conference in San Francisco this week, he didn’t strike the casual onlooker as an alpha predator. He had neatly parted dark brown hair with slightly graying sideburns, and he wore a light blue button-down shirt tucked into slacks. His demeanor more resembled that of a high school physics teacher than a dogged hunter.
Don’t be fooled though—the man should not be underestimated. Joyce leads the NSA’s euphemistically labeled “tailored access operations” unit, or TAO. Despite having a moniker that recalls the harmony of the universe in a similarly named ancient Chinese philosophy, Joyce’s team is all yang and no yin. It consists of the nation’s greatest and most indefatigable digital attackers. (Joyce took the reins in April 2013, shortly before Edward Snowden leaked a trove of government documents that, among other things, revealed the existence of TAO.)
On Wednesday the hacker-in-chief, as Wired has dubbed him, delivered a rare talk at the event. In case there’s any doubt, when the nation’s top information infiltrator dishes on the dark arts of breaking into and entering computer networks, cybersecurity wonks stop whatever they’re doing. Ears perk up. People pay attention. His presentation was easily the confab’s main attraction.
In this case, Joyce put on full display the awkward dual role of his employer: defending national computer systems, and exploiting the weaknesses in foreign ones. “I will admit it is very strange to be in that position up here on a stage in front of a group of people. It’s not something often done,” Joyce said, motioning toward his surrounding upon taking the floor. “My talk today is to tell you, as a nation state exploiter, what can you do to defend yourself to make my life hard,” he added.
Joyce proceeded to unload a bevy of insights upon an attentive batch of listeners. “The key to our success is knowing that network better than the people who set it up”; “don’t assume a crack is too small to be noticed or too small to be exploited”; “consider that you’re already penetrated.” He also refuted a popularly held belief that the NSA, as well as other nation state adversaries, favor zero-day vulnerabilities—previously unknown coding flaws—when compromising targets. It’s easier and less risky, he said, just to lie in wait and then to pounce on common bugs in un-patched systems.
Joyce’s advice—part common sense, part reaffirmation of IT pros’ suspicions—was made doubtlessly more interesting given that the tips were coming straight from the horse’s—or should I say lion’s—mouth. The magician did not reveal all his tricks, however. No one can say for sure how many details he may have left out; for instance, Joyce made no mention of his team’s formidable packet injection technique—stealthily inserting spoofed code into regular Internet traffic to hack users. Astute audience members noted this omission on Twitter during the closing session.
For more on hacking, watch:
At the talk’s conclusion, Joyce projected a QR Code bearing the NSA’s insignia on his final slide. He pointed at the checkered box, reassuring attendees that it was indeed a real link to a website containing more information—not a trick designed to infect anyone audacious enough to scan the grid with malicious software. “Trust me,” he said with a wide grin.
Even raptors have a sense of humor.