NSA Didn't Know of Meltdown, Spectre, Trump Cyber Czar Says
NEW YORK — The National Security Agency didn't know about the Meltdown or Spectre flaws, White House cybersecurity coordinator Rob Joyce said at the International Conference on Cyber Security at Fordham University Law School here today (Jan. 11).
National Security Agency headquarters in Ford Meade, Maryland. Credit: NSA / Public Domain
Joyce, who until a year ago headed the NSA's offensive hacking division, said Meltdown and Spectre — potentially devastating security flaws that affect Intel systems — would have been too much of a national-security threat to cover up, even had the NSA known about them.
"Those would have been put into our Vulnerabilities Equities Process," Joyce said, referring to the procedure whereby government agencies share knowledge of computer-security flaws with the public.
He also said the government had taken steps "both seen and unseen" to beef up electoral security ahead of this year's midterm elections, urged Congress to renew a controversial intelligence law and said he wouldn't use Kaspersky Lab's antivirus software on his own computer.
MORE: Best Antivirus Software
Following last week's premature disclosures of the Meltdown and Spectre CPU flaws, there was speculation in social media that the NSA and other government intelligence agencies might have known of the flaws beforehand.
Joyce denied that the NSA knew. He said that the flaws, which potentially date back to 20 years ago and together affect nearly all modern computer and smartphone hardware, would have been too big for the NSA to keep a secret. Instead, he said the agency would have put its knowledge of such flaws into the Vulnerabilities Equities Process for rapid disclosure.
Urges Renewal of NSA Surveillance Authority
Asked about Section 702 of the Foreign Intelligence Surveillance Act, which is in the process of being renewed for another 6 years by Congress, Joyce called it a "vital national security tool."
Section 702 permits surveillance without a warrant of communications by foreign nationals outside the U.S., but U.S. citizens and non-citizen U.S. residents (who are all "U.S. persons" with constitutional protections) have fallen under its purview if they are communicating with persons overseas.
Joyce also came out against an amendment to the 702 renewal bill being proposed by Rep. Justin Amash, R-Michigan.
The Amash amendment would exclude information about U.S. persons "incidentally" collected under Section 702 from being used as evidence in court cases, and would also forbid targeting foreigners overseas with the aim of collecting information about U.S. persons.
Right now, the NSA, or other foreign-oriented intelligence agencies such as the CIA, can pass such information easily to domestic law-enforcement agencies, such as the FBI.
Joyce said the Amash amendment would have a "chilling effect" on the way these agencies apply Section 702.
"We need to have connective tissue between the intelligence side and the law-enforcement side," Joyce said, alluding to the CIA-FBI communications problems that let some of the 9/11 hijackers slip through the system's cracks and enter the United States.
(As this story was being published, the House voted to renew Section 702 without the Amash amendment. The bill now goes to the Senate.)
Told that President Trump had tweeted earlier in the day that Section 702 was "the act that may have been used ... to so badly surveil and abuse the Trump Campaign," Joyce said that the White House was fully on board with renewal of 702.
"There have been no cases of 702 used for political purposes," Joyce said. (Trump himself said in a follow-up tweet that Section 702 "is about foreign surveillance of foreign bad guys on foreign land. We need it!")
Says Trump Aware of Russian Threat
Reminded that Democrats had stated that the White House had failed to protect U.S. elections from Russian meddling, Joyce said that both the White House and Congress were fully aware of the threat to the upcoming congressional midterm elections, as well as to the 2020 presidential elections.
"The intelligence community understands the threat," Joyce said, adding that so does Congress, and that "we've taken actions both seen and unseen" to counter the threat.
Addressing the problem of beefing up American cybersecurity capabilities, Joyce said that the country was short about 300,000 cybersecurity professionals. He also said he wanted to see more diversity in the industry.
"We need females and minorities in the same percentages that we have white males in the cybersecurity community," Joyce said.
In his prepared speech, Joyce mentioned running Russia's Kaspersky antivirus software — which was at the center of an international cybersecurity kerfuffle — on government computers as an example of an "unacceptable risk." Joyce was asked whether he would consider Kaspersky antivirus software, which Tom's Guide rates as among the best consumer AV brands, an acceptable risk for civilian use.
"I wouldn't use Kaspersky on my own computer," Joyce replied. "But you have to make your own risk assessment."