“The trend is going the wrong way,” Mr. Joyce told security experts and other enterprise information-technology officials Tuesday at the WSJ Pro Cybersecurity Executive Forum in New York.
“It’s not getting better, it’s getting worse,” he said, urging firms to be more vigilant in protecting applications, systems and infrastructure.
While some security threats have been known for a long time, responding to them has been a slow process, he said.
“We’ve put a lot of important things into technology and we may not have done everything necessary to protect that technology,” he said, citing baked-in security features, stronger passwords and other measures.
In the corporate world, he said protective measures need to start with greater oversight of approved access to secure networks: “You need to think about the people you give the keys to your kingdom.” That should be followed by critically evaluating sources of a company’s software and apps, hardware and other tools.
Mr. Joyce returned to the NSA in April after serving as President Trump’s cybersecurity coordinator over the previous six months.
Before joining the White House, he served at the NSA for more than 27 years in senior positions including a stint as head of the agency’s elite hacker unit, the Tailored Access Operations group. He was also deputy director of the Information Assurance Directorate, overseeing efforts to protect key national security systems.
Federal lawmakers on both sides of the aisle have raised concerns about the growing risk of cyberattacks, such as those targeting critical infrastructure or data in federal IT systems, along with more coordinated attacks, such as election interference.
High-profile attacks have included breaches to the Democratic National Committee, Equifax Inc., Facebook Inc. and Under Armour Inc.
Mr. Joyce said Russia, China, North Korea and Iran pose the biggest threat among foreign actors. “It really is those four countries that are outside the norm that the rest of us are living with,” he said.
In September, the White House confirmed plans to boost its offensive cyber capabilities, in part by lifting government constraints on when the U.S. can deploy cyber weaponry against its adversaries. It also directed federal agencies to work with state and local governments, as well as private-sector security firms, to better safeguard government systems.
John Bolton, national security adviser, said at the time the new strategy was necessary because Americans and its allies are “under attack every day in cyberspace.”
Mr. Joyce said this year’s relatively smooth midterm elections were a good indication that lessons were learned from cyber disruptions in the 2016 presidential elections, though he called it a “constant cat and mouse game.”
Mr. Joyce also called for coordination of public- and private-sector efforts to protect critical systems.