‘Begin with the assumption of breach’: Rep. Will Hurd on COVID-19 cyber threats

The Texas Republican talks tensions with China, the risks of remote work, and the coming tech brain drain on Capitol Hill.

U.S. Rep. Will Hurd, pictured here during the impeachment inquiry in 2019, says the federal government and the business sector can improve information-sharing on cyber threats: "Unfortunately, right now, when it comes to information-sharing, we still think like my old world in the intelligence community."

Photo: Samuel Corum — Pool/Getty Images

With millions of Americans working remotely from unsecured devices, China facing accusations that it is seeking to steal research on COVID-19 vaccines, and a presidential election just months away, the United States is facing an onslaught of cyber threats. In Congress, few lawmakers have as deep an understanding of those threats as Rep. Will Hurd, the Texas Republican.

Before taking office in 2015, Hurd spent several years as a CIA officer and several more as a private cybersecurity consultant. As a lawmaker, he's continually pressed for legislation to improve America's cyber defenses and modernize government technology. Now, as Hurd prepares to leave Congress at the end of 2020, his technical expertise is arguably more needed than ever.

Protocol spoke with Hurd about rising tensions between the U.S. and China, why businesses should "begin with the assumption of breach," and whether he's concerned about a brain drain of tech experts on Capitol Hill.

This interview has been edited and condensed for clarity. It was adapted from a virtual Protocol meetup with Hurd on May 21.

What new, urgent cybersecurity threats have been raised by this virus, and what is Congress doing to address them?

There's going to be another phase of support. And one of the things I think it should be used for is strengthening digital infrastructure and making sure we have the cybersecurity around it. We know right now that we're seeing advanced persistent threats going after hospitals and trying to learn about what's happening in some major cities. It's happening in my hometown of San Antonio. So, how do we make sure that we can provide federal dollars to allow these folks to work on that?

That's something I'm actually working on right now. It's basically a state and local modernization fund, where it would probably be one-time money, and if it's going to protect infrastructure, and it already has a federal connection, then you may be able to apply for this fund. When people talk infrastructure, it's no longer just bridges, roads … and dams, it's your computers and your telecommunications infrastructure as well.

That covers the government side of the equation, but what about all these companies whose entire workforce is working from home? What should they be doing to secure their internal infrastructure?

Begin with the assumption of breach. An attacker is going to be able to get in. And so the question is: How quickly can you detect? How quickly can you quarantine? And how quickly can you push people off?

Because of "bring your own device," you don't know what's on that endpoint. So you have to assume that endpoint is corrupted. Trust protocols from a technical perspective are something that businesses are going to have to think through. As an employee, I expect to be able to use my device, but then there's some company responsibilities that come with that.

The good thing is if you do the basics — patch your software, have a 14-character password, and don't click on something if you don't know who it's from — you protect yourself from 86% of the threats. But the other area where I think the federal government and the business sector can improve is information-sharing on cyber threats. Unfortunately, right now, when it comes to information-sharing, we still think like my old world in the intelligence community, and we don't appreciate how perishable cybersecurity information is or information on an attack may be.

One thing we heard from the federal government recently was that we're seeing cyber threats out of China related to COVID-19 vaccines. What can you tell us about those attacks and the administration's response?

This is based on the Chinese belief that there's going to be a first-mover advantage for whoever gets the vaccine first. And so, just like the Chinese for the last number of years, if not decades, have stolen information when it comes to our great technology companies, they're stealing it now, and they have been stealing IP when it comes to the pharmaceutical space as well. That's the end motivation: Getting to that vaccine first.

They're trying to erode trust between the United States and all of our allies in other parts of the world. Early on, they said that coronavirus started in the U.S. and started in Italy and that the U.S. can't respond. They're still lying about some of the responses that are happening in the United States, because the Chinese want to be seen as the ones that can help you after this. And right now the Chinese are concerned about their own population's view on how they handled the crisis internally, but they're also looking at this as an opportunity to supercharge their efforts to become the sole hegemon by 2049. 2049 is 100 years of communist rule in mainland China, and they have said that they want to become the world's superpower. And so they're using the chaos that's been created on COVID-19 to supercharge those efforts. You've seen them become even more aggressive with their disinformation campaigns.

And the response by the administration? Look, they're attributing. Under the previous administration, I always had some disagreements about attribution.

You've been talking for a while about China engaging in a global disinformation campaign around the coronavirus and where it came from. What do you think should be the role of social media companies in mediating that kind of disinformation? How do you think they've done so far? What more can they do, and then is there a role for Congress to step in?

This is the reason this debate on disinformation is so hard, because of First Amendment responsibilities and rights. I'm a firm believer that you shouldn't have the federal government telling news entities what is truth or what is not. Each [platform] is making a decision on what is a political ad or what isn't a political ad. Those are debates for everybody.

But when it comes to speech, it's hard for me to say. There is some basic education that needs to be happening at all levels of our society to make us better consumers of information.

Your House Republican colleagues put out this expansive package of bills aimed at giving the U.S. a leg up in the tech race with China. The issue is that China has an advantage because its technological initiatives are backed by the government. What do you think Congress and the broader administration need to prioritize right now to ensure that the U.S. has a real shot at winning this so-called race?

It is a race. The Chinese have made it very clear their goal is to become the world leader in 10 of the future technology spaces. It's artificial intelligence, it's quantum, it's machine learning, advanced optics, things like this. And they can move all their factors of production in one direction.

So, what should the U.S. do? If a U.S. company, or investor, can't do something in China, why are we allowing a Chinese company or an investor to do that here in the United States of America? If we treat Alibaba in the United States as an American company, but Amazon or Salesforce is not treated as a Chinese company in China, then why are we not allowing that reciprocity? I think it starts with that. There is legislation that passed the Senate that said if you can't follow U.S. accounting practices, guess what? You can't be listed on the U.S. exchanges.

I think a good example of this is what we should be doing around 5G specifically. The Chinese are ahead with Huawei because it's backed by the federal government. There's only three other providers that we all know: Samsung, Nokia and Ericsson. So how can we be working with our other allies to make sure that there's a true competitor against Huawei?

That's where we should be going, and we're not. It's all kind of haphazard. And the Chinese, you know, that's what happens when you have an authoritarian government. But I always say this: They may be able to get somewhere first, but American creativity, entrepreneurship, openness is always gonna win the day.

Are you frustrated that the Trump administration's approach on 5G and on creating a so-called Huawei competitor has been somewhat scattershot and complicated by internal fights?

You can't put 5G at his feet, because this 5G debate should have happened 20 years ago. We should have had the foresight back then. I've disagreed on some of the China policy, but the threat of China, I do agree with.

You can create a tax code that helps any American in the 5G space, in order to make sure we're being competitive. Then that's going to come into a debate about using our tax code for policy. So it's broader than just what the executive branch is doing. It's some of these debates that we're having in Congress as well.

I would say, best-case scenario, we're tied. More likely, they're more advanced. I've had senior cybersecurity officials from our European allies basically saying: Guys, y'all lost the battle on 5G. Y'all need to be thinking about 6G.

Let's talk about data privacy. It seems like for the last couple of years we've seen this shift toward embracing data privacy in Congress and the states with the passage of CCPA, and even some tech companies have been calling for federal privacy legislation. But now this crisis seems to be reversing a lot of that and sparking a new willingness to use technology and data to stop the spread of the virus. What role do you think is appropriate for tech companies and for data to play in contact tracing and in monitoring employees when they go back to the workplace?

Our public health system in the United States is actually a local system. What happens here in Bexar County or San Antonio is very different to what happens in Boston. And so, that tool that Google and Apple just came out with is going to be a tool that other people adopt. I think it starts with: My information needs to reside on my device, and I need to have the ability to share that information in a secure way with who I want to share that with, whether that's to get on a plane or not. We can achieve the use of data, and the protection of privacy at the same time. We need to stop acting like these are two things that are mutually exclusive.

There's a concern that if the federal government doesn't get behind it, digital contact tracing might not be as effective. What do you make of that?

Those debates fall on an ideological spectrum of, do you believe in local control or not? I think adoption will probably happen quicker if an enterprising head of the local health agency is able to adopt something. And then if someone shows it's working, other people can adopt it that way, rather than having this one-size-fits-all solution that comes down from someone at the Centers for Disease Control and Prevention.

Now, the CDC, even the National Institute of Standards and Technology, should be able to say: Hey, here are some of the things that a system should have. These are some of the privacy protections that you should be able to use and provide that framework. But when it comes to the implementation, I think cities and counties, all those entrepreneurial labs, should figure out how to best use it. And guess what? When somebody gets it right, it's gonna get adopted, and then we're gonna see something like that become a standard.

You are one of the tech minds in the House. I know that a few of your Republican colleagues, who like you are going to be leaving at the end of this year, have sort of been the standard-bearers for tech. How confident are you in your colleagues' ability to carry these issues forward once you're no longer there?

I appreciate the vote of confidence. But I will say this: Some people think we need to have a centralized entity on technology. No. Everybody should be involved in technology.

Robin Kelly, who is a Democrat from Illinois, and I are working with the Bipartisan Policy Center on a national strategy for artificial intelligence, and we've done a number of convenings, and we're going to be coming out with papers really soon on the things we've learned. We want to make sure every entity is focused and that technology is not a destination. It is a tool. Every oversight and regulatory agency should be focused on that. And so if you do that, and you force everybody to do it, it doesn't have to be centralized in a handful of people that may have a computer science degree.
