‘Begin with the assumption of breach’: Rep. Will Hurd on COVID-19 cyber threats

The Texas Republican talks tensions with China, the risks of remote work, and the coming tech brain drain on Capitol Hill.

U.S. Rep. Will Hurd, pictured here during the impeachment inquiry in 2019, says the federal government and the business sector can improve information-sharing on cyber threats: "Unfortunately, right now, when it comes to information-sharing, we still think like my old world in the intelligence community."

Photo: Samuel Corum — Pool/Getty Images

With millions of Americans working remotely from unsecured devices, China facing accusations that it is seeking to steal research on COVID-19 vaccines, and a presidential election just months away, the United States is facing an onslaught of cyber threats. In Congress, few lawmakers have as deep an understanding of those threats as Rep. Will Hurd, the Texas Republican.

Before taking office in 2015, Hurd spent several years as a CIA officer and several more as a private cybersecurity consultant. As a lawmaker, he's continually pressed for legislation to improve America's cyber defenses and modernize government technology. Now, as Hurd prepares to leave Congress at the end of 2020, his technical expertise is arguably more needed than ever.

Protocol spoke with Hurd about rising tensions between the U.S. and China, why businesses should "begin with the assumption of breach," and whether he's concerned about a brain drain of tech experts on Capitol Hill.

This interview has been edited and condensed for clarity. It was adapted from a virtual Protocol meetup with Hurd on May 21.

What new, urgent cybersecurity threats have been raised by this virus, and what is Congress doing to address them?

There's going to be another phase of support. And one of the things I think it should be used for is strengthening digital infrastructure and making sure we have the cybersecurity around it. We know right now that we're seeing advanced persistent threats going after hospitals and trying to learn about what's happening in some major cities. It's happening in my hometown of San Antonio. So, how do we make sure that we can provide federal dollars to allow these folks to work on that?

That's something I'm actually working on right now. It's basically a state and local modernization fund, where it would probably be one-time money, and if it's going to protect infrastructure, and it already has a federal connection, then you may be able to apply for this fund. When people talk infrastructure, it's no longer just bridges, roads … and dams, it's your computers and your telecommunications infrastructure as well.

That covers the government side of the equation, but what about all these companies whose entire workforce is working from home? What should they be doing to secure their internal infrastructure?

Begin with the assumption of breach. An attacker is going to be able to get in. And so the question is: How quickly can you detect? How quickly can you quarantine? And how quickly can you push people off?

Because of "bring your own device," you don't know what's on that endpoint. So you have to assume that endpoint is corrupted. Trust protocols from a technical perspective are something that businesses are going to have to think through. As an employee, I expect to be able to use my device, but then there's some company responsibilities that come with that.

The good thing is if you do the basics — patch your software, have a 14-character password, and don't click on something if you don't know who it's from — you protect yourself from 86% of the threats. But the other area where I think the federal government and the business sector can improve is information-sharing on cyber threats. Unfortunately, right now, when it comes to information-sharing, we still think like my old world in the intelligence community, and we don't appreciate how perishable cybersecurity information is or information on an attack may be.

One thing we heard from the federal government recently was that we're seeing cyber threats out of China related to COVID-19 vaccines. What can you tell us about those attacks and the administration's response?

This is based on the Chinese belief that there's going to be a first-mover advantage for whoever gets the vaccine first. And so, just like the Chinese for the last number of years, if not decades, have stolen information when it comes to our great technology companies, they're stealing it now, and they have been stealing IP when it comes to the pharmaceutical space as well. That's the end motivation: Getting to that vaccine first.

They're trying to erode trust between the United States and all of our allies in other parts of the world. Early on, they said that coronavirus started in the U.S. and started in Italy and that the U.S. can't respond. They're still lying about some of the responses that are happening in the United States, because the Chinese want to be seen as the ones that can help you after this. And right now the Chinese are concerned about their own population's view on how they handled the crisis internally, but they're also looking at this as an opportunity to supercharge their efforts to become the sole hegemon by 2049. 2049 is 100 years of communist rule in mainland China, and they have said that they want to become the world's superpower. And so they're using the chaos that's been created on COVID-19 to supercharge those efforts. You've seen them become even more aggressive with their disinformation campaigns.

And the response by the administration? Look, they're attributing. Under the previous administration, I always had some disagreements about attribution.

You've been talking for a while about China engaging in a global disinformation campaign around the coronavirus and where it came from. What do you think should be the role of social media companies in mediating that kind of disinformation? How do you think they've done so far? What more can they do, and then is there a role for Congress to step in?

This is the reason this debate on disinformation is so hard, because of First Amendment responsibilities and rights. I'm a firm believer that you shouldn't have the federal government telling news entities what is truth or what is not. Each [platform] is making a decision on what is a political ad or what isn't a political ad. Those are debates for everybody.

But when it comes to speech, it's hard for me to say. There is some basic education that needs to be happening at all levels of our society to make us better consumers of information.

Your House Republican colleagues put out this expansive package of bills aimed at giving the U.S. a leg up in the tech race with China. The issue is that China has an advantage because its technological initiatives are backed by the government. What do you think Congress and the broader administration need to prioritize right now to ensure that the U.S. has a real shot at winning this so-called race?

It is a race. The Chinese have made it very clear their goal is to become the world leader in 10 of the future technology spaces. It's artificial intelligence, it's quantum, it's machine learning, advanced optics, things like this. And they can move all their factors of production in one direction.

So, what should the U.S. do? If a U.S. company, or investor, can't do something in China, why are we allowing a Chinese company or an investor to do that here in the United States of America? If we treat Alibaba in the United States as an American company, but Amazon or Salesforce is not treated as a Chinese company in China, then why are we not allowing that reciprocity? I think it starts with that. There is legislation that passed the Senate that said if you can't follow U.S. accounting practices, guess what? You can't be listed on the U.S. exchanges.

I think a good example of this is what we should be doing around 5G specifically. The Chinese are ahead with Huawei because it's backed by the federal government. There's only three other providers that we all know: Samsung, Nokia and Ericsson. So how can we be working with our other allies to make sure that there's a true competitor against Huawei?

That's where we should be going, and we're not. It's all kind of haphazard. And the Chinese, you know, that's what happens when you have an authoritarian government. But I always say this: They may be able to get somewhere first, but American creativity, entrepreneurship, openness is always gonna win the day.

Are you frustrated that the Trump administration's approach on 5G and on creating a so-called Huawei competitor has been somewhat scattershot and complicated by internal fights?

You can't put 5G at his feet, because this 5G debate should have happened 20 years ago. We should have had the foresight back then. I've disagreed on some of the China policy, but the threat of China, I do agree with.

You can create a tax code that helps any American in the 5G space, in order to make sure we're being competitive. Then that's going to come into a debate about using our tax code for policy. So it's broader than just what the executive branch is doing. It's some of these debates that we're having in Congress as well.

I would say, best-case scenario, we're tied. More likely, they're more advanced. I've had senior cyber security officials from our European allies basically saying: Guys, y'all lost the battle on 5G. Y'all need to be thinking about 6G.

Let's talk about data privacy. It seems like for the last couple of years we've seen this shift toward embracing data privacy in Congress and the states with the passage of CCPA, and even some tech companies have been calling for federal privacy legislation. But now this crisis seems to be reversing a lot of that and sparking a new willingness to use technology and data to stop the spread of the virus. What role do you think is appropriate for tech companies and for data to play in contact tracing and in monitoring employees when they go back to the workplace?

Our public health system in the United States is actually a local system. What happens here in Bexar County or San Antonio is very different to what happens in Boston. And so, that tool that Google and Apple just came out with is going to be a tool that other people adopt. I think it starts with: My information needs to reside on my device, and I need to have the ability to share that information in a secure way with who I want to share that with, whether that's to get on a plane or not. We can achieve the use of data, and the protection of privacy at the same time. We need to stop acting like these are two things that are mutually exclusive.

There's a concern that if the federal government doesn't get behind it, digital contact tracing might not be as effective. What do you make of that?

Those debates fall on an ideological spectrum of, do you believe in local control or not? I think adoption will probably happen quicker if an enterprising head of the local health agency is able to adopt something. And then if someone shows it's working, other people can adopt it that way, rather than having this one-size-fits-all solution that comes down from someone at the Centers for Disease Control and Prevention.

Now, the CDC, even the National Institute of Standards and Technology, should be able to say: Hey, here are some of the things that a system should have. These are some of the privacy protections that you should be able to use and provide that framework. But when it comes to the implementation, I think cities and counties, all those entrepreneurial labs, should figure out how to best use it. And guess what? When somebody gets it right, it's gonna get adopted, and then we're gonna see something like that become a standard.

You are one of the tech minds in the House. I know that a few of your Republican colleagues, who like you are going to be leaving at the end of this year, have sort of been the standard-bearers for tech. How confident are you in your colleagues' ability to carry these issues forward once you're no longer there?

I appreciate the vote of confidence. But I will say this: Some people think we need to have a centralized entity on technology. No. Everybody should be involved in technology.

Robin Kelly, who is a Democrat from Illinois, and I are working with the Bipartisan Policy Center on a national strategy for artificial intelligence, and we've done a number of convenings, and we're going to be coming out with papers really soon on the things we've learned. We want to make sure every entity is focused and that technology is not a destination. It is a tool. Every oversight and regulatory agency should be focused on that. And so if you do that, and you force everybody to do it, it doesn't have to be centralized in a handful of people that may have a computer science degree.
