‘Begin with the assumption of breach’: Rep. Will Hurd on COVID-19 cyber threats
The Texas Republican talks tensions with China, the risks of remote work, and the coming tech brain drain on Capitol Hill.
With millions of Americans working remotely from unsecured devices, China facing accusations that it is seeking to steal research on COVID-19 vaccines, and a presidential election just months away, the United States is facing an onslaught of cyber threats. In Congress, few lawmakers have as deep an understanding of those threats as Rep. Will Hurd, the Texas Republican.
Before taking office in 2015, Hurd spent several years as a CIA officer and several more as a private cybersecurity consultant. As a lawmaker, he's continually pressed for legislation to improve America's cyber defenses and modernize government technology. Now, as Hurd prepares to leave Congress at the end of 2020, his technical expertise is arguably more needed than ever.
Protocol spoke with Hurd about rising tensions between the U.S. and China, why businesses should "begin with the assumption of breach," and whether he's concerned about a brain drain of tech experts on Capitol Hill.
This interview has been edited and condensed for clarity. It was adapted from a virtual Protocol meetup with Hurd on May 21.
What new, urgent cybersecurity threats have been raised by this virus, and what is Congress doing to address them?
There's going to be another phase of support. And one of the things I think it should be used for is strengthening digital infrastructure and making sure we have the cybersecurity around it. We know right now that we're seeing advanced persistent threats going after hospitals and trying to learn about what's happening in some major cities. It's happening in my hometown of San Antonio. So, how do we make sure that we can provide federal dollars to allow these folks to work on that?
That's something I'm actually working on right now. It's basically a state and local modernization fund, where it would probably be one-time money, and if it's going to protect infrastructure, and it already has a federal connection, then you may be able to apply for this fund. When people talk infrastructure, it's no longer just bridges, roads … and dams, it's your computers and your telecommunications infrastructure as well.
That covers the government side of the equation, but what about all these companies whose entire workforce is working from home? What should they be doing to secure their internal infrastructure?
Begin with the assumption of breach. An attacker is going to be able to get in. And so the question is: How quickly can you detect? How quickly can you quarantine? And how quickly can you push people off?
Because of "bring your own device," you don't know what's on that endpoint. So you have to assume that endpoint is corrupted. Trust protocols from a technical perspective are something that businesses are going to have to think through. As an employee, I expect to be able to use my device, but then there's some company responsibilities that come with that.
The good thing is if you do the basics — patch your software, have a 14-character password, and don't click on something if you don't know who it's from — you protect yourself from 86% of the threats. But the other area where I think the federal government and the business sector can improve is information-sharing on cyber threats. Unfortunately, right now, when it comes to information-sharing, we still think like my old world in the intelligence community, and we don't appreciate how perishable cybersecurity information is or information on an attack may be.
One thing we heard from the federal government recently was that we're seeing cyber threats out of China related to COVID-19 vaccines. What can you tell us about those attacks and the administration's response?
This is based on the Chinese belief that there's going to be a first-mover advantage for whoever gets the vaccine first. And so, just like the Chinese for the last number of years, if not decades, have stolen information when it comes to our great technology companies, they're stealing it now, and they have been stealing IP when it comes to the pharmaceutical space as well. That's the end motivation: Getting to that vaccine first.
They're trying to erode trust between the United States and all of our allies in other parts of the world. Early on, they said that coronavirus started in the U.S. and started in Italy and that the U.S. can't respond. They're still lying about some of the responses that are happening in the United States, because the Chinese want to be seen as the ones that can help you after this. And right now the Chinese are concerned about their own population's view on how they handled the crisis internally, but they're also looking at this as an opportunity to supercharge their efforts to become the sole hegemon by 2049. 2049 is 100 years of communist rule in mainland China, and they have said that they want to become the world's superpower. And so they're using the chaos that's been created on COVID-19 to supercharge those efforts. You've seen them become even more aggressive with their disinformation campaigns.
And the response by the administration? Look, they're attributing. Under the previous administration, I always had some disagreements about attribution.
You've been talking for a while about China engaging in a global disinformation campaign around the coronavirus and where it came from. What do you think should be the role of social media companies in mediating that kind of disinformation? How do you think they've done so far? What more can they do, and then is there a role for Congress to step in?
This is the reason this debate on disinformation is so hard, because of First Amendment responsibilities and rights. I'm a firm believer that you shouldn't have the federal government telling news entities what is truth or what is not. Each [platform] is making a decision on what is a political ad or what isn't a political ad. Those are debates for everybody.
But when it comes to speech, it's hard for me to say. There is some basic education that needs to be happening at all levels of our society to make us better consumers of information.
Your House Republican colleagues put out this expansive package of bills aimed at giving the U.S. a leg up in the tech race with China. The issue is that China has an advantage because its technological initiatives are backed by the government. What do you think Congress and the broader administration need to prioritize right now to ensure that the U.S. has a real shot at winning this so-called race?
It is a race. The Chinese have made it very clear their goal is to become the world leader in 10 of the future technology spaces. It's artificial intelligence, it's quantum, it's machine learning, advanced optics, things like this. And they can move all their factors of production in one direction.
So, what should the U.S. do? If a U.S. company, or investor, can't do something in China, why are we allowing a Chinese company or an investor to do that here in the United States of America? If we treat Alibaba in the United States as an American company, but Amazon or Salesforce is not treated as a Chinese company in China, then why are we not allowing that reciprocity? I think it starts with that. There is legislation that passed the Senate that said if you can't follow U.S. accounting practices, guess what? You can't be listed on the U.S. exchanges.
I think a good example of this is what we should be doing around 5G specifically. The Chinese are ahead with Huawei because it's backed by the federal government. There's only three other providers that we all know: Samsung, Nokia and Ericsson. So how can we be working with our other allies to make sure that there's a true competitor against Huawei?
That's where we should be going, and we're not. It's all kind of haphazard. And the Chinese, you know, that's what happens when you have an authoritarian government. But I always say this: They may be able to get somewhere first, but American creativity, entrepreneurship, openness is always gonna win the day.
Are you frustrated that the Trump administration's approach on 5G and on creating a so-called Huawei competitor has been somewhat scattershot and complicated by internal fights?
You can't put 5G at his feet, because this 5G debate should have happened 20 years ago. We should have had the foresight back then. I've disagreed on some of the China policy, but the threat of China, I do agree with.
You can create a tax code that helps any American in the 5G space, in order to make sure we're being competitive. Then that's going to come into a debate about using our tax code for policy. So it's broader than just what the executive branch is doing. It's some of these debates that we're having in Congress as well.
I would say, best-case scenario, we're tied. More likely, they're more advanced. I've had senior cyber security officials from our European allies basically saying: Guys, y'all lost the battle on 5G. Y'all need to be thinking about 6G.
Let's talk about data privacy. It seems like for the last couple of years we've seen this shift toward embracing data privacy in Congress and the states with the passage of CCPA, and even some tech companies have been calling for federal privacy legislation. But now this crisis seems to be reversing a lot of that and sparking a new willingness to use technology and data to stop the spread of the virus. What role do you think is appropriate for tech companies and for data to play in contact tracing and in monitoring employees when they go back to the workplace?
Our public health system in the United States is actually a local system. What happens here in Bexar County or San Antonio is very different to what happens in Boston. And so, that tool that Google and Apple just came out with is going to be a tool that other people adopt. I think it starts with: My information needs to reside on my device, and I need to have the ability to share that information in a secure way with who I want to share that with, whether that's to get on a plane or not. We can achieve the use of data, and the protection of privacy at the same time. We need to stop acting like these are two things that are mutually exclusive.
There's a concern that if the federal government doesn't get behind it, digital contact tracing might not be as effective. What do you make of that?
Those debates fall on an ideological spectrum of, do you believe in local control or not? I think adoption will probably happen quicker if an enterprising head of the local health agency is able to adopt something. And then if someone shows it's working, other people can adopt it that way, rather than having this one-size-fits-all solution that comes down from someone at the Centers for Disease Control and Prevention.
Now, the CDC, even the National Institute of Standards and Technology, should be able to say: Hey, here are some of the things that a system should have. These are some of the privacy protections that you should be able to use and provide that framework. But when it comes to the implementation, I think cities and counties, all those entrepreneurial labs, should figure out how to best use it. And guess what? When somebody gets it right, it's gonna get adopted, and then we're gonna see something like that become a standard.
You are one of the tech minds in the House. I know that a few of your Republican colleagues, who like you are going to be leaving at the end of this year, have sort of been the standard-bearers for tech. How confident are you in your colleagues' ability to carry these issues forward once you're no longer there?
I appreciate the vote of confidence. But I will say this: Some people think we need to have a centralized entity on technology. No. Everybody should be involved in technology.
Robin Kelly, who is a Democrat from Illinois, and I are working with the Bipartisan Policy Center on a national strategy for artificial intelligence, and we've done a number of convenings, and we're going to be coming out with papers really soon on the things we've learned. We want to make sure every entity is focused and that technology is not a destination. It is a tool. Every oversight and regulatory agency should be focused on that. And so if you do that, and you force everybody to do it, it doesn't have to be centralized in a handful of people that may have a computer science degree.