‘Begin with the assumption of breach’: Rep. Will Hurd on COVID-19 cyber threats

The Texas Republican talks tensions with China, the risks of remote work, and the coming tech brain drain on Capitol Hill.

U.S. Rep. Will Hurd, pictured here during the impeachment inquiry in 2019, says the federal government and the business sector can improve information-sharing on cyber threats: "Unfortunately, right now, when it comes to information-sharing, we still think like my old world in the intelligence community."

Photo: Samuel Corum — Pool/Getty Images

With millions of Americans working remotely from unsecured devices, China facing accusations that it is seeking to steal research on COVID-19 vaccines, and a presidential election just months away, the United States is facing an onslaught of cyber threats. In Congress, few lawmakers have as deep an understanding of those threats as Rep. Will Hurd, the Texas Republican.

Before taking office in 2015, Hurd spent several years as a CIA officer and several more as a private cybersecurity consultant. As a lawmaker, he's continually pressed for legislation to improve America's cyber defenses and modernize government technology. Now, as Hurd prepares to leave Congress at the end of 2020, his technical expertise is arguably more needed than ever.

Protocol spoke with Hurd about rising tensions between the U.S. and China, why businesses should "begin with the assumption of breach," and whether he's concerned about a brain drain of tech experts on Capitol Hill.

This interview has been edited and condensed for clarity. It was adapted from a virtual Protocol meetup with Hurd on May 21.

What new, urgent cybersecurity threats have been raised by this virus, and what is Congress doing to address them?

There's going to be another phase of support. And one of the things I think it should be used for is strengthening digital infrastructure and making sure we have the cybersecurity around it. We know right now that we're seeing advanced persistent threats going after hospitals and trying to learn about what's happening in some major cities. It's happening in my hometown of San Antonio. So, how do we make sure that we can provide federal dollars to allow these folks to work on that?

That's something I'm actually working on right now. It's basically a state and local modernization fund, where it would probably be one-time money, and if it's going to protect infrastructure, and it already has a federal connection, then you may be able to apply for this fund. When people talk infrastructure, it's no longer just bridges, roads … and dams, it's your computers and your telecommunications infrastructure as well.

That covers the government side of the equation, but what about all these companies whose entire workforce is working from home? What should they be doing to secure their internal infrastructure?

Begin with the assumption of breach. An attacker is going to be able to get in. And so the question is: How quickly can you detect? How quickly can you quarantine? And how quickly can you push people off?

Because of "bring your own device," you don't know what's on that endpoint. So you have to assume that endpoint is corrupted. Trust protocols from a technical perspective are something that businesses are going to have to think through. As an employee, I expect to be able to use my device, but then there's some company responsibilities that come with that.

The good thing is if you do the basics — patch your software, have a 14-character password, and don't click on something if you don't know who it's from — you protect yourself from 86% of the threats. But the other area where I think the federal government and the business sector can improve is information-sharing on cyber threats. Unfortunately, right now, when it comes to information-sharing, we still think like my old world in the intelligence community, and we don't appreciate how perishable cybersecurity information is or information on an attack may be.

One thing we heard from the federal government recently was that we're seeing cyber threats out of China related to COVID-19 vaccines. What can you tell us about those attacks and the administration's response?

This is based on the Chinese belief that there's going to be a first-mover advantage for whoever gets the vaccine first. And so, just like the Chinese for the last number of years, if not decades, have stolen information when it comes to our great technology companies, they're stealing it now, and they have been stealing IP when it comes to the pharmaceutical space as well. That's the end motivation: Getting to that vaccine first.

They're trying to erode trust between the United States and all of our allies in other parts of the world. Early on, they said that coronavirus started in the U.S. and started in Italy and that the U.S. can't respond. They're still lying about some of the responses that are happening in the United States, because the Chinese want to be seen as the ones that can help you after this. And right now the Chinese are concerned about their own population's view on how they handled the crisis internally, but they're also looking at this as an opportunity to supercharge their efforts to become the sole hegemon by 2049. 2049 is 100 years of communist rule in mainland China, and they have said that they want to become the world's superpower. And so they're using the chaos that's been created on COVID-19 to supercharge those efforts. You've seen them become even more aggressive with their disinformation campaigns.

And the response by the administration? Look, they're attributing. Under the previous administration, I always had some disagreements about attribution.

You've been talking for a while about China engaging in a global disinformation campaign around the coronavirus and where it came from. What do you think should be the role of social media companies in mediating that kind of disinformation? How do you think they've done so far? What more can they do, and then is there a role for Congress to step in?

This is the reason this debate on disinformation is so hard, because of First Amendment responsibilities and rights. I'm a firm believer that you shouldn't have the federal government telling news entities what is truth or what is not. Each [platform] is making a decision on what is a political ad or what isn't a political ad. Those are debates for everybody.

But when it comes to speech, it's hard for me to say. There is some basic education that needs to be happening at all levels of our society to make us better consumers of information.

Your House Republican colleagues put out this expansive package of bills aimed at giving the U.S. a leg up in the tech race with China. The issue is that China has an advantage because its technological initiatives are backed by the government. What do you think Congress and the broader administration needs to prioritize right now to ensure that the U.S. has a real shot at winning this so-called race?

It is a race. The Chinese have made it very clear their goal is to become the world leader in 10 of the future technology spaces. It's artificial intelligence, it's quantum, it's machine learning, advanced optics, things like this. And they can move all their factors of production in one direction.

So, what should the U.S. do? If a U.S. company, or investor, can't do something in China, why are we allowing a Chinese company or an investor to do that here in the United States of America? If we treat Alibaba in the United States as an American company, but Amazon or Salesforce is not treated as a Chinese company in China, then why are we not allowing that reciprocity? I think it starts with that. There is legislation that passed the Senate that said if you can't follow U.S. accounting practices, guess what? You can't be listed on the U.S. exchanges.

I think a good example of this is what we should be doing around 5G specifically. The Chinese are ahead with Huawei because it's backed by the federal government. There's only three other providers that we all know: Samsung, Nokia and Ericsson. So how can we be working with our other allies to make sure that there's a true competitor against Huawei?

That's where we should be going, and we're not. It's all kind of haphazard. And the Chinese, you know, that's what happens when you have an authoritarian government. But I always say this: They may be able to get somewhere first, but American creativity, entrepreneurship, openness is always gonna win the day.

Are you frustrated that the Trump administration's approach on 5G and on creating a so-called Huawei competitor has been somewhat scattershot and complicated by internal fights?

You can't put 5G at his feet, because this 5G debate should have happened 20 years ago. We should have had the foresight back then. I've disagreed on some of the China policy, but the threat of China, I do agree with.

You can create a tax code that helps any American in the 5G space, in order to make sure we're being competitive. Then that's going to come into a debate about using our tax code for policy. So it's broader than just what the executive branch is doing. It's some of these debates that we're having in Congress as well.

I would say, best-case scenario, we're tied. More likely, they're more advanced. I've had senior cyber security officials from our European allies basically saying: Guys, y'all lost the battle on 5G. Y'all need to be thinking about 6G.

Let's talk about data privacy. It seems like for the last couple of years we've seen this shift toward embracing data privacy in Congress and the states with the passage of CCPA, and even some tech companies have been calling for federal privacy legislation. But now this crisis seems to be reversing a lot of that and sparking a new willingness to use technology and data to stop the spread of the virus. What role do you think is appropriate for tech companies and for data to play in contact tracing and in monitoring employees when they go back to the workplace?

Our public health system in the United States is actually a local system. What happens here in Bexar County or San Antonio is very different to what happens in Boston. And so, that tool that Google and Apple just came out with is going to be a tool that other people adopt. I think it starts with: My information needs to reside on my device, and I need to have the ability to share that information in a secure way with who I want to share that with, whether that's to get on a plane or not. We can achieve the use of data, and the protection of privacy at the same time. We need to stop acting like these are two things that are mutually exclusive.

There's a concern that if the federal government doesn't get behind it, digital contact tracing might not be as effective. What do you make of that?

Those debates fall on an ideological spectrum of, do you believe in local control or not? I think adoption will probably happen quicker if an enterprising head of the local health agency is able to adopt something. And then if someone shows it's working, other people can adopt it that way, rather than having this one-size-fits-all solution that comes down from someone at the Centers for Disease Control and Prevention.

Now, the CDC, even the National Institute of Standards and Technology, should be able to say: Hey, here are some of the things that a system should have. These are some of the privacy protections that you should be able to use and provide that framework. But when it comes to the implementation, I think cities and counties, all those entrepreneurial labs, should figure out how to best use it. And guess what? When somebody gets it right, it's gonna get adopted, and then we're gonna see something like that become a standard.

You are one of the tech minds in the House. I know that a few of your Republican colleagues, who like you are going to be leaving at the end of this year, have sort of been the standard-bearers for tech. How confident are you in your colleagues' ability to carry these issues forward once you're no longer there?

I appreciate the vote of confidence. But I will say this: Some people think we need to have a centralized entity on technology. No. Everybody should be involved in technology.

Robin Kelly, who is a Democrat from Illinois, and I are working with the Bipartisan Policy Center on a national strategy for artificial intelligence, and we've done a number of convenings, and we're going to be coming out with papers really soon on the things we've learned. We want to make sure every entity is focused and that technology is not a destination. It is a tool. Every oversight and regulatory agency should be focused on that. And so if you do that, and you force everybody to do it, it doesn't have to be centralized in a handful of people that may have a computer science degree.
