‘Begin with the assumption of breach’: Rep. Will Hurd on COVID-19 cyber threats

The Texas Republican talks tensions with China, the risks of remote work, and the coming tech brain drain on Capitol Hill.

U.S. Rep. Will Hurd, pictured here during the impeachment inquiry in 2019, says the federal government and the business sector can improve information-sharing on cyber threats: "Unfortunately, right now, when it comes to information-sharing, we still think like my old world in the intelligence community."

Photo: Samuel Corum — Pool/Getty Images

With millions of Americans working remotely from unsecured devices, China facing accusations that it is seeking to steal research on COVID-19 vaccines, and a presidential election just months away, the United States is facing an onslaught of cyber threats. In Congress, few lawmakers have as deep an understanding of those threats as Rep. Will Hurd, the Texas Republican.

Before taking office in 2015, Hurd spent several years as a CIA officer and several more as a private cybersecurity consultant. As a lawmaker, he's continually pressed for legislation to improve America's cyber defenses and modernize government technology. Now, as Hurd prepares to leave Congress at the end of 2020, his technical expertise is arguably more needed than ever.

Protocol spoke with Hurd about rising tensions between the U.S. and China, why businesses should "begin with the assumption of breach," and whether he's concerned about a brain drain of tech experts on Capitol Hill.

This interview has been edited and condensed for clarity. It was adapted from a virtual Protocol meetup with Hurd on May 21.

What new, urgent cybersecurity threats have been raised by this virus, and what is Congress doing to address them?

There's going to be another phase of support. And one of the things I think it should be used for is strengthening digital infrastructure and making sure we have the cybersecurity around it. We know right now that we're seeing advanced persistent threats going after hospitals and trying to learn about what's happening in some major cities. It's happening in my hometown of San Antonio. So, how do we make sure that we can provide federal dollars to allow these folks to work on that?

That's something I'm actually working on right now. It's basically a state and local modernization fund, where it would probably be one-time money, and if it's going to protect infrastructure, and it already has a federal connection, then you may be able to apply for this fund. When people talk infrastructure, it's no longer just bridges, roads … and dams, it's your computers and your telecommunications infrastructure as well.

That covers the government side of the equation, but what about all these companies whose entire workforce is working from home? What should they be doing to secure their internal infrastructure?

Begin with the assumption of breach. An attacker is going to be able to get in. And so the question is: How quickly can you detect? How quickly can you quarantine? And how quickly can you push people off?

Because of "bring your own device," you don't know what's on that endpoint. So you have to assume that endpoint is corrupted. Trust protocols from a technical perspective are something that businesses are going to have to think through. As an employee, I expect to be able to use my device, but then there's some company responsibilities that come with that.

The good thing is if you do the basics — patch your software, have a 14-character password, and don't click on something if you don't know who it's from — you protect yourself from 86% of the threats. But the other area where I think the federal government and the business sector can improve is information-sharing on cyber threats. Unfortunately, right now, when it comes to information-sharing, we still think like my old world in the intelligence community, and we don't appreciate how perishable cybersecurity information is or information on an attack may be.

One thing we heard from the federal government recently was that we're seeing cyber threats out of China related to COVID-19 vaccines. What can you tell us about those attacks and the administration's response?

This is based on the Chinese belief that there's going to be a first-mover advantage for whoever gets the vaccine first. And so, just like the Chinese for the last number of years, if not decades, have stolen information when it comes to our great technology companies, they're stealing it now, and they have been stealing IP when it comes to the pharmaceutical space as well. That's the end motivation: Getting to that vaccine first.

They're trying to erode trust between the United States and all of our allies in other parts of the world. Early on, they said that coronavirus started in the U.S. and started in Italy and that the U.S. can't respond. They're still lying about some of the responses that are happening in the United States, because the Chinese want to be seen as the ones that can help you after this. And right now the Chinese are concerned about their own population's view on how they handled the crisis internally, but they're also looking at this as an opportunity to supercharge their efforts to become the sole hegemon by 2049. 2049 is 100 years of communist rule in mainland China, and they have said that they want to become the world's superpower. And so they're using the chaos that's been created on COVID-19 to supercharge those efforts. You've seen them become even more aggressive with their disinformation campaigns.

And the response by the administration? Look, they're attributing. Under the previous administration, I always had some disagreements about attribution.

You've been talking for a while about China engaging in a global disinformation campaign around the coronavirus and where it came from. What do you think should be the role of social media companies in mediating that kind of disinformation? How do you think they've done so far? What more can they do, and then is there a role for Congress to step in?

This is the reason this debate on disinformation is so hard, because of First Amendment responsibilities and rights. I'm a firm believer that you shouldn't have the federal government telling news entities what is truth or what is not. Each [platform] is making a decision on what is a political ad or what isn't a political ad. Those are debates for everybody.

But when it comes to speech, it's hard for me to say. There is some basic education that needs to be happening at all levels of our society to make us better consumers of information.

Your House Republican colleagues put out this expansive package of bills aimed at giving the U.S. a leg up in the tech race with China. The issue is that China has an advantage because its technological initiatives are backed by the government. What do you think Congress and the broader administration needs to prioritize right now to ensure that the U.S. has a real shot at winning this so-called race?

It is a race. The Chinese have made it very clear their goal is to become the world leader in 10 of the future technology spaces. It's artificial intelligence, it's quantum, it's machine learning, advanced optics, things like this. And they can move all their factors of production in one direction.

So, what should the U.S. do? If a U.S. company, or investor, can't do something in China, why are we allowing a Chinese company or an investor to do that here in the United States of America? If we treat Alibaba in the United States as an American company, but Amazon or Salesforce is not treated as a Chinese company in China, then why are we not allowing that reciprocity? I think it starts with that. There is legislation that passed the Senate that said if you can't follow U.S. accounting practices, guess what? You can't be listed on the U.S. exchanges.

I think a good example of this is what we should be doing around 5G specifically. The Chinese are ahead with Huawei because it's backed by the federal government. There's only three other providers that we all know: Samsung, Nokia and Ericsson. So how can we be working with our other allies to make sure that there's a true competitor against Huawei?

That's where we should be going, and we're not. It's all kind of haphazard. And the Chinese, you know, that's what happens when you have an authoritarian government. But I always say this: They may be able to get somewhere first, but American creativity, entrepreneurship, openness is always gonna win the day.

Are you frustrated that the Trump administration's approach on 5G and on creating a so-called Huawei competitor has been somewhat scattershot and complicated by internal fights?

You can't put 5G at his feet, because this 5G debate should have happened 20 years ago. We should have had the foresight back then. I've disagreed on some of the China policy, but the threat of China, I do agree with.

You can create a tax code that helps any American in the 5G space, in order to make sure we're being competitive. Then that's going to come into a debate about using our tax code for policy. So it's broader than just what the executive branch is doing. It's some of these debates that we're having in Congress as well.

I would say, best-case scenario, we're tied. More likely, they're more advanced. I've had senior cyber security officials from our European allies basically saying: Guys, y'all lost the battle on 5G. Y'all need to be thinking about 6G.

Let's talk about data privacy. It seems like for the last couple of years we've seen this shift toward embracing data privacy in Congress and the states with the passage of CCPA, and even some tech companies have been calling for federal privacy legislation. But now this crisis seems to be reversing a lot of that and sparking a new willingness to use technology and data to stop the spread of the virus. What role do you think is appropriate for tech companies and for data to play in contact tracing and in monitoring employees when they go back to the workplace?

Our public health system in the United States is actually a local system. What happens here in Bexar County or San Antonio is very different to what happens in Boston. And so, that tool that Google and Apple just came out with is going to be a tool that other people adopt. I think it starts with: My information needs to reside on my device, and I need to have the ability to share that information in a secure way with who I want to share that with, whether that's to get on a plane or not. We can achieve the use of data, and the protection of privacy at the same time. We need to stop acting like these are two things that are mutually exclusive.

There's a concern that if the federal government doesn't get behind it, digital contact tracing might not be as effective. What do you make of that?

Those debates fall on an ideological spectrum of, do you believe in local control or not? I think adoption will probably happen quicker if an enterprising head of the local health agency is able to adopt something. And then if someone shows it's working, other people can adopt it that way, rather than having this one-size-fits-all solution that comes down from someone at the Centers for Disease Control and Prevention.

Now, the CDC, even the National Institute of Standards and Technology, should be able to say: Hey, here are some of the things that a system should have. These are some of the privacy protections that you should be able to use and provide that framework. But when it comes to the implementation, I think cities and counties, all those entrepreneurial labs, should figure out how to best use it. And guess what? When somebody gets it right, it's gonna get adopted, and then we're gonna see something like that become a standard.

You are one of the tech minds in the House. I know that a few of your Republican colleagues, who like you are going to be leaving at the end of this year, have sort of been the standard-bearers for tech. How confident are you in your colleagues' ability to carry these issues forward once you're no longer there?

I appreciate the vote of confidence. But I will say this: Some people think we need to have a centralized entity on technology. No. Everybody should be involved in technology.

Robin Kelly, who is a Democrat from Illinois, and I are working with the Bipartisan Policy Center on a national strategy for artificial intelligence, and we've done a number of convenings, and we're going to be coming out with papers really soon on the things we've learned. We want to make sure every entity is focused and that technology is not a destination. It is a tool. Every oversight and regulatory agency should be focused on that. And so if you do that, and you force everybody to do it, it doesn't have to be centralized in a handful of people that may have a computer science degree.
