The former spy who infiltrated Congress’s cyber policy debate
MARCH 5, 2015
He was an undercover CIA officer in Afghanistan and Pakistan. Then, after nine years as a spy, Will Hurd turned to defending against virtual attacks in the private sector. As a civilian, he helped build a tech firm that supported major financial services and manufacturing companies in defending their networks against hackers.
Now, Representative Hurd is in Washington, bringing tech expertise to policy issues on Capitol Hill. With key technical and security positions on House committees, Hurd says he'll attempt to bridge the gap between the intelligence community and the private sector on legislative issues.
Passcode recently spoke with Hurd about President Obama's cybersecurity plans and National Security Agency reform. Edited excerpts follow.
Passcode: What do you think about the White House’s proposal for information sharing between the private sector and the government?
Hurd: This is actually one of the few areas we [in Congress] can cooperate on. One of the most important things I think we need to make sure happens is liability protection for those that are sharing information. I’ve seen this on both sides. The federal government is great at saying, “Hey, share your information” but not very good at sending information back to them to help people protect themselves.
This recent Sony brouhaha is a perfect example. What did the federal government know in advance? What did it share with Sony? I don’t think anybody in the private sector is asking for the federal government to protect them but if there is a way we can give them information to help them protect themselves, that’s what we need to do.
Passcode: From the privacy side, are you worried about what happens to the information from the private sector once it’s shared with the government?
Hurd: That’s ultimately the concern people have. The private sector is protecting this information, and if you give it to the government, well, the government hasn’t shown that they’re very good at protecting some of this stuff. So if there’s going to be a breach of information it’s more likely going to happen on the government side than it is on the private side.
But this is a nuanced issue I think we can get to some kind of solution on. As companies collect more information, they are very good at saying, “If you’re going to sign up for something, here’s what you’re agreeing to.” Some of those same protections, some of those same issues, need to translate back to the government as well.
Passcode: Let’s say some information-sharing bill does pass. Actually implementing that would bring an inevitable organizational challenge. Are people on the Hill starting to think about this issue now?
Hurd: You don’t even have information that’s being shared within departments. Now you’re talking about [sharing information across agencies]. I’ve been at the pyramid of the information game and I know what’s out there. I know what’s not getting down to the people that need it. That’s an issue that needs to be addressed as well – sharing within a top secret or classified environment amongst agencies and then figuring out how to get information to businesses to protect themselves.
If you’re going to be passing classified information, do you have the tools to read that information? If you talk to any of my colleagues on the Hill and ask them, “What is an IIR?” – well, if you don’t know what an [Intelligence Information Report] is, you can’t talk about what is this information game.
Passcode: What else do members need to be paying more attention to?
Hurd: You’ve got to talk about the evolving threat we’re dealing with here. This is no longer Russian organized crime trying to steal credit card information. These are bad actors that are trying to cripple an entity in an organization. How do we defend against that kind of attack? What do you do once someone’s in?
If North Korea launches a missile into San Francisco, North Korea knows what our response is going to be. The American people know what our response is going to be. Now, a digital attack on a physical thing, like Stuxnet, we’re kind of figuring out what is the response. But what about a digital on digital attack? What is the response? Who’s going to respond? These are the questions that haven’t been answered.
Passcode: As someone who’s been in the intel world, where will you stand on reforming the National Security Agency’s surveillance practices?
Hurd: It’s ultimately a counterterrorism issue. Terrorists are trying to kill a lot of people and elicit counterterrorism responses in government that foments discord among the people.
So when you have a policy [of collecting phone and e-mail records in bulk] that [many people] believe is wrong, then we need to rethink that policy. For me to be able to go back to those hardworking men and women in the NSA, and say, “Guess what, guys? We’re going to take away some tools that y’all have been using because you know what? You can’t be in the position as a warfighter where the people you’re trying to protect are distrustful of you.”
Also, we’re not going to catch a terrorist with a computer alone. You’ve got to partner that with good on-the-ground intelligence. The folks at the NSA, the CIA, and the people protecting this country – they’re operating as if it’s September 12, . They’re hardworking, red-blooded Americans that love this country. We’re going to have to tell them, “You can solve the technical problem, but there is a political and constitutional problem we have to solve.”
Passcode: Sounds like you’ll have some interesting conversations with your friends in the intelligence world now that you’re in this job.
Hurd: It’s going to be odd – seeing some of my buddies, we went through The Farm [Camp Peary, the CIA training facility] together and things like that. Then to come back and be in a different position. I think they will be excited to have someone that kind of understands the community. I think they’re also going to be a little bit fearful as well. Because I know how the place works. So that’s always a double-edged sword.
Passcode: Now that you’re here, how does it feel to be the cybersecurity expert in the Congress?
Hurd: A lot of freshmen got elected because people said, “We want you to go up there and get things done.” I’m poised to be in that position. I have a computer science background. My joke to engineers is, “I could probably bang out some Fortran 77 code right now.” But understanding common ones and zeros, having done some offensive operations when I was in the CIA, having protected businesses in the private sector seeing the full spectrum of the threat – it’s exciting to be in this position where we can strengthen each one of those elements.
Passcode: Any specific proposals you’ll be pushing?
Hurd: We’re in the process of going through [proposals]. One of the words I’ve heard more in the last two weeks more than any other word is “jurisdictional.”
Passcode: You’re now chair of the Oversight and Government Reform subcommittee on IT. What’s the game plan for that?
Hurd: Understanding the Sony issue and how that happened and that threat because I think the Sony hack and attack is an example of how these [Advanced Persistent Threats] are changing – not just being sneaky and stealing this information, but actually ruining and breaking things. I think there are some opportunities in the healthcare industry with wireless health devices and the protection of those wireless networks surrounding that. And when you look at how much money the government is spending on IT, is it being used in the right way?