The former spy who infiltrated Congress’s cyber policy debate
He was an undercover CIA officer in Afghanistan and Pakistan. Then, after nine years as a spy, Will Hurd turned to defending against virtual attacks in the private sector. As a civilian, he helped build a tech firm that supported major financial services and manufacturing companies to defend their networks against hackers.
Now, Representative Hurd is in Washington, bringing tech expertise to policy issues on Capitol Hill. With key technical and security positions on House committees, Hurd says he'll attempt to bridge the gap between the intelligence community and the private sector on legislative issues.
Passcode recently spoke with Hurd about President Obama's cybersecurity plans and National Security Agency reform. Edited excerpts follow.
Passcode: What do you think about the White House’s proposal for information sharing between the private sector and the government?
Hurd: This is actually one of the few areas we [in Congress] can cooperate on. One of the most important things I think we need to make sure happens is liability protection for those that are sharing information. I’ve seen this on both sides. The federal government is great at saying, “Hey, share your information” but not very good at sending information back to them to help people protect themselves.
This recent Sony brouhaha is a perfect example. What did the federal government know in advance? What did it share with Sony? I don’t think anybody in the private sector is asking for the federal government to protect them but if there is a way we can give them information to help them protect themselves, that’s what we need to do.
Passcode: From the privacy side, are you worried about what happens to the information from the private sector once it’s shared with the government?
Hurd: That’s ultimately the concern people have. The private sector is protecting this information, and if you give it to the government, well, the government hasn’t shown that they’re very good at protecting some of this stuff. So if there’s going to be a breach of information it’s more likely going to happen on the government side than it is on the private side.
But this is a nuanced issue I think we can get to some kind of solution on. As companies collect more information, they are very good at saying, “If you’re going to sign up for something, here’s what you’re agreeing to.” Some of those same protections, some of those same issues, need to translate back to the government as well.
Passcode: Let’s say some information-sharing bill does pass. Actually implementing that would bring an inevitable organizational challenge. Are people on the Hill starting to think about this issue now?
Hurd: You don’t even have information that’s being shared within departments. Now you’re talking about [sharing information across agencies]. I’ve been at the pyramid of the information game and I know what’s out there. I know what’s not getting down to the people that need it. That’s an issue that needs to be addressed as well – sharing within a top secret or classified environment amongst agencies and then figuring out how to get information to businesses to protect themselves.
If you’re going to be passing classified information, do you have the tools to read that information? If you talk to any of my colleagues on the Hill and ask them, “What is an IIR?” – well, if you don’t know what an [Intelligence Information Report] is, you can’t talk about what is this information game.
Passcode: What else do members need to be paying more attention to?
Hurd: You’ve got to talk about the evolving threat we’re dealing with here. This is no longer Russian organized crime trying to steal credit card information. These are bad actors that are trying to cripple an entity in an organization. How do we defend against that kind of attack? What do you do once someone’s in?
If North Korea launches a missile into San Francisco, North Korea knows what our response is going to be. The American people know what our response is going to be. Now, a digital attack on a physical thing, like Stuxnet, we’re kind of figuring out what is the response. But what about a digital on digital attack? What is the response? Who’s going to respond? These are the questions that haven’t been answered.
Passcode: As someone who’s been in the intel world, where will you stand on reforming the National Security Agency’s surveillance practices?
Hurd: It’s ultimately a counterterrorism issue. Terrorists are trying to kill a lot of people and elicit counterterrorism responses in government that foments discord among the people.
So when you have a policy [of collecting phone and e-mail records in bulk] that [many people] believe is wrong, then we need to rethink that policy. For me to be able to go back to those hardworking men and women in the NSA, and say, “Guess what, guys? We’re going to take away some tools that y’all have been using because you know what? You can’t be in the position as a warfighter where the people you’re trying to protect are distrustful of you.”
Also, we’re not going to catch a terrorist with a computer alone. You’ve got to partner that with good on-the-ground intelligence. The folks at the NSA, the CIA, and the people protecting this country – they’re operating as if it’s September 12, [2001]. They’re hardworking, red-blooded Americans that love this country. We’re going to have to tell them, “You can solve the technical problem, but there is a political and constitutional problem we have to solve.”
Passcode: Sounds like you’ll have some interesting conversations with your friends in the intelligence world now that you’re in this job.
Hurd: It’s going to be odd – seeing some of my buddies, we went through The Farm [Camp Peary, the CIA training facility] together and things like that. Then to come back and be in a different position. I think they will be excited to have someone that kind of understands the community. I think they’re also going to be a little bit fearful as well. Because I know how the place works. So that’s always a double-edged sword.
Passcode: Now that you’re here, how does it feel to be the cybersecurity expert in the Congress?
Hurd: A lot of freshmen got elected because people said, “We want you to go up there and get things done.” I’m poised to be in that position. I have a computer science background. My joke to engineers is, “I could probably bang out some Fortran 77 code right now.” But understanding common ones and zeros, having done some offensive operations when I was in the CIA, having protected businesses in the private sector seeing the full spectrum of the threat – it’s exciting to be in this position where we can strengthen each one of those elements.
Passcode: Any specific proposals you’ll be pushing?
Hurd: We’re in the process of going through [proposals]. One of the words I’ve heard more in the last two weeks more than any other word is “jurisdictional.”
Passcode: You’re now chair of the Oversight and Government Reform subcommittee on IT. What’s the game plan for that?
Hurd: Understanding the Sony issue and how that happened and that threat because I think the Sony hack and attack is an example of how these [Advanced Persistent Threats] are changing – not just being sneaky and stealing this information, but actually ruining and breaking things. I think there are some opportunities in the healthcare industry with wireless health devices and the protection of those wireless networks surrounding that. And when you look at how much money the government is spending on IT, is it being used in the right way?