Former Rep. Will Hurd on ransomware, China, and the tech race the U.S. can’t afford to lose
As one of Congress’s leading experts on cybersecurity over the last six years, Will Hurd regularly introduced cyber legislation and grilled government leaders on their agency’s defensive posture.
But despite his efforts, Hurd, a Republican who until January served as the U.S. representative for Texas’s 23rd district, says the government still has a lot of ground to cover. Companies and critical infrastructure operators are struggling to protect themselves against Russia and the ransomware actors who operate within its borders, while China is racing to dominate the U.S. in space, artificial intelligence, and quantum computing.
“The future is scary, to be honest,” said Hurd, who worked as an undercover operative with the CIA before his political career. Hurd currently serves as managing director at the investment bank Allen & Company, and joined OpenAI’s board of directors last month. He’s also writing a book that is expected to come out next year.
Hurd spoke to The Record earlier this month about President Biden’s cybersecurity strategy, his unsuccessful efforts to create a Cyber National Guard, and China’s quest for dominance in the advanced technology space. The conversation below has been lightly edited for space and clarity.
The Record: I'm sure that your former colleagues in Congress right now are wishing that you were still there—they’ve had a lot on their hands between SolarWinds, Microsoft Exchange, Colonial Pipeline, and now JBS.
Will Hurd: We could have been prepared for all of these things, and it shows how far we have to go in order to make sure we're defending our digital infrastructure properly. We left a legacy for them to pick up on if they're willing to take it.
TR: These are just the latest in a series of big cyberattacks that have stretched back years, if not decades. Why do you think we’re still not prepared for them?
WH: First off, it’s hard. Defending digital infrastructure is difficult. And guess what—it's only going to get worse. It starts getting worse when you have artificial intelligence mixed into cyberattacks, and when it gets fuzed with quantum computing. We are at a Y2K point, because quantum is going to be able to break encryption as we know it. And we rely on encryption right now for so much and at all levels of society. So the future is scary, to be honest.
We also have to ask ourselves are we seeing a changing focus and goal of the attackers? We know folks are going in and trying to steal money. You can make a lot of money with ransomware—it is a billion-dollar industry. And these are not the nation states… this is not the A-Team launching these attacks. SolarWinds was sophisticated—that was the A-Team. But when you look at the Colonial Pipeline and JBS attacks, you have to wonder if this could be used in the future ultimately as a misdirection. Could Russia or China attack our food, water, or power in order to tie us up and prevent us from responding if Russia does something like invades further into Ukraine or if China actually goes and invades Taiwan. We have to look at the potential for how these attacks can be used. If a fairly sophisticated actor can cause this much damage, what would a super sophisticated adversary be able to do?
In the last year, we’ve seen reports of China turning off the lights in Mumbai in response to a border skirmish with the Indian government. We’ve seen attackers try to poison water supplies in Florida. We’ve seen an attack on a pipeline that feeds 40% of the energy needs on the East Coast, we’ve seen our largest meat processor getting hit, we’ve seen a report that a woman died because of an attack that disrupted a hospital. All of this has happened in a short period of time.
"If a fairly sophisticated actor can cause this much damage, what would a super sophisticated adversary be able to do?"
— Former Rep. Will Hurd (R., Texas)
But to echo your original question—why did President Biden have to issue another executive order for the federal government to do the basics? After all, President Obama had to issue an executive order for the federal government to get its act together, President Trump had to issue an executive order. We should have transitioned to the cloud, we should already be doing zero trust, we should have multi-factor authentication. Now these agencies need to make sure they’re doing all these things in order to protect themselves.
TR: Do you think we’re going to be having the same conversation with the next White House administration?
WH: Unfortunately, I think we are. Here's one of the things I learned in my six years in Congress: When Congress uses its oversight function, when it shines a light on the activities and behavior of the executive branch, you see changes. When I was on the Appropriations Committee and I had the head of an agency in front of our committee, my questions were always on cybersecurity. Nobody ever brings up cybersecurity in appropriations hearings with people like the Secretary of Housing and Urban Development. Congress has to make sure these things are happening.
One of my favorite entities in the federal government is the GAO—the Government Accountability Office—they do something every year where they highlight all these high-risk problems. And guess what, it’s not getting fixed. When the Office of Personnel Management got breached in 2014, they knew of the vulnerabilities but they didn’t patch. We’ve got to be able to do the basics—if we can do that, we’re going to defend ourselves against, let’s say, 85% of potential attacks.
TR: How do you rate President Biden’s approach to cybersecurity so far?
WH: He’s doing all the things that need to be done from a technical perspective. He’s put some pipefitters in—Chris Inglis, Anne Neuberger, Rob Joyce at the NSA, Lisa Monaco at the Department of Justice. These are all people that understand this issue and are real practitioners. The next step that needs to happen is that every administration needs to build upon the previous administration’s work, so we have to make sure that the funding is there to improve our infrastructure. The military has a phrase that technical fitness leads to combat effectiveness. If your tanks and planes and weapons don’t work the way they’re supposed to, you’re not going to be effective on the battlefield. That’s the same concept when it comes to digital infrastructure. Do all the agencies have a culture of modernization when it comes to cybersecurity? That culture can only change at the top. And Congress has a role to play as well, too. Joe Biden can put in an executive order about breach notifications within the federal government from subcontractors, but how come Congress hasn’t passed a breach notification across the country? How come we haven’t addressed privacy concerns? Executive orders can only go so far.
Congress needs to get their act together and start looking to the future. Robin Kelly (D., IL) and I did a bill on IoT, for example—basic security measures. Depending on who you talk to, we’re soon going to have anywhere between 50 billion and 125 billion connected devices in this world. That’s a whole lot of devices. Everybody agrees we should have some basic security measures in place. But it took three years to pass. That kind of stuff can’t happen, because in three years a lot changes.
TR: Policymakers have seemed to be paying a lot of attention to cybersecurity, especially after SolarWinds. There have been regular hearings and calls for bipartisan action. Do you think anything has changed? And what do you think their key priorities need to be?
WH: Even during my time in Congress, there were two bipartisan or maybe even nonpartisan issues: the importance of cybersecurity, and the threat of the Chinese government to our way of life. And while those two things are separate, there’s a Venn diagram and some overlap in the middle because China is probably the most sophisticated adversary we have when it comes to their capabilities in cyberspace.
So that’s always been there. The next step Congress has to take is figuring out what we have to do. One way the federal government can play a role is improving the operational collaboration with the private sector. The former head of the NSA Keith Alexander always said the private sector believing they can secure digital infrastructure by themselves is the equivalent of the French believing the Maginot Line is going to protect them from the Germans. Operational collaboration usually starts with information sharing. And we don’t need to recreate what’s already out there—a lot of companies have a good idea of where the next attacks are going to come from, and those assumptions should be turned into intelligence collection priorities.
"The military has a phrase that technical fitness leads to combat effectiveness. If your tanks and planes and weapons don’t work the way they’re supposed to, you’re not going to be effective on the battlefield. That’s the same concept when it comes to digital infrastructure."
— Will Hurd
A second point—and this is one of the things I tried when I was in Congress, and I was unsuccessful—is a Cyber National Guard. How do we improve the back-and-forth between cyber practitioners within the federal government and the private sector? You can start by giving kids scholarships that require them to work in the government for a few years after they graduate. You’re not going to be in the NSA or the Department of Defense, but in something like the Department of Commerce. And if you leave the government to work in the private sector, you’re going to commit to 30 or 40 days a year helping and protecting the government. This would improve the cross-pollination of concepts and ideas within the public and private sectors. I was unable to get this done because of security clearances—we don’t need to get into the details, but these are the kinds of things we need to be thinking about.
We don’t have the workforce necessary to properly protect ourselves. We have to build a workforce for the future, not yesterday. And we know there’s probably about half a million cybersecurity positions in the federal government and in the private sector that are unfilled right now. And they’re great jobs—some of the starting salaries for these jobs in Texas are $90,000. We need more kids learning these skills.
TR: There are obviously many agencies that have responsibility for cybersecurity, but a lot of lawmakers have recommended that CISA take on an elevated role—some have used the term “quarterback.” How do you think the agency is doing so far, and what direction do you think they should be going in?
WH: I’m proud to have helped Chairman Mike McCaul (R., TX) create CISA a number of years ago. And there was some debate about whether they should even have a role, and when you look now, it's important. There's a clear delineation of who's responsible for what. NSA is responsible for defending the intelligence communities and the Department of Defense. Cyber Command is supposed to be offensive. And then every agency is supposed to defend themselves—that's why they have CIOs and CISOs. And CISA is supposed to play a supporting function in the dot-gov space, which is all the government outside of military and intelligence. CISA is supposed to be the belly button for coordination between the public and the private sector. And when I say private sector, I'm really talking about industries that are considered critical infrastructure: financial, utilities, voting systems, things like that.
But CISA is not the CISO for the country. They don't have the resources, they don't have the technical expertise in order to do that. When you think about who JBS or Colonial Pipeline are going to go to, they first call the FBI, because they’re going to respond. Sometimes the Secret Service has responsibility. But CISA can help companies better defend themselves, and that starts with getting the basics right. My understanding of Colonial Pipeline is that the attackers didn’t use a zero day to get into their systems. I don’t think that was the case with JBS either. You have to have the basics right, and you have to back up your information so in the event something like this does happen you don’t have to pay the ransom.
TR: How do you rate the ransomware threat right now? Do you have any hope that it’s going to get better?
WH: Can it get better? Absolutely. Because ransomware is taking advantage of known vulnerabilities in your systems. When I was in the cybersecurity business, it was shocking to me how easy it was to break through an organization’s defenses. We would get in within 15 minutes. There’s this notion that you’ve got to be testing that you’re doing the things that you think you’re doing. If you’re doing the basics, you’re going to be protected against ransomware. The hardest thing for an enterprise to do is to ensure their employees don’t click on things they shouldn’t be clicking on in their email.
Why are we seeing an increase in ransomware? It’s because they realize there are a lot of folks out there that we can take advantage of and that are willing to pay our demands. If you attack an industry that has a critical function, they’re going to pay even faster. We should be seeing a decrease in ransomware attacks, but the rise shows how porous a lot of industries are.
TR: How much of the ransomware problem can be pinned on Russia?
WH: I would say it’s like a supermajority. The way I look at Russia and China is that the Chinese are probably more technically sophisticated, but the Russians have the willingness to use the tools. They have a willingness to deal with the consequences. There’s a connection between the criminal organizations and the GRU and SVR. These are tools and tactics that they’ve used in Europe for a number of years now, and now we’re seeing them being turned on us.
Part of what's difficult when you talk about cybercrime and digital war is what is the appropriate response. We know in physical war—if Kim Jong-un launched a missile into San Francisco, we know how we would respond, they know how we would respond. But with the theft of intelligence, the appropriate response is not necessarily the theft of their intelligence. You want to prevent it from happening in the first place, and that’s why we need the Russians to agree to international rules that cybercrime shouldn’t be allowed and needs to be prosecuted within your borders. That’s how you start cracking down on this—the State Department has a role to play in this and making sure every country has rules, regulations, and the willingness to cooperate with the targets of these attacks.
"When it comes to quantum and AI, there is no second place... This is something that we have to be prepared for, but most people don’t understand it and don’t know the threat."
— Will Hurd
TR: Earlier you brought up quantum computers and how it might affect encryption, which is a fascinating subject. Is that something you’re focused on right now?
WH: That’s something I’ve been focused on for a long time, dating back to when I had a quantum company visit me when I was in Congress and it blew my mind. One of the things that we have to realize is that the Chinese government has been very clear that they are trying to surpass the U.S. as the global leader in advanced technology—space, 5G, artificial intelligence, quantum computing, all of these things. We know the Chinese and the Russians are sucking up as much intelligence as they can possibly find. Imagine if you knew that at some point in the future somebody would be able to read all your emails, see all your financial transactions, all those kinds of things, what would that mean? We have to be prepared for that. When it comes to quantum and AI, there is no second place. The first mover advantage is so significant. This is something that we have to be prepared for, but most people don’t understand it and don’t know the threat.
One of the things that I’ve learned from being connected to the national security community for 21 years now is that when there’s an assessment that X is going to happen in Y years, it’s usually Y divided by two. We need to be careful.
TR: What role do you think the government should play in this field?
WH: If there are projects funded by the federal government, the results need to be available for the U.S. and allies. The openness of that research is important in order to drive innovation. We also need to ensure that startups and researchers are able to take advantage of the compute power—we need to make sure not one cycle is going to waste. But this is not just an American issue, we need to cooperate with our allies. We’re not going to have as much data as China, because they don’t care about civil liberties. So we have to make sure our algorithms are able to operate with less data. We also have to be prepared in space. Space is a contested domain now. Most people don’t realize how important space is to terrestrial communications and to how we operate on a daily basis.
TR: We’ve talked a lot about China and Russia—which country are you most concerned with right now when it comes to cybersecurity?
WH: Long-term, it's China. They are more sophisticated, they have more resources, they are going to potentially lead us—they are a peer, not a near peer. If you go back to the time of the Korean War, Douglas MacArthur was fired because he almost promoted a war that would have required the Chinese to get involved. Our analysis was that we would have a difficult time if the Chinese got involved. That was 70 years ago! They are a peer.
Now Russia is a bully that’s using these tactics now, so we have to address them. But if we’re worried about quantum and the ability to break all of our encryption, it’s likely to come from the Chinese. Russia is trying to reestablish the territorial integrity of the USSR, but China is trying to surpass the U.S. as the global hegemon. That’s not my opinion—that’s what the Chinese have written and said themselves. They’ve been focused on this for a long time.
Adam Janofsky
is the founding editor-in-chief of The Record from Recorded Future News. He previously was the cybersecurity and privacy reporter for Protocol, and prior to that covered cybersecurity, AI, and other emerging technology for The Wall Street Journal.