Rep. Will Hurd on Cyber-security & Civil LibertiesBy Samuel Greengard | Posted 2015-02-13 Email Print
The congressman, who heads the new House Information Technology Subcommittee, talks about cyber-security and how business and government can protect themselves.
In an era when most political leaders struggle to understand information technology, Rep. Will Hurd, a freshman Republican representing the 23rd Congressional District in San Antonio hopes to drive change in government and business. Hurd formerly served as a senior advisor at cyber-security firm FusionX, and, before that, he worked as an undercover officer at the Central Intelligence Agency (CIA) for nine years, where he focused on counterterrorism and cyber-security in Afghanistan, Pakistan and India. Hurd is the first black Republican elected to Congress in Texas, and he already heads a newly formed House Information Technology Subcommittee. Baseline caught up with Hurd and asked for his thoughts on the current state of cyber-security.
Baseline: What are your thoughts about today's business environment and the growing challenge of cyber-security, cyber-warfare and hacking?
Will Hurd: One of the biggest issues that we need to deal with, both in government and in business, is the evolving nature of threats. It's no longer just Russian organized crime trying to capture your credit card information. There are now extremely sophisticated people attempting to do major damage.
If you're only trying to steal information, you're going to try to be quiet and sneaky about it. You want to be able to replicate the activity. But, if you are looking to inflict damage, you're likely to come through the front gates at full bore. That's a totally different nature of threat, and it requires a different defense.
Baseline: How does it change the stakes? What do business and IT leaders need to be thinking about?
Hurd: It's almost impossible to keep people out. You really have to start with a presumption of breach. So, the question becomes: "How quickly can you detect someone getting in your system? Can you cordon them off and trap them, and then can you determine what they have done up to the point of identification?"
It's definitely possible to protect systems and data. I have seen businesses and government agencies that do it well. But it requires a higher level of vigilance. It requires an understanding of the evolving nature of attackers so you can constantly defend against them. Today, it's move-countermove. And as attackers evolve their tactics, techniques and procedures, defenders must do the same thing.
Baseline: What are your suggestions for enterprise leaders?
Hurd: It starts with looking at your enterprise and figuring out what is the most important and sensitive information. It's crucial to know what needs to be protected and what level of protection is necessary. It's also important to focus on authentication and strong passwords. The number of IT professionals who do not follow basic requirements is huge, and the irony is that they know better.
Another important area is BYOD and the nodes of your network that are outside your control. It's important to have the right technology controls in place, but [you also need] the right processes and an educational component. You're only as protected as the one person that clicks a spear-phishing link in an email.
Baseline: What are your thoughts about cyber-spying and utilities finding malware in their systems?
Hurd: If North Korea were to launch a missile at San Francisco, we would know exactly what the response would be. We have clear rules of engagement. But we do not have clear rules of engagement for a pure digital-on-digital attack. Knowing the rules of engagement deters some of this undesirable behavior.
We need to work through this issue. I'm looking forward to being involved in the discussion and helping drive policy.
Baseline: Is it possible to protect the nation while also protecting civil liberties?
Hurd: This is something that we have to continually be thoughtful about, but I believe that we can protect our country and protect our civil liberties at the same time. In some respects, people feel safer now than a few years ago, so there is perhaps more questioning of policies.
But, while we want to keep our citizens safe, we also want to make sure that we don't do things to erode the liberties that make our country great. A goal of terrorists is to instill fear and disrupt our civil liberties and our way of life.
Baseline: Any final thoughts for business and IT leaders?
Hurd: It starts with a mindset: the C-suite needs to be more engaged and take a more active role. There must be a greater understanding of digital infrastructure and what types of data and information need to be protected.
In addition, you have to be prepared for what happens when someone gets in. It's critical to have your network examined on a frequent basis by a qualified third party. They are able to take a different perspective.
Finally, if you are using third-party systems—including cloud services—you really have to understand where the data goes, where it is stored and how it's being managed. The environment is changing very rapidly. While it's an exciting time with unparalleled opportunities, the focus must be on protecting the ones and zeros.