Hurd on the Hill

Will Hurd's freshman year in Congress has been action-packed. The Texas Republican was charged with leadership of the Information Technology Subcommittee of the House Oversight and Government Reform panel – a post he almost turned down. But between the hack and theft of confidential federal employee information from the Office of Personnel Management, the ongoing debate over commercial encryption and the implementation of new federal IT acquisition law, Hurd's panel has been busy.

Hurd has a tech background – somewhat unusual for a member of Congress. He was a computer science major at Texas A&M University and before his election to Congress worked as an adviser to cybersecurity firm FusionX. Even more intriguing, Hurd had a career as an undercover officer for the CIA, working in South Asia and the Middle East. He has bragged in public appearances about his cyber exploits on behalf of the clandestine service, but not surprisingly has offered few details. In a stump speech for a tech savvy audience at the SXSW conference in March, Hurd joked that he's in the "upper bottom third of people that understand technology, but in Washington I'm in the top 1 percent." His expertise gives him an edge when it comes to delving into the details of government IT management and mishaps.

"I like getting down in the weeds. This is the only way we're going to solve some of these problems," Hurd told FCW in an interview in his office.

Some of his early focus has been on the OPM hack. He thinks that other agency heads may have learned a powerful lesson from the grilling OPM Director Katherine Archuleta took from the full Oversight Committee in the wake of the breach.

"Getting Archuleta fired, she stepped down, but in essence, she was fired, was a big deal to show that protecting your digital infrastructure is important. I think that shows to a lot of other agency heads, the importance of focusing on cybersecurity," Hurd said.

Hurd is critical of what he sees as both poor manners and bad management on the part of the administration when it comes to its handling of the OPM breach.

"Not once did anybody say, 'I'm sorry -- my bad,'" Hurd told FCW. He takes the episode personally as a former fed with a classified personnel file. "But then, how we don't follow the basic tenets of good cyber hygiene – that's just shocking to me. Especially when, in OPM's case, you have over five years' worth of inspector general reports and [Government Accountability Office] reports that said, your digital infrastructure is deficient," he said.

Despite his anger about the breach, Hurd doesn't trade in vitriol and hyperbole. Whether in an interview or in the hearing room, he maintains a cool, composed demeanor. As a committee chairman he reserves his time for the end of a hearing – an unusual practice – and typically asks probing questions covering nuances and details that other members didn't broach.

His approach has won him plaudits from the other side of the aisle.

Rep. Ted Lieu (D-Calif.), who sits on the IT Subcommittee, told FCW that "even if we come at a problem from different angles, Mr. Hurd has been willing to focus on finding common ground," Lieu said in an email. "Will and I are two of only four 'recovering' computer science majors in Congress.  Having a fellow programmer on the Oversight Committee is important as we work together on critical issues such as backdoor encryption, privacy and cybersecurity."

The ranking member on the subcommittee, Rep. Robyn Kelly (D-Ill.) told FCW that "Chairman Hurd and I have worked to foster an atmosphere of cooperation on the subcommittee in an effort to create bipartisan solutions to combating cyber vulnerabilities."

Cyber legislation

Hurd has also been busy on the legislative front. He introduced the DHS IT Duplication Reduction Act of 2015, designed to put the notoriously fragmented Homeland Security Department on a path to eliminate overlapping IT procurements. That bill was signed into law. He also offered a key amendment to the National Cybersecurity Protection Advancement Act of 2015 that codified the use of the DHS Einstein network defense system. That bill was passed by the House with Hurd's amendment, and awaits action in the Senate.

Hurd is a strong supporter of the pair of cyber bills that came out of the House this session, and is watching the Senate's action closely. The Senate will soon take up legislation to codify information sharing about cybersecurity threat indicators between the government and industry. However, the Senate bill in its present form reserves a role for the National Security Agency in collecting threat information, whereas the House bills would give that job to DHS, a civilian agency. It's a distinction that's important to Hurd.

"We've got to protect our civil liberties. I think NSA's involvement in certain activities shouldn't happen. I think the hope is we get this [cybersecurity package] to a conference committee, and we'll be able to make sure that the privacy concerns and civil liberty concerns are taken care of," Hurd said. "Those are definitely some red lines in the House."

Rules of engagement

Hurd is concerned that the response to cyber breaches like the OPM hack, commonly attributed to China's intelligence services, isn't focused on deterrence or accountability.

"I think theft of 23 million records on sensitive government employees, that is a problem and there should be an appropriate response. Manipulating financial markets -- there should be a response," Hurd said. He wants more conversation about what constitutes a "digital act of war," and more of a sense of what the government is going to do when it is attacked. The lack of consensus, he suggested, is leading to drift.

"The key in deterrence is that the people doing the action know what the response is," Hurd said. "We should have red lines, and I'm not as confident that this administration is going to uphold red lines, but one of the problems in our deterrence of cyberattacks is that we don't have a commonly accepted, 'If X happens, then, Y is the response.'"

Making FITARA work

Hurd is also leading efforts to oversee implementation of the Federal IT Acquisition Reform Act, enacted late last year. While Hurd wasn’t in Congress when the legislation was drafted, he strongly supports its goals of streamlining CIO authorities and improving acquisition practices.

Going forward, Hurd plans to push back against agencies seeking special carve outs from FITARA, especially when it comes to expanded CIO authorities.

"There's a lot of agencies that are looking to do exemptions, and I think [Federal CIO Tony Scott] has pushed back on a lot of that," Hurd said. "Where we see anybody looking for an exemption, we're absolutely going to be doing a hearing on that, to ask them why. Why do you think that you need different criteria? That's the important role of the oversight function."