What Was This Texas Congressman Doing at the Hacking Conference Def Con?

Among the almost 20,000 people who went to this years' Def Con—perhaps the world's premiere hacking conference—were hackers, cybersecurity professionals, lawyers, activists, and also an unexpected guest: the former CIA agent turned Republican Congressman Will Hurd.

You don't see many politicians at Def Con. In fact, Hurd might very well be the first one who's ever took the trip to the desert in Las Vegas for the conference just to attend. But in reality, it makes sense for Hurd to go to Def Con.

Before being elected as the representative of Texas' 23rd congressional district, Hurd was a partner at the small cybersecurity firm FusionX, and he graduated in computer science from A&M.

When he took office earlier this year, he brought his technical background to his new job. He organized the first congressional hearing on encryption, and what the FBI calls as the "going dark" issue, an hypothetical scenario where unbreakable encryption is so pervasive that agents don't have access to relevant data during investigations.

Thanks Matt DevostAugust 8, 2015

I was introduced to Hurd during a party on Friday, and I sat down with him on Sunday to ask him why exactly, he came to Def Con to mingle with hackers.

What follows is a lightly edited (for clarity and brevity) version of our conversation.

MOTHERBOARD: So, what brought you to Def Con?

Rep. Will Hurd: There's so many people here that are involved in this space, so for me it was a good opportunity to have some side conversations with folks who are leaders in the industry, in cybersecurity and privacy.

So it's been very helpful to get the talent in one room, to have conversations about what role my subcommittee [Hurd is the Chairman of the House Oversight Subcommittee on Information Scurity] should have, and what it should be doing in this space.

[And] it's been great. One, just to see this, to understand the scale, is important. I have walked away with some new ideas on areas where we can be focusing.

Did you know about Def Con? Or did someone invite you to come?

I've known about it, I've known about it for a long time. And Matt Devost, the CEO of FusionX who I worked with, I think he's on the board [of Def Con], so it made sense. I had a couple of days free to get out here, I was flexible, so I was like "let's do this."

Did you take any precautions not to get hacked during your time at the conference?

[Laughs] Of course, of course, of course! I haven't used an ATM anywhere within 10 miles of this place. It's been funny how some of the support staff and the folks in the service industry here have been told to disable your WiFi and bluetooth.

The word is out, nobody wants to be on the Wall of Sheep.

Did somebody tell you to be careful? Did someone warn you?

Oh no, I knew. Having spent time doing work in this industry, you've heard all the stories.

What new ideas did you get from being here?

The idea of research in the cybersecurity space and how that is important. I've also realized that a lot of the battles we're dealing with, encryption and things like that, these aren't new battles, these are things that we've already gone through before. That's helpful for dealing with that battle now.

Let's talk about one of those new, old battles, the one on encryption. In all these months working on it, have you been able to figure out exactly what the FBI wants?

No, I haven't, I haven't. And that's what's frustrating. Comey himself recently has said is not asking for legislation, which is a good thing because he probably wouldn't get it.

If the point is to have a broader conversation, on law enforcement in a changing world, that's a valuable conversation to have. But let's go into it with the assumption that we need to do absolutely everything to protect our civil liberties. They're what makes our country so great, and let's always, always, ensure that anything we do protects those.

Has the FBI showed you any evidence that they really have a problem with encryption?

I haven't been briefed on anything that I think warrants a great level of concern.

I'm sure there's a lot more conversation that I could be having with my former colleagues. The FBI is a very important element of our national security apparatus. I was at CIA when 9/11 happened. And the reason we haven't had another terrorist attack in this country is the hardworking men and women in the military and our intelligence. It's an honor to have served side by side with a lot of them and that's why to me it's very important that we get this right, because they're an important piece.

But I haven't been briefed or seen any use cases of this "going dark" problem.

So, what's the solution?

You can't have a solution if you don't know what the problem is. Nobody who has any technical level or expertise thinks that backdoors in encryption is technically feasible, let alone could make sense—and this is not a partisan issue either.

What did you learn about the hacker community's view of the encryption debate?

It's pretty much unanimous. You can't build a backdoor in encryption, it's that simple. You can't build a front door or side door either, because if you give a key to the good guys, then the bad guys can go after it. That's pretty unanimous thinking in a space like this.

So let's stop talking about that. Let's start talking about how we can be doing things to protect our digital infrastructure even better.

The FBI doesn't have the same position, though.

They don't agree, but that's why we're gonna keep having this conversation, and we're going to keep talking to them and say, listen, encryption is not new. And I've asked and nobody from the Bureau has ever given me a real use case where encryption prevented them from moving forward on a case, where the case went actually dark.

Until that happens we're going to continue making sure that trying to have a useful conversation with the Bureau.

The real issue here is attribution, that's what they're trying to do. If there's ways that we can help so the FBI can do attribution better, then let's do it.

What do you mean by attribution?

If I'm a special agent and I'm chasing a bad guy and they're saying if we have the legal document to get access to their data and because it's encrypted they can't see the plaintext. The issue is not what's in the plaintext, the issue is who is that person that they're trying to investigate, who is doing bad. That's a much easier problem to solve than just getting access to plaintext information.

What's the most surprising thing you've seen here?

I was not expecting the whole Capture The Flag [a traditional Def Con game where teams of hackers compete against each other to hack and defend networks]. The intensity, the professionalism, was pretty amazing.

One of the things I've learned this weekend is that there's a very simple solutions to protecting all the US government's nameservers. Because the way certain procurement rules are written, they have to be in the United States. So guess what, all of our resources are in one place when for reliability, we should have them spread out. We have military bases all over the world, there's a way we can do a better job of protecting our digital infrastructure that way.

That was a very simple simple thing that someone brought to my attention, that made me go like "that makes sense!"

Did you go to any of the talks? What was your favorite hack?

I've poked my head into a couple of them, and it's a level of technical that is a little bit beyond me sometimes.

How was your experience with the attendees of the conference? Did you find that hackers were adversarial or friendly?

Everybody has really been fantastic and open, and warm, and willing to share their experience. Everybody has been frank and I think for the most part the advice that I've gotten has been helpful.

I've had more people reference CSPAN and the hearing we've done on privacy that anything else we've done to date. So it's interesting to know that folks in the industry and the experts have been following some of the stuff I've been working on in Congress, which is great.

So the community, while skeptical of governments in general, does pay attention.

Of course and they have to. And for me, look, I don't want to recreate the wheel, there's a lot smarter people out there than I, who are working on this issue, so for me it's like, let's use that to have legislation and laws that make sense.

At the same time, many people think information sharing is not the right answer. Take the OPM hack, for example. The main issue there wasn't a lack of sharing data, it was OPM's security failures.

Absolutely. Everybody needs to follow best practices, and not everybody is doing that.

The OPM example is a wake up call for every agency head and every CIO of agencies to pull out your IG reports, pull out the GAO high risk reports and start dealing with those critical vulnerabilities immediately.

Because guess what, you're going to be pulled in front of of the IT Oversight Subcommittee and be asked all those questions. So I think we in Congress gotta be focused on the oversight function even more because some of these agencies have five or six years' worth of IG reports warning them that their digital infrastructure is not secure.

FTC fines people millions of dollar and putting people on a 20 years consent decree, alright? And then the federal government is not doing the things it should be.

Speaking of that, what do you think of the US government's current stance on cybersecurity?

Senate is going to take up the cybersecurity bills that we've already passed in the House and they're going down a path that I disagree with. DHS should be the entity that's responsible for protecting the .gov domain and the center point for the interaction with the private industry.

We have a lot of way to go from achieving that. Having a framework in place to share information is important. But these bills are just the preface of this story, they're not even the first chapter.

So let's get this done so that we can have the framework to share information then we start talking about how do we share information in a way that's valuable.

Sharing what we have can go a long way in helping to better improve our infrastructure. And I think another area where the federal government could be helpful is helping small and medium sized businesses. If you look at all the high profile hacks, it's a third party vendor that was used as the access point.

Some of these folks don't have the resources or technical know how to defend themselves the right way and that's an area where I think DHS can be helping medium and small businesses defend themselves and that's going to make the larger US digital infrastructure even more safe and secure.