Podcasts
Caveat
Ep 119
Caveat 3.31.22
Ep 119 | 3.31.22

Opening up from Congress's point of view.

Show Notes
Transcript

Will Hurd: The future of war is going to be in cyberspace. Cyberspace is a domain just like air, land, sea and space. And this is something that we have to be prepared for. And we have adversaries like China that are going to be - they're a peer and could potentially beat us in that arena.

Dave Bittner: Hello, everyone, and welcome to Caveat, the CyberWire's privacy, surveillance, law and policy podcast. I'm Dave Bittner, and joining me is my co-host, Ben Yelin from the University of Maryland Center for Health and Homeland Security. Hello, Ben. 

Ben Yelin: Hello, Dave. 

Dave Bittner: Today, Ben shares a story about a new trans-Atlantic agreement on data privacy. I've got the story of allegations from the DOJ that Google is playing fast and loose with attorney-client privilege. And later in the show, Ben speaks with former Texas Congressman Will Hurd on his new book, "American Reboot." While this show covers legal topics and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney. 

Dave Bittner: All right, Ben, let's jump in here. We've got some good stories to share this week. Why don't you start things off for us? 

Ben Yelin: So my story comes from The New York Times. It is entitled "U.S. and European Leaders Reach Deal on Trans-Atlantic Data Privacy," by David McCabe and Matina Stevis-Gridneff. So we had an agreement on data privacy with the European Union. We've come up with a couple of agreements. Both of them have been struck down in the Court of - European Court of Justice. The most recent agreement was struck down 18 months ago, and that was the case of Schrems II. Basically, the European Court of Justice said this agreement on data privacy can't have the force of law because of U.S. surveillance practices. Basically, because of what we've learned from Zoom disclosures - other, you know, legal cases, public reporting - surveillance practices in the United States are such that we can't assure citizens of the European Union that if their data is shared with their American counterparts - that that information is going to be protected. 

Dave Bittner: Is this a GDPR thing? 

Ben Yelin: Yeah. I mean, it was - the cause of action was under GDPR. 

Dave Bittner: OK. 

Ben Yelin: But this has been kind of a long-running dispute between the European Court of Justice, the business community and the United States. And it predates GDPR... 

Dave Bittner: I see. 

Ben Yelin: ...By several years. 

Dave Bittner: OK. 

Ben Yelin: Business interests, for a variety of reasons, are absolutely gung-ho about getting an agreement in place. Data-sharing is profitable. It's good for consumers on both sides of the Atlantic. A lot of services - and they mention a couple in this article - really rely on data transfers and are not going to be able to sell their products in Europe if we don't have some type of agreement in place. So President Biden went to Brussels really to meet with European counterparts on the situation in Ukraine. But as a byproduct of that meeting, there was an agreement reached on a new data privacy shield with the European Union. We don't have very many details on the agreement. The most we have is a fact sheet released by the president's - the administration in the United States. They released a joint statement saying that this is going to be codified in a presidential executive order, but we do not have that executive order, the text of it, yet. 

Ben Yelin: The major change from previous versions of this Privacy Shield agreement is that there is going to be an independent data protection review court. So this is going to be a venue for European citizens to object if they believe that their privacy has been violated by U.S. interests or U.S. companies or that their data has been subject to surveillance. Now, there is a civil liberties advocate in the European Union. His name is Max Schrems. He has a group called NOYB, which is an abbreviation for none of your business. 

Dave Bittner: (Laughter). 

Ben Yelin: And he has made it his life's work to invalidate these trans-Atlantic data privacy agreements. He's been successful twice. There was Schrems and Schrems II. And just like there was a "Home Alone 3" and just like there have been... 

Dave Bittner: Right, right. 

Ben Yelin: ...Sequels to some of our... 

Dave Bittner: Schrems III: Return of the Jedi. 

Ben Yelin: Exactly. 

Dave Bittner: (Laughter) Right. 

Ben Yelin: I think we could see a Schrems III here. 

Dave Bittner: Yeah. 

Ben Yelin: Schrems was quoted at the end of this article as being skeptical of the deal. He wanted to analyze the details. He said if it's not in line with European Union law that they - meaning himself or any other civil liberties group in Europe - might challenge this new regulation. I think the proof is going to be in the actual details 

Ben Yelin: of the executive order. What the U.S. has assured as part of this deal is that there are going to be new privacy protections to constrain the U.S. surveillance state, so that we're only conducting electronic surveillance or signals intelligence on matters of the utmost importance to national security. I think that's a good aspirational goal. But until we can see what the enforcement mechanisms are, I just don't see how that would be enough of an assurance to somebody like Schrems. So I could very well see this agreement being challenged in courts. 

Ben Yelin: Certainly, the tech companies are very pleased. This article quotes a couple of them, including Meta, who says that, you know, they've been concerned about what they call global internet fragmenting. They want to make sure that there's this cross flow of data, that we can do business with our European counterparts and, you know, stay connected, keep our services running. So they are pleased that this agreement, at least temporarily, provides some certainty for American and European companies, that they can transfer data quickly and safely and they're not going to be subject to legal consequences. So business community - happy. And so far, Schrems himself is skeptical. 

Dave Bittner: Yeah. 

Ben Yelin: So we will see what happens. 

Dave Bittner: Well, help me understand here. Is the primary concern that of government surveillance as opposed to private sector surveillance - you know, the Facebooks of the world who rely - have their own surveillance regime for advertising purposes? 

Ben Yelin: So far, in the Schrems cases, it has been about government surveillance. I think the private companies are going to be constrained by domestic laws on data privacy. But the real concern is that governments, in an effort to do signals intelligence for national security purposes, are not going to adhere to the principles of these agreements. So it really has been a nation-state concern, not based on the activities of these companies. I mean, I think these companies are fine complying with domestic data privacy laws to the extent that they exist. You know, so they adapted to comply with GDPR. They've adapted to comply with the state laws that we have in the United States. I think the concern among activists is even if we have these data privacy protections that will constrain the companies themselves - the Googles and the Metas of the world - it might not be enough to constrain governments, especially if there is some overriding national security interest. 

Ben Yelin: And in the Schrems II case, they give concrete examples. And it's things we've talked about a million times - Section 702 of the FISA Amendments Act, Executive Order 12333, types of U.S. surveillance practices where we have leveraged the fact that most tech companies are based in the United States to intercept information for national security purposes and the fact that we maintained a internationally searchable database, XKeyscore, pursuant to our authority under Executive Order 12333, where a large portion of internet traffic went to a data server that was accessible by our intelligence agencies and the agencies of our allies. So it was those practices that were cited by the European courts in the previous Schrems cases. So they really have been skeptical of our government surveillance more so than the concerns about company surveillance in the private sector. 

Dave Bittner: Are you at all optimistic that there is a place where the folks on opposite sides of this can meet in the middle? 

Ben Yelin: Yeah, I think it's going to be trial and error. Again, I have to see what the details of the executive order are. They have not been released. I think we're getting closer to a situation where there are enough assurances from our government - and, of course, it depends on who's in power in the United States. But there are enough assurances from our government that data is going to be protected, that that satisfies both our European counterparts, which it generally has - I mean, we have come to these agreements - and it satisfies, most importantly, the European courts, who have been more skeptical of our surveillance. 

Dave Bittner: I see. 

Ben Yelin: But I think, you know, even if there is a Schrems III, you know, that might inform... 

Dave Bittner: I'd say count on it (laughter). 

Ben Yelin: Yeah. That might inform the next agreement. 

Dave Bittner: Right, right. 

Ben Yelin: You know, if this is thrown out in a year, then maybe in two years, we have another more robust agreement that has - that further cracks down on some of our surveillance practices and assures European courts that we care about the integrity of data pursuant to GDPR. So, yes, I do think we are closer to coming up with some sort of equitable agreement. I agree that there is a business interest and economic interest in sharing data. I think it's essential to the operation of these companies for their own profit margins and for them to be able to - especially for American companies to be able to sell their services in European markets. So there's enough of an incentive from all of the parties involved that I think we can come up with a solution here. 

Dave Bittner: All right. 

Ben Yelin: The obstacle is the court and Schrems himself or Schrems' compatriots - whether they are able to successfully challenge this new agreement. 

Dave Bittner: All right. Well we will have a link to that story in the show notes. Again, that's from The New York Times. My story this week comes from Ars Technica. It's an article written by Jon Brodkin, and it's titled "Google Routinely Hides Emails From Litigation by CCing Attorneys, the DOJ Alleges." So this story is about - the Department of Justice in their ongoing antitrust suit against Google is claiming that Google plays kind of fast and loose with assigning the status of attorney-client privilege to internal company communications. Can we have a little bit of an education here from you... 

Ben Yelin: Sure. 

Dave Bittner: ...Ben? 

Ben Yelin: Let's do a deep dive. 

Dave Bittner: Yeah. What exactly is - so what are the basics that we need to know about attorney-client privilege and how it applies in a case like this? 

Ben Yelin: Sure. So information between one's attorney and oneself is privileged, meaning it can't be divulged in court. That is to protect the integrity of the relationship between an attorney and his or her client. The thinking is an attorney wouldn't be able to give their client confidential advice to pursue their case vigorously if there was the threat that these types of communications can be revealed in a court of law. So it is a common law privilege that descends from our English legal ancestors. It's long been established. 

Ben Yelin: The right of the attorney client-privilege is not absolute. So, for example, if you are communicating with your attorney about committing a crime or committing fraud, that is an exception to the attorney-client privilege. That information is discoverable. So it is a general privilege. There are exceptions on it. It is not the only privilege. You know, there are legal privileges with doctors and patients, legal privileges with one's spouse. But this is certainly, I think, the most common legal privilege - the attorney-client privilege. 

Dave Bittner: Now, who decides? In other words, if - let's say in, as you mentioned, a case where there's fraud - you know, there's alleged fraud between an attorney and a client, who's the one who gets to see the communications and decide whether it's in fair play? Is that a judge? 

Ben Yelin: It's a judge. Exactly. 

Dave Bittner: OK. 

Ben Yelin: So we have a very recent current example of this. There was an allegation that former President Trump and his attorney John Eastman engaged in criminal activity. And there's been an investigation by the January 6 commission in the House of Representatives. They tried to subpoena some of the records - some of the communications between Mr. Eastman and the former president. And Eastman, in his response to that request for information, said that the information was privileged. The January 6 commission tried to argue that this crime fraud exception applied, saying, we can obtain these communications if there is at least a preliminary showing through the evidence that a crime has been committed or fraud has been perpetuated. 

Ben Yelin: So this went to a district court - federal district court judge in California, where Mr. Eastman is located. And it is the judge's responsibility in that circumstance in camera ex parte - so not publicly, in other words - behind closed doors, to review all the communications in question to see if there is substantial enough evidence of criminal activity. And in this instance, the judge determined that there was, meaning a solid majority of the communications in question where - are now being released and are now being sent to the January 6 committee because the privilege did not apply. 

Dave Bittner: Interesting. 

Ben Yelin: So it's the judge overseeing the case ex parte in camera, by him or herself, who gets to make the determination whether there's a preliminary showing, a substantial showing that a crime has been committed. 

Dave Bittner: I see. Well, let's - so switching back to this case where the DOJ is making these allegations against Google - it seems as though what they're getting at is evidently Google had an internal program that they labeled communicate with care (laughter). 

Ben Yelin: It sounds so nice, doesn't it? 

Dave Bittner: It - well, I mean, who doesn't want to care about their communications? But basically, the bottom line here is that Google directed their employees to basically CC an attorney and somehow label it as privileged communications and include a generic request for counsel's advice in order to shield sensitive business communications. But the problem... 

Ben Yelin: Oldest trick in the book, Dave. 

Dave Bittner: (Laughter) The problem the DOJ has here is that, evidently, quite often the attorneys didn't even reply to these emails. Like, I guess they knew what game they were playing, right? - allegedly. And so it was it wasn't a good-faith request for legal advice. It was just preventing these communications - according to the DOJ - preventing these communications from being available for investigation, right? 

Ben Yelin: See, if I were one of the attorneys, I would at least respond with a pro forma response saying, I'm reviewing your concerns out of my legal obligation to give you advice and then respond two weeks later with, after a determination, you know, with my trusted legal sources, I've decided that this was an acceptable communication. 

Dave Bittner: You'd think the eggheads at Google would have some sort of automation in place where, you know... 

(LAUGHTER) 

Dave Bittner: ...If the people included certain keywords, the lawyers could respond - have an automated response that says exactly what you just said, including certain keywords, right (laughter)? 

Ben Yelin: Yeah. Exactly. I mean, they're smarter than the rest of us, so they should have figured that out. 

Dave Bittner: Right. Right. 

Ben Yelin: The problem, from the DOJ's perspective, is it's very difficult to prove. So they're trying to get access to these communications as part of the broader antitrust lawsuit against Google. I'm sure there is some evidence. I mean, they seem to have the email - some of the email communications of the CEO of Google's parent company. So that's obviously going to be very important evidence in order to get access to these privileged communications - and they are now privileged since an attorney was involved - you have to make some sort of showing that this was not a good faith communication with an attorney, that this was an effort to privilege information that otherwise should not have been privileged. It's really hard to get access to that evidence. And I think Google can plausibly claim that, as part of their normal communications practices, we involve our attorneys to make sure that all of our activities are compliant with the law. It's really hard to refute that. And it's certainly going to be hard to find evidence that Google was knowingly doing this to skirt the legal requirements and to get around the attorney-client privilege. So really, they're probably going to get away with it, you know? So they might have evidence beyond email communications. I'm sure they do. 

Dave Bittner: Yeah. 

Ben Yelin: So it's not like the entire case is going to be thrown out. But this is why so many organizations engage in this practice of including attorneys in potentially inculpatory conversations... 

Dave Bittner: Right. 

Ben Yelin: ...Is, then, the privilege applies. 

Dave Bittner: Yeah. 

Ben Yelin: And it's much harder to get that conversation discoverable in court. 

Dave Bittner: The DOJ said - one of their examples, they said a Google vice president explained that he was including an attorney in an email about business negotiations because his message would contain trigger words, presumably terms that Google employees are taught to avoid, like leverage, that regulators might look for. The included attorney did not respond in any of the subsequent roughly 25 emails in the string and was eventually dropped from the email thread entirely, confirming that his inclusion was not for the legitimate purpose of seeking legal advice. 

Ben Yelin: This is why, you know, you're at Google, so you have the resources of the Google search engine. Just Google the thesaurus and get a alternative word for leverage so that you're not invoking those keywords. 

Dave Bittner: (Laughter) Right. Right. Right. 

Ben Yelin: I'm sure there's even a special search engine for Google employees to evade legal requirements. Yeah. 

Dave Bittner: Oh, my - so you sort of alluded to - you said this is the oldest trick in the book. So I mean, this is standard operating procedure in a lot of places for a lot of folks, yes? 

Ben Yelin: Yeah. I mean, organizations don't always get away with it. Sometimes it's very clearly done in bad faith. And because of the exceptions for crime and fraud, in a lot of these cases, a judge will review the communications to see if a crime was being committed or planned or if there was some type of fraud involved. And in that case, the conversations are discoverable anyway. So it doesn't matter whether you've brought your attorney into the communication. 

Dave Bittner: I see. 

Ben Yelin: But certainly, this is a tactic. It's not a tactic that's only used with the attorney-client privilege. This kind of comes out of a lot of our legal fiction, "Law & Order," some of our other favorite police procedurals. But sometimes, people will communicate something to their spouse to take advantage of spousal privilege, or put something in their wife or her husband's name so that it's protected by spousal privilege. 

Dave Bittner: Right. Right. 

Ben Yelin: So it's certainly not a unique example of trying to - not to use Google's word, but leverage... 

Dave Bittner: (Laughter). 

Ben Yelin: ...These common law privileges to one's advantage in litigation. 

Dave Bittner: So clarify for me - the attorney-client privilege shields the contents of the communication, but it does not shield the existence of the communication? 

Ben Yelin: It does not, no. So it's the contents of the communication that are concealed as part of the attorney-client privilege. 

Dave Bittner: Right. 

Ben Yelin: Generally, that's not that important of a distinction because metadata is not that interesting when it comes to attorney-client communications. 

Dave Bittner: I see. 

Ben Yelin: Of course, an attorney is going to communicate with his or her clients, especially - these are all part of lawsuits. So of course, a client is going to engage in communications with his or her attorney. 

Dave Bittner: Right. 

Ben Yelin: So it's always the content that's really in question. Were they doing something criminal? Were they conspiring? Is there some evidence in there that might aid in the resolution of a civil case? It almost - it does always have to do with the content and not with just the fact that a conversation took place. 

Dave Bittner: I see. All right. Well, again, this story is from Ars Technica, written by Jon Brodkin. We will have a link to that in the show notes. 

Dave Bittner: Ben, we've got a really - a real treat of an interview this week. You took the interviewing duties this time and, boy, what a get for you, right (laughter)? 

Ben Yelin: It was a big thrill. 

Dave Bittner: Yeah. 

Ben Yelin: I had a really good conversation with a former congressperson from the 23rd District in Texas, Will Hurd, who has just released a book called "American Reboot." And I had a really enjoyable conversation with him. I hope you enjoy it as well. 

Dave Bittner: All right. Here's Ben's conversation with former Texas Congressman Will Hurd. 

Ben Yelin: We are very pleased to be joined by former Congressman Will Hurd, who is the author of the new book "American Reboot." Thank you so much for joining us, Congressman Hurd. 

Will Hurd: Ben, please call me Will, and it's a pleasure to be on with you. 

Ben Yelin: Fantastic. Well, it is nice to have you, Will. We were lucky enough to get an advance copy of the book. As somebody who tends to thumb through these things, I didn't expect that I'd enjoy it as much as I did. 

Will Hurd: (Laughter). 

Ben Yelin: But it was really an excellent read. And I think it gives us a lot of fodder for conversation. I guess we can start at a high level. What was the impetus for you to write this book? Was there a distinctive experience that inspired you, something that happened during your congressional tenure? Just thinking at that high level. 

Will Hurd: Sure. I think the impetus for the book was that during my time in Congress, I saw many issues that were affecting our role, the - America's role in the rest of the world, and we weren't addressing some of them. Our politics was getting in the way from tackling these really - what I consider to be generational-defining challenges. And so those were the kinds of topics that I always tried to talk about when I was in Congress. And what - the aha moment for me on this book was when I started thinking through how I've come to some of these conclusions that I've come to, I could point to five, six very specific events that impacted me and changed my mind. And so for me, I wanted to share those stories. And the reader - they come to the same kind of conclusion and go on that journey I went on to come into some of these conclusions. So that's what I wanted to do. 

Will Hurd: And really, it goes back to a specific experience in 2018 when a bipartisan group of former elected officials, admirals and generals, academics basically said that the U.S. economic and military dominance is no longer guaranteed and that this century is not necessarily going to continue to be the American century. And so that was something that was always in the back of my head. And to have the opportunity to write about some of these challenges - oh, and by the way, what we should be doing to address those challenges and make sure we keep this the American century is why I wrote "American Reboot." 

Ben Yelin: I think it's very timely. So much of the book is fascinating to me. This podcast focuses, obviously, on cybersecurity, cyber law and policy. One anecdote that stuck out to me was your experience after the OPM hack. So you were a federal government employee in the intelligence community, so you were a victim of this hack. It was your information, along with millions of others that were stolen. And you have the opportunity to question witnesses at a committee hearing, and it seems that you were getting answers that were not quite satisfactory. Is there something that you took away from that experience that was kind of a broader lesson into the expertise of our federal government or its relative stasis on this issue? 

Will Hurd: Look, that experience with OPM hack - and I'm sure many of your listeners were impacted by this. Literally the day before the hearing, my chief of staff and I both got letters from OPM saying our information was stolen. Why did that matter? This was information in the hands of our adversaries - could be used to have some serious impact. And I outline some of those things in the book of how if, you know, narcotraficantes (ph) in Mexico had access to it or Russians - intelligence officers had access to it. And so it was pretty frustrating. And what was shocking to me was that this was preventable. It wasn't like the - because ultimately, it was the Chinese government that was involved in this hack. And it wasn't like they used a zero-day vulnerability and showed a super sophisticated attack. They took advantage of a vulnerability that OPM knew about, that the IG, the inspector general, had said many times needed to be fixed and that GAO even reviewed. 

Will Hurd: And so that was a moment early on in my time in Congress that showed that we weren't doing the basics when it came to digital hygiene and that that needed to be a focus and an effort to do those basics. It's hard to defend against. Look. I was in the business, right? I helped Matt Devoe (ph) create a company called FusionX. And we did technical vulnerability assessment and penetration testing. And you give me enough time, I'm getting in your system, right? And so - but if we're not doing the basics to defend our digital infrastructure, shame on us. And it's outrageous. 

Ben Yelin: One thing I wanted to touch on in an interview with you in particular is I have watched several hearings with members of Congress on technological issues that as - they've ended up devolving into a bit of a farce, largely because of the lack of technical expertise on the part of - no offense, but some of the septuagenarians, octogenarians among members of Congress. Is there a way before we even start to think about policy to increase situational awareness among our policymakers on these issues? What are some practical steps to help educate those who are going to develop these policies? 

Will Hurd: Look. So there's a number of things that we need to do to make sure we have people that understand some of these basics so you can set policy. Look. You know, I don't need someone that can code in Ruby on Rails in order to pass these things, but to understand some of the basics. And it starts with making sure we're getting the right people running for office, and when they are running for office, that we're asking these questions. Right? So when people are in candidate forums, the local newspaper or the local college or the local TV station is asking questions, why aren't there some questions about technology policy? Right? Starts there. And people that are putting out - every candidate, when they're running for office, you have to fill out some, you know, some form about your opinions. Why don't those forms include things about technology? 

Will Hurd: So that's a first step that, as citizens, we should be asking and demanding from our elected officials, hey, talk to me about these issues because they matter. That's step one. Step two, the ability for business - look. The only way we're going to solve this problem is if the public and the private sector actually work together, because there is a dearth of these - of technical officials with cybersecurity skills in the government. The numbers is the tens of thousands that we're lacking. And so the only way we can deal is to make sure the public sector helps augment that skill set. 

Will Hurd: So I always tell folks that are technologists or have - work on a technical company, have you ever met with the district director of your member of Congress? Right? This is an opportunity that members would love to have. The district director is the person that runs your office on the ground and wherever you represent. So making sure that when that member has - is passing legislation or having a hearing, they have people that they can trust and call and say, hey, explain this to me, and even ask dumb questions. I was shocked when I was in Congress, the number - even when I was a freshman, the number of members that came to me and asked for my opinion because they knew my background. So that's something that that we need to do. 

Will Hurd: And look. I try to work on legislation to get more technologists into the federal government and to create this kind of rhythm where people will come in the government and then leave, get back in in order to provide that skill set. Because things - what I've learned now - and I've been out of Congress for a year now, and I'm advising technology companies that have national security application. It's technology is moving fast, right? The future of cybersecurity is going to be good artificial intelligence versus bad artificial intelligence. And if we - the kinds of questions we need to be asking ourselves to prepare for that, we need more advice. 

Ben Yelin: Yeah. I mean, it's one of those things where technology is dynamic, and the industry is dynamic. And just by its nature, it's more dynamic than our policymakers and certainly more dynamic than our legal system, which is something that we certainly encounter all the time. 

Will Hurd: The other thing is being able to adopt new technology in the federal government is super hard. And that is something - the problem there - and I hate that a lot of times I have conversations about technology, it always does devolve to IT procurement. Nobody's ever held a parade on IT procurement. But if the people that are buying the good and service is not the person using the good or service, and that's what creates these problems to making sure we're getting the right technology. And, by the way, we've got to be ready because the future of war is going to be in cyberspace. Cyberspace is a domain just like air, land, sea and space. And this is something that we have to be prepared for. And we have adversaries like China that are going to be - appear and could potentially beat us in that arena. 

Ben Yelin: So we're in a very unique geopolitical moment, obviously. We - Russia invaded Ukraine now about a month ago. And I think we were sort of expecting there to be hybrid warfare where there was - there were cyberattacks on our critical infrastructure, perhaps, and some retaliation. Has this conflict lived up to your expectations? And perhaps more importantly, what worries you in terms of our own preparedness, our own cyber posture? And what can we do to help address some of those shortcomings? 

Will Hurd: I am like many observers of what is happening and is shocked that the Russian government has not been more effective when it comes to cyber warfare. And maybe said a different way - maybe said a different way - the Ukrainians are no slouches, right? They have been dealing with the direct threat of Russian - a physical attack, as well as digital attacks, since well before 2014 when the Russians first invaded. So I think this talks about the ability to defend against attackers. The lack of use of autonomous drones is something that was - also been pretty - I thought it would - we would have happened. Again, this could still escalate. I would say on a scale of 1 to 10, the Russians have probably only been at a five right now. And so they have a long way to go. And so we've seen them use autonomous drones in Syria. That can still happen. 

Will Hurd: The thing that we have to be prepared for is, are the water treatment plants across the United States - are they prepared? The one hack that happened - I think it was last summer. It was in Florida in that water treatment plant. I feel like that didn't get enough focus. What has happened? I'm sure Department of Homeland Security and CISA had - was working with other water treatment plants. But these are not the most sophisticated of digital infrastructures. So what's the aftermath of that? I look at the grid in Texas. Last year, during last summer, we saw our grid almost fail. And the ability to counter one of those kind - or to mimic a similar attack from the - from cyberspace is there. And so part of my fear is hubris of defenders to think, oh, we got it. And this is what I learned in the cybersecurity space. Everybody says, hey, we're doing the best, we're doing everything right. But when you pop the hood and look inside, they're never doing it the way that they say. And so you always have to have that third-party kind of attack. 

Will Hurd: And why I care about this - because there's a great book. It's a fiction book written. It was called "2034," and it was written by the former NATO commander. It talks about how the third World War is going to happen. And basically, it's the Chinese cut off our phones - all right? - the Chinese government. Let me make it clear. It's the Chinese government. The Chinese government cuts off our phone and our inability to defend in that space. That's something that we have to be prepared for, and we're not. And we're having debates right now on things that are silly compared to where - how we can be impacted. And ultimately, the Chinese government is trying to surpass the United States as a global superpower. What does that mean for all of us? What that means for us is that if the U.S. economy is no longer the most important economy, that's going to impact our retirements. That's going to impact our - the ability of our kids and our grandkids to have good-paying jobs. This is - these are the issues we should be trying to grapple with, and we need a true competition of ideas in order to do that. And that's one of the reasons why I wrote this book - to try to outline and educate folks and help show how I learned about these topics, as well. 

Ben Yelin: Yeah. I mean, one of the things that I liked about the book is the way it's structured. I think you end with some of these substantive problems. And to get there, you talk about some of these political, socioeconomic barriers that we face to trying to solve those problems. I was wondering if you could speak about that just briefly. I mean, what are the steps that we have to take as a society before we can start to address some of these more kinetic concerns? 

Will Hurd: You know, Ben, I'm sure your listeners - they're all probably a lot like me. I started my career in a computer lab at Texas A&M University. And when those computers weren't working and I didn't know what to do, what did I do? I rebooted the sucker, right? And for some reason, you get back to the original operating system. And for me, that's why this book is titled "American Reboot." We are at a political, cultural, international moment where it's impossible to get big things done. And we need to get back to those values and concepts that help make us the greatest country on this planet. Our political system has gotten so mucked up that it's - that - where it's the - our politicians are focused on the extremes of the political parties, not the middle and not the center, where 80% of Americans are. And so if we were able to start talking about all those things that unite us rather than divides us, we'll be in a better position to deal with some of these challenges. 

Will Hurd: And, look, you know, we're seeing it right now. The fact that Ukraine is even considering agreeing to not joining NATO is a - is ultimately a rebuke on NATO saying, hey, this may not be an alliance. It's better to go alone than to join this organization, right? Like, that's a serious rebuke of the international order that America has grown to cooperate. Technology - I sit on the board of a company that's working towards artificial general intelligence. The questions that we're going to be asking, in a very short period of time - I'm talking months and years, not decades - you know, is going to impact our future. 

Will Hurd: And so we have to get - talk and be ready to address these generational-defining challenges so that we can continue to improve quality of life for Americans, but also uplift humanity. And we have to get through this notion that the other side is evil and their only goal is to bring the country down to its knees. We have to be able to cooperate. And the things that I learned representing a truly contested congressional district is actually that way more unites us than divides us. Let's focus on those things so we can solve the problems of the future. And we're going to make sure the next 247 years are as exciting as the last 247. 

Ben Yelin: I promise I will close with something that's tangible. But I do want to mention for our listeners, if you haven't seen it, one of the great viral YouTube sensations of the past several years was you driving back to Washington, D.C., with Congressman Beto O'Rourke. You were stuck in Texas. There was some weather incident. 

Will Hurd: That's right. We were in Texas. Beto and I represented El Paso. My district went from San Antonio to El Paso. It was 29 counties, two time zones, 820 miles of the border. And Beto was the only Texan on the VA committee, the Veteran Affairs Committee. And I asked him to come to San Antonio to meet with some of my veterans organizations. And this was one of the many snowpocalypses focusing on D.C. And our flights got canceled. Now, I'm a loyal Southwest Airlines guy. And so you know when Southwest cancels, they fly anything. So if Southwest cancels... 

Ben Yelin: Exactly. You know it must be bad. 

Will Hurd: Yeah. And so Beto said, let's drive back and livestream the whole - and livestream it. And I said, sure. And so we did. I think it was about a 35-hour trip, 31 hours in the car, 29 hours livestreamed. And we talked about everything. And look. Beto and I didn't agree on everything. But we had a debate, and people were shocked that we were having a civil conversation. And he made some good points. I made some good points. And so it was a moment that, you know, we were on every newscast, every television show. We had about 29 million people watching us over that day and a half on our socials. 

Will Hurd: And we - and it ended up turning into, like, you know, the next election, the next couple of election cycles were some of the most partisan election cycles in the world. But it showed that people are craving us to put our swords down and actually disagree without being disagreeable and work to solve real problems. Because here's what happens. Here's what I've learned. Most people care about putting food on the table, a roof over their head, and making sure that people that they love are healthy and happy. When you focus on those issues, it doesn't matter whether you have an R or a D after your name or an I or don't have anything. You know, people are going to respond. 

Ben Yelin: All right. I will close with something tangible, as I said. If you were going to talk to your former colleagues in Congress about three under-the-radar issues in the cyber realm that worried you over the next several years, 5 to 10 years, what would be those three issues? 

Will Hurd: Well, one is not necessarily a future issue. It's an issue we have to deal with. We have to have a national breach standard, period, full stop. This should have happened probably 10 years ago. But that is one of those things that's preventing us from addressing privacy. And we can't let the the European Union continue to outinnovate us on policy when it comes to technology. So when it comes to cyber, No. 1 is that. No. 2 would be we need to have a Y2K moment when it comes to quantum resiliency. We all know, your listeners are probably familiar with quantum computing and the ability that we're going to be able to break every kind of encryption. The conversation we can start having now of how do we have quantum-resilient algorithms and encryption throughout all of our systems? You know, we spent a trillion dollars over four years during the Y2K. And look. I remember, I was in college when Y2K hit. And I was afraid to, like, drive. I was supposed to go see my girlfriend in Dallas. I was living in San Antonio. I was afraid to travel, but it was... 

Ben Yelin: We thought planes were going to fall out of the sky. Yeah. 

Will Hurd: Absolutely. People were freaking out. But guess what? It was a non-event. Why was it a non-event? It's because we spent the previous four years and a trillion dollars working towards that. That's what we need to do with - when it comes to quantum and being prepared to have quantum of resiliency. And then the last point is we need to be able to get ahead and start thinking through some of what I would consider more philosophical issues around artificial intelligence, because that is going to be the future, as I said at the beginning, of cybersecurity. It's going to be good AI versus bad AI. And what are the rules of the road of how to train those kinds of algorithms? Where is the person supposed to be in a, in essence, the kill chain in order to do an offensive attack to stop something from happening? Making sure that we build upon some of our national strategy on AI so that we're prepared for this to be a weapon that's going to be used against us. I think those are three things that that we should be ready for. 

Ben Yelin: Perfect. Thank you so much, Congressman Will Hurd. The book is called "American Reboot." I believe by the time this episode is released, it will be available publicly at all your favorite online or in-person bookstores. So thank you so much for joining us, Congressman Hurd, Will. 

Will Hurd: Thanks, Ben. And I appreciate your focus on these important issues. 

Dave Bittner: All right. Boy, great interview. I enjoyed that very much. A couple of things that come up that caught my attention that I enjoyed. I loved his line - I laughed out loud when he said nobody's ever held a parade on IT procurement. 

Ben Yelin: That gives us an idea, right? Our annual IT procurement parade. Yeah. 

Dave Bittner: Yeah. Right. Exactly. It seems like - yeah, there's an opportunity there. It's underserved. But I think he's right. And I think it speaks to a really important point that, you know, they're sort of the unsung heroes of keeping everything safe, and yet they're within this framework that is slow and ponderous. And, you know, it moves at its own pace. It's - you don't turn that battleship on a dime, right? 

Ben Yelin: Right - often at a glacial pace, along with - and I think this is something else he mentioned in this interview - not just - we've talked about how the legal system moves at a glacial pace, but the policymaking mechanisms in this country move at a glacial pace. And I think that's something that's been very frustrating to Congressman Hurd from being on the inside. And I think that's one of the reasons - this type of inertia - that he decided to write the book. And I think it's to his great credit that he did that. 

Dave Bittner: Yeah. I also liked his mention of - that a lot of tech companies in particular, when it comes to security, have a lot of hubris. You know, they - before the breach happens, they talk about how they're fully protected and everything's great. And then, you know, you get under the hood, and you find maybe things weren't as great as they thought. And it's happened so many times... 

Ben Yelin: Right. 

Dave Bittner: ...To become practically a stereotype. 

Ben Yelin: Yeah. And it keeps happening, despite the fact that institutions of all sizes, in both the public and private sector, have been subject to ransomware attacks, data breaches, et cetera. You'd think other organizations would realize that's happening to us next, not, you know, our protections are adequate. We don't have to worry about it. 

Dave Bittner: Yeah. 

Ben Yelin: It's such a unique perspective - somebody who, prior to his service in Congress, was in this world, was in - obviously, he was in human intelligence as part of the CIA... 

Dave Bittner: Yeah. 

Ben Yelin: ...But has this fluency in cybersecurity issues. It's kind of a "Mr. Smith Goes To Washington" situation, literally, where - I love the anecdote at the beginning of one of his chapters about how he himself was victimized by the OPM data breach and went to this congressional hearing to ask questions of OPM personnel, and they had no idea what they were talking about. I mean, it was, I think, eye-opening to him because he has all of this institutional expertise, and the people who are actually in charge of an organization that is entrusted with a lot of personally identifiable information seem to not know what they were doing. 

Dave Bittner: Yeah. 

Ben Yelin: And I think that signaled more to him about the state of our bureaucracy, the state of our government, that I think kind of motivated that section of his book about how we have to be more forward-looking. We have to be more nimble. So that was one of the reasons I started with that anecdote, just because it was kind of eye-opening to me as it was eye-opening to him. 

Dave Bittner: Yeah. I mean, I - you know, I kind of wish he was still in there fighting the good fight. You know, it seems to me like, you know, he's the kind of person that we need more of representing us - just his willingness to approach issues in good faith, his knowledge and expertise of issues that are relevant. But, you know, I guess it's - the system, as it's currently structured, doesn't make it easy for folks like him to stick around. 

Ben Yelin: Yeah, and I think he talks about that in different sections of the book. I was - had sort of the same feelings as you just expressed, that he's somebody we want in our political system. He has experience in the intelligence community. He, I really think, comes to this for the right reasons and, I think, is very genuine in trying to work out some of his disagreements, which I think was well-represented by that anecdote of him driving across the country with Beto O'Rourke, livestreaming their conversation... 

Dave Bittner: Right. 

Ben Yelin: ...On a variety of topics. They disagree on issues, but they were - as the cliche says, they disagree without being disagreeable. 

Dave Bittner: (Laughter) That's right. That's right. That's another thing we could use more of. Right. 

Ben Yelin: Yeah. And so I think, certainly, the cyber sections of this book are fascinating for our own purposes and our own interests. But I think there are a lot of broader lessons contained within the book that should apply across our political system. And I really enjoyed reading it and speaking with him. It's - sometimes, it's the little things. I introduced him by saying Congressman Hurd, and he said, you can call me Will, and... 

Dave Bittner: (Laughter) Right. Right. 

Ben Yelin: For a little guy like me, I was like, that's refreshing. 

Dave Bittner: Yeah. 

Ben Yelin: Yeah. 

Dave Bittner: Yeah. All right. Well, again, our thanks to former Texas Congressman Will Hurd for joining us. The new book is titled "American Reboot," and it is available now. 

Dave Bittner: That is our show. We want to thank all of you for listening. The "Caveat" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our senior producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Ben Yelin: And I'm Ben Yelin. 

Dave Bittner: Thanks for listening.

Caveat
Podcast Info
HOST(S):
Dave Bittner
Ben Yelin
Dave Bittner is a security podcast host and one of the founders at CyberWire. He's a creator, producer, videographer, actor, experimenter, and entrepreneur. He's had a long career in the worlds of television, journalism and media production, and is one of the pioneers of non-linear editing and digital storytelling.
Ben Yelin, JD, is the Program Director for Public Policy & External Affairs at the University of Maryland Center for Health and Homeland Security, where he consults public and private entities on homeland security, cybersecurity and emergency management policy. He is also an adjunct faculty member at the University of Maryland Francis King Carey School of Law, where he teaches courses on electronic surveillance and the Fourth Amendment.
Schedule: Wednesdays
Creator: CyberWire, Inc.
ADVERTISEMENT
Sponsored by Arctic Wolf
Sponsored by Arctic Wolf

Arctic Wolf® is the market leader in security operations. Using the cloud-native Arctic Wolf® Platform, we help organizations end cyber risk by providing security operations as a concierge service. Highly-trained Concierge Security® experts work as an extension of internal teams to provide 24x7 monitoring, detection and response, as well as ongoing risk management to proactively protect organizations while continually strengthening their security posture. For more information about Arctic Wolf, visit  https://www.arcticwolf.com/