web site, booktv.org. >> you're watching booktv on c-span2 with top nonfiction books and authors every weekend. booktv, it's for serious readers. -- television for serious readers. >> host: and congressman will hurd, a republican from texas, is the chairman of the subcommittee on information technology. he's our guest this week on "the communicators." congressman hurd, before you became a member of congress, what were you doing? >> guest: well, when i graduated from texas a&m university with a degree in computer science, i went straight into the cia. i was an operations officer. so i was the dude in the back alleys at 4:00 in the morning collecting intelligence on threats to our homeland. i spent two years in washington, d.c. in training, two years in india and two years in pakistan, two years in new york city and a year and a half in afghanistan where i managed all of our

undercover operations. when i left the cia, i ended up becoming a partner in a consulting firm and helped start a cybersecurity firm that helped with penetration testing, helping businesses, manufacturers defend their digital infrastructure from attackers. >> host: so how has that benefited or affected your work in congress? >> guest: well, it's been really important. i think one of the values i bring is a unique background and experience on issues of national security or cybersecurity. and having spent a good deal of my adult life chasing terrorists, dealing with al-qaeda, looking at iranian nuclear proliferaters, this has helped -- i have direct experience in some of the most pressing national security issues of the day. and having been in the private sector and seeing what the private sector's doing in order to defend their digital infrastructure.

some of our banks, their abilities to protect themselves from millions of attacks every single day is important. and so being able to see that and bring that experience as the chairman of the subcommittee has been invaluable. i understand what it takes to defend the digital network, the difficulty of it but also what the basic best practices of good digital hygiene are. and so being able to recognize, you know, the current state that many of our agencies are in and what the future state should be and having an idea of how to get there, i think, is very important. it's especially important in the oversight role that congress plays. >> host: the u.s. government is spending approximately $80 billion a year in technology and cybersecurity. are we getting our money's worth, in your view? >> guest: no. because 80% of that spend is on legacy systems, stuff that your

viewers would think are old and outdated. to me, that's absolutely outrageous. and part of that, you know, this is a issue that i spend a lot of time on. i.t. procurement is not a sexy topic. no one's ever going to hold a rally for i.t. procurement, but the reality is the way we can reduce the size and scope of the federal government is how we purchase goods and services. the way we make our government more efficient is to utilize the latest technologies. and we have to make sure that the folks that are defending our networks are using the latest techniques, the latest tools. i use the social security administration as a perfect example. this is an agency that has information on every single american, and then they have a lot of information on our seniors. and we need to make sure that that information is being protected. department of education is another example. they have, you know, so much information on our students from all across the country, and that information can be used in order

to create fraud and ultimately create long-term problems for our kids. >> host: well, joining our conversation today, congressman hurd, is tim starks who coffers cybersecurity -- who covers cybersecurity for politico. >> hello, congressman. >> guest: good afternoon. >> good afternoon to you. there's a law which you're very well familiar with that is spended to improve some of -- intended to improve some of the problems you're talking about. what -- can you explain the importance of that law, in particular to how it would apply to security and how you think agencies are implementing it so far? >> guest: sure. this law was passed a number of years ago,ing and it was ultimately designed to empower the cios, the chief information officer, within these various agencies. the reality was that, you know, theoretically the cio was supposed to be the one of the responsibility to implement i.t. projects, to direct and spend, but that wasn't happening.

so fitara was designed in order to strengthen the cio's role and also to make sure that they're doing things like agile development. that when you have these big, expensive projects, that you're realizing victories and wins and deliverables over a six-month period rather than, you know, pending half a trillion dollars over four years and producing nothing which actually happened when dod and v.a. tried to improve interoperability within their electronic health records. and the scores are based on information that the agencies are providing to themselves. so this is their own information. they know exactly how the score is arranged, and the reality is we only had one out of 24 agencies, we only had one agency get a b, we had one agency had an f, and everybody else was in between. and what's been good is that

this has focused the conversation on things like data certain consolidation. the federal government has almost 11,000 data centers. facebook, one of biggest companies in the world, has four. there's no reason that the federal government should have 11,000. again, we realized that four agencies have realized $2 billion worth of savings over the last two years by moving into the cloud. so these scores were designed to shine a light on some of these problems, on some key elements that if we get right, we can improve the efficiencies and the security of the federal government's digital infrastructure. >> host: before we go any farther, fitara, cio is an acronym for chief information officer. >> guest: yeah. say that three times fast. [laughter] >> host: tim starks. >> so the scores you talk about,

if i recall correctly, a number of agencies moved up. do you think they're moving up fast enough? showing the progress you'd like to see? >> guest: and i believe six agencies are the ones that moved up. that's a good trend. i'd like to see it faster. the reality is the environments in which these chief information officers, cios, are operating are pretty large. so i don't think we can get, you know, get to improve security fast enough. there is no silver bullet when it comes to protecting a digital infrastructure. the reality is you have to begin with the presumption of breach. you give an attacker enough time, they're going to get in, and the question is can you detect them, can you quarantine them and kick them out of your network, and how fast can you do each one of those steps. the problem has been years of mismanagement, of not investing in current technologies, and this is an or not important reason that we have the fitara scores, is to continue to shine

a light on this, continue to put pressure on these agencies and make sure they're doing the right things in order to protect our digital infrastructure so that we don't have something like the opm hack where 23 million records of folks that have gone through a security background was breached. and so this is important. we're not moving fast enough. but we also need to make sure that these agencies have the flexibility. if they realize savings, that they're able to use that savings on other issues throughout their networks. >> well, speaking of, the president has his own proposal to address some of these issues, the i.t. modernization fund he's proposed which is $3 billion of seed money that he hopes by investing in improving these legacy systems that eventually will net many more billions of dollars in savings. that proposal does not seem to have any money in any of the spending bills that are moving either in the house or senate. i'm wondering if you think that is a good idea and, in particular, if so, do you think

it's something that might be happening before the president leaves office in. >> guest: so the concept is a valuable concept. we need to make sure that our agencies are modernizing, but here is the reality: you don't just modernize in 2016. you have to constantly stay up-to-date on the latest trends, the latest tactics, techniques and procedures in developing your network. i think the reality is, you know, it's hard when you're already spending $80 billion a year on your i.t., purchasing i.t. goods and services and when 80% of that is on legacy systems, it's hard to justify another $3 billion. why not use that $80 billion more successfully? and again, i think this is where when you do certain things to realize savings -- and i talked earlier about how just four agencies moving into the cloud has saved $2 billion -- that saving is realized over the next four years is about $8 billion. imagine if agencies had to that, those -- had access to those funds this which they could do

the modernization in their network. but we have to bake this into their operations. the cios have to be thinking about long term and how can they move, you know, aged systems into the future. how can they get rid of old systems. we had a bipartisan and bicameral letter that was sent out to all the agencies that asked for hardware and software that was 40 ono longer supported by -- that was no longer supported by vendors. the information that we got back is staggering. you know, there's programs that a vendor stopped providing support back in 1993. and for folks within the government and things that they can continue to do the right upkeep, to patch the software, to understand the vulnerabilities, i think that is unrealistic. and so, you know, moving forward on modernization is absolutely important, but this is something that should be a day-to-day thing for our cios and our csios, the chief information security officers.

>> the white house would tell you it's not just money they're proposing for this fund the, there are overeight mechanisms. -- oversight mechanisms. do you think those could help? >> guest: look, i think if you give the cio the flexibility that if they realize savings that they're able to use that over multiple calendar years, i think that's a good tool for them to have access to. because the reality is when you talk about some of these big projects within the federal government, the problem that the federal government has is scale. many of these projects that you're talking about are huge, and that takes a different mindset, takes a different tack. and to try to realize savings in one calendar year and use that in the same calendar year is really hard to do. so so making sure that these cio tos across agencies have that capability and freedom and flexibility is important. i think part of the plan is to have a ciso for the federal

government be placed in omb. i think that's a positive step. the current cio, tony scott, i think, you know, he has a great background and great experience in the private sector, knows what it's like to to defend networks from bad guys, and he's been able to leverage a lot of that experience into the federal government. and having someone like that who's focused specifically on security is a good idea. >> host: congressman hurd, ciso stands for -- >> guest: the chief information security officer. >> host: you mentioned also tony scott, the chief information officer for the u.s. he has said that the current situation with government cybersecurity is a bigger problem than y2k, do you agree? >> guest: oh, absolutely it is. and here's reality. the number of attackers coming after us are only increasing, and the level of sophistication is increasing. as we move to a more digital environment, interconnected world, that increases our

surface area of attack. and the folks that have the capabilities to get into our system is large. and so this is a difficult job, and the reality is we can also be learning from our private sector colleagues, and information sharing is important. congress passed the cybersecurity act of 2015. it was a very important piece of legislation that is going to make sure we have the tools and that dhs is the belly button in order to, you know, improve information sharing between the federal government and the private sector. you have information sharing organizations that, you know, usually are within a particular try like the football services industry try -- financial services industry try to share information among themselves. but if we include the private sector and the federal government, it's great. we know right now that there are some russian hackers in moscow that are coding the next, you know, level of malware that is going to be used to penetrate our digital infrastructure in

our banks here. and the financial services industry kind of know where those attacks may come from. if we were able to use national intelligence resource to try to better understand that and get that information to our, to the private sector in order to help them defend and get one leg up on the attackers, this is one way that we can take our to defensive game to the next level. >> congressman, one of the things that, another one of the things that the administration wants to do to respond to the kinds of threats you're talking about is a change to what is commonly known as rule 41 which changes how the government would get warrants to conduct its own hacking to go after other kinds of threats. there were some protests recently about that. congress has until december 1st to block it if it so chooses. where do you fall on the scale of that being a threat to privacy versus a necessary tool to go after cyber threats? >> guest: well, here's the reality. we can protect our digital infrastructure and our civil liberties at the same time.

our civil liberties are not burdens, they are the things that make our country great. and we should go to every single length we possibly can to protect them. and we can make sure that we're still taking the fight to those that are trying to attack us. the devil is always in the details on how you do this. when it comes, you know, a lot of these attacks are coming from offshore in countries that don't have rules against this kind of behavior. the hackers know that, the countries know that. so there's all kinds of tools that we can be using and also trying to work with these countries to pass cybersecurity or legislation to make these, make this kind of behavior illegal. that's another way that we can press on this. but again, the devil's in the details, and we've got to make sure that we're protecting our civil liberties while doing everything we can to take the fight to the bad guys. >> host: congressman hurd, when it comes to degrees of security, does the nsa and the commerce department, for example, do they

need the same levels of security? and should they be on the same system? >> guest: that's a, it's a very good question, and the concept is called defense in depth, you know? being able to protect everything with the same level of security is really hard to do, it's really expensive to do. so when you design your network and you design the data that's flowing across your network, you've got to say what is the most important things that need to be protected, and let me make sure that i design my system to protect that and have the tools to protect that. and so the question is right, it's, you know, nsa has certain things that need to be protected to a certain level, commerce may have some too, but we can't go -- we can't think of a one-size-fits-all solution when it comes to cybersecurity. and this is why we've got to make sure our cios are involved in the planning. what is the most important thing to protect, how can we protect that and continue to allow the movement of information for people to do their job and provide services to the american people?

but this is something that we need to make sure that the folks that are involved in protecting our digital infrastructure understand. and this is a philosophy that has been around in the private sector for some time, and we need to see more of that in the federal government. >> host: are you finding the agencies eager or reluctant to upgrade, update their technology in cybersecurity? >> guest: i think -- one of the frictions that you see is many of the cios across the various agencies understand what they need to do. they're getting some pushback and friction from some of the cfos because the cfos feel like they're losing some of their authority and their power. that's not what it's about. this is about making sure the technical experts are involved in defending those networks. and so that is one aspect to this problem. i think the cios, it's been good to see how some of these agencies have been reaching out

to dhs, department of homeland security and the folks that are involved in helping to defend and test some of the networks within the federal government. so that partnership is new, it's growing, and it's working. and so i've been, i've been happy to see that those kind of relationships are happening. but the reality is if a cio thinks that they can do this all by themselves or have all the tools and don't need help from anyone else, they're wrong. and so making sure that they're going out and asking for the help when they can. >> congressman, i wanted to return to two things you said just to make sure i understand where you are on that rule 41 change i asked about. sounds like you're still studying it? is that what i pick up from you? >> guest: ing yeah, this is a complicated issue and something we have to spend more time studying -- >> host: understood. you also mentioned russia. obviously, they've been in the news lately with the hack of the dnc. congress and the administration have either introduced

legislation or had talks or issued sanctions or threatened sanctions against north korea, iran, china. has the administration and/or congress taken its eye off the ball on russia and kind of having a targeted agenda with cracking down on their cyber hacking? >> guest: well, i think this administration has taken its eye off of russia on many fronts, and that's a huge problem. nobody should be surprised that the russians were involved in hacking american systems in order to try to get a leg up on potential future negotiations. the reality is though that what is a digital act of war and what is the appropriate response. there's not a whole-of-government answer or response to that. different parts of the government kind of have an idea what that means, but the reality is if north korea launches a missile into san francisco, we know how the u.s. government would respond, and the north koreans know how we would respond. that's a physical-on-physical attack.

but what is a digital-on-digital attack, and what's the appropriate countermeasure? be maybe it's a digital reaction, maybe it's aing if reaction, maybe it's sanctions. but there's not clear understanding and agreement on what is a act of war and what is an appropriate response. and until we have those conversations and red lines, it's hard to have a conversation about any individual actor because we haven't agreed upon what is a red line. >> china, there was a recent report by the company fireeye and other companies also confirmed essentially saying china's hacking has dropped off and attributed to a thurm of things, including things the administration has done. is that what your understanding is as far as what's happening? and if so, why do you think it's happening? >> guest: well, that's my understanding of that report. the question is, that is a perspective of one entity on their networks, and they are a very well-respected organization.

and i believe what they are saying, but the question is have we seen the same level or potential dropoff in attacks on federal infrastructure, on military infrastructure, on national security infrastructure? that's the question i do not know. but reality is, is when you do attribution, when you say, hey, we got hacked by these folks, that's a method of deterrence as well too. and i think escalating some of these attacks and talking about how the chinese were involved, i think that is a deterrent in kind of decreasing what they can put -- what they think they can get away from -- get away with, excuse me. so this is an ongoing conversation. and, again, we can't be lulled just because we have data over a handful of months to suggest attacks have gone down. the reality is, is, you know, we shouldn't make any long-term assessments on that information until we have years worth of

that data. >> host: congressman hurled, you mentioned the office of drs. congressman hurd, you mentioned the office of personnel management hack. what are some of the ramifications that we've seen now that it's been several months since that happened? >> guest: well, the ramifications is that there are still folks that may or may not know that their information was stolen. you know, it's hard to, it's hard to pinpoint whether some individual that experienced fraud, if that went -- if that was because their information was stolen in that opm hack. it's been a year since that hack, the american people have become aware of that hack, and there's till a lot more information -- still a lot more information that we need to understand in order to have a longer term assessment. 23 million records is a lot of records. and some of that information you don't have to take advantage of right away. it's stuff that can be used three or four years from now.

and so my fear is that a couple years from now we've topped talking about opm hack, the opm hack is a distant memory, and that's when the bad guys who took the information start using that to conduct fraud and things of that nature. >> host: and, congressman, and you used this term or this idea that this is not a very sexy issue. how do you get the attention of appropriators or and leadership, etc. >> guest: even though it may not be a sexy issue, people recognize this is an important issue. you know, i represent 29 counties in texas; urban areas and rural areas. and the last 17 months i've done over 320 meet and greets, and there's two questions i've gotten asked in each one of those. the question on national security usually, isis or iran related, and the other one's on cybersecurity. and that question is different every time. but people are nervous that, you know, they keep reading about these high profile attacks that

have happened in almost every week. how many people, you know, have had to get a new credit card because their information was stolen somewhere? this is manager that impacts everyone -- this is something that impacts everyone, and i think some folks are afraid of the difficulty of the topic and the technicalities involved in this topic, but people definitely recognize that this is a threat and that this this s only become an increasing threat as we move into a more interconnected digital age. we can talk about the internet of things where, you know, all of our devices start talking to one another, driverless cars, you know? as we put more stuff into the cloud and connected to one another, that increases potential areas where people can attack. and we can continue to grow and leverage technology for good, but we have to think and begin with security in mind and how we protect that information. >> host: tim starks. >> another issue you've been pretty active on congress,

congressman, is there have been some talks where administration officials have gone to vienna and tried to lift some of these export control ricks that they're worried will hurt u.s -- restrictions that they're worried will hurt u.s. cybersecurity companies. what would you like to see the ideal outcome? what would be the final thing you'd like to see happen to make that better? >> guest: well, i think this whole issue is a success. this is where a multilateral agreement was negotiated, and the u.s. government's trying to figure out how to implement it. they got feedback from the private sector, and the private sector said, whoa, there's going to be some serious problem ands some long-term ramifications that weren't taken into account when this agreement was negotiated. department of commerce gets kudos for realizing this. congress played a role in providing oversight and having a conversation on that, and the state department decided to go back and renegotiate the entire multilateral agreement. and they decided to take some

private sector experts to europe for the negotiations. so that is a, that is a huge victory, and my -- what i've heard about these negotiations over the last couple days is that the technical expertise of the private sector, that came from the private sector was invaluable in discussing how do we have a multilateral agreement that helps prevent bad guys from getting some of these tools but doesn't hurt international businesses, local businesses from doing everything to protect themselves. so i think this is a good example of when strong oversight from congress led to something that was a good outcome. >> host: and finally, congressman hurd, what can we expect from your subcommittee in the coming months or year? >> guest: sure. one of the things you can expect is talking about what is a digital act of war. you know, we can also looking at

how do we, how do we allow the chief information officers within a agency to utilize some of the savings they realize in their network for other projects? these are two areas that i think are very important. we're going to continue to play our oversight role within congress on fitara and making sure our agencies are moving in the direction of improving their security across their networks. and one thing that i'm passionate about is making sure that there's true interoperability between the department of defense and v.a. are when it comes to electronic health records. the a soldier, sailor, airman, marine should not be told when they're leaving dod to print out their electronic health record and physically carry it to the v.a. it's 2016. if dod and v.a. is able to achieve real interoperability, they could be the standard for

the world or, and that leads to a lot of great things, everything from doing, you know, digital research cohorts where you can do testing on drugs faster, you can get life saving drugs to the market quicker, you can, you know, as an individual see all of, you know, all of the doctors' visits you've ever had, that's going to help you be healthier and live longer. there's some really exciting things. and the federal government could actually lead in this area if we get our act together. >> host: congressman will hurd is a republican from texas. he's a freshman, and he is also chairman of the subcommittee on information technology. tim starks covers cybersecurity for "politico." this is "the communicators." >> former nato ambassador nicholas burns joins other foreign policy experts for a look at nato. seive live at 1:30 eastern on

c-span. later in the day, officials from the obama and george w. bush administrations. that's also from the atlantic council, and we have it live at 4:30 eastern on c-span. >> i am pleased that the senate as a body has come to this conclusion: television in the senate will undoubtedly provide citizens with greater access and expose your to the alaskas of this body. to the actions of this body. this access will help all americans to be better informed of the problems and the issues which face nation on a day-by-day basis. >> you know, during the election i had the occasion of meeting a woman who had supported me in my campaign. and she decided to come to shake my hand and take a photograph. a wonderful woman, she wasn't asking for anything, and i was or very grateful that he took the time to come by.

it was an unexceptional moment except for the fact that she was born in 1894, and her name was marguerite lewis, an african-american woman who had been born in louisiana, born in the shadow of slavery, born at a time when lynchings were common place, born at a time when african-americans and women could not vote.