Rep. Will Hurd (R) of Texas felt the sting of the Office of Personnel Management breach firsthand. After all, the current chairman of the IT subcommittee on the House Committee on Oversight and Government Reform is a former undercover CIA officer. His personal records – along with millions of other people's – are very likely in the hands of the hackers.
"The Chinese and the Russians know a whole lot about me from my days in the CIA," Representative Hurd told Passcode's Sara Sorcher and New America's Peter Singer in the latest Cybersecurity Podcast episode. "One of the things that was so egregious to me is that OPM never said, 'I'm sorry.' OPM never said, 'My bad.' That is what's outrageous."
"We still don't know: Has everybody who has been potentially implicated been notified?" Hurd continued. "One of the forms you use in the background investigations is 100 or so pages. If you had a security clearance and your neighbors were interviewed, your neighbors' Social Security Numbers and details were included. If you were married and let's say you got divorced, was that divorced spouse notified?"
Hurd is a rare breed in Congress: He also worked to defend the private sector from digital attacks as a cybersecurity professional. Now he has some key advice for other officials looking to clean up the OPM mess: "Encrypting data at rest. That's something very basic. The way this person got into this information is because the permissions this user was given were completely wrong," he said on the podcast. "I have a lot of people who come to the subcommittee and say, 'We need more money.' Well you don't always need more money to review the permissions of your users to make sure that you can't gain access to things you shouldn't get access to."
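The permissions review Hurd describes is cheap to automate. The script below is an added illustration, not code from the podcast, from OPM or from Rep. Hurd: it compares what each account has actually been granted against what its role is entitled to, and flags over-grants, grants to accounts with no defined role, and inactive accounts that still hold access. The roles, permission names (such as "sf86:read") and accounts are constructed sample data; a real review would pull both sides from the directory and the application's role definitions.

```python
from dataclasses import dataclass

# Permissions each role legitimately needs. Constructed sample entitlements;
# a real review would load these from the system's role definitions.
ROLE_ENTITLEMENTS = {
    "investigator": {"sf86:read"},
    "hr-clerk": {"personnel:read", "personnel:write"},
    "contractor-dev": {"personnel:read"},
}

# Permissions whose misuse exposes clearance files (assumed labelling).
SENSITIVE = {"sf86:read", "sf86:write"}


@dataclass(frozen=True)
class Account:
    name: str
    role: str
    granted: frozenset  # permissions actually present on the account
    active: bool = True


@dataclass(frozen=True)
class Finding:
    account: str
    kind: str          # "excess", "unknown-role" or "inactive-with-access"
    perms: frozenset   # the permissions the finding is about
    severity: str      # "high" if a sensitive permission is involved, else "medium"


def severity_for(perms):
    return "high" if perms & SENSITIVE else "medium"


def excess_permissions(acct):
    """Permissions granted beyond what the account's role entitles it to."""
    return acct.granted - ROLE_ENTITLEMENTS.get(acct.role, frozenset())


def audit(accounts):
    """Return least-privilege findings, worst first."""
    findings = []
    for acct in accounts:
        if acct.role not in ROLE_ENTITLEMENTS:
            # No entitlement definition exists, so every grant is unjustified.
            if acct.granted:
                findings.append(Finding(acct.name, "unknown-role",
                                        acct.granted, severity_for(acct.granted)))
        else:
            excess = excess_permissions(acct)
            if excess:
                findings.append(Finding(acct.name, "excess",
                                        excess, severity_for(excess)))
        # Dormant accounts keep their grants unless someone removes them.
        if not acct.active and acct.granted:
            findings.append(Finding(acct.name, "inactive-with-access",
                                    acct.granted, severity_for(acct.granted)))
    # Sensitive over-grants first, then alphabetical, so a reviewer sees the
    # clearance-file exposures at the top of the report.
    findings.sort(key=lambda f: (f.severity != "high", f.account))
    return findings


# Constructed sample accounts (not real users).
SAMPLE_ACCOUNTS = [
    Account("alice", "investigator", frozenset({"sf86:read"})),
    Account("bob", "contractor-dev",
            frozenset({"personnel:read", "sf86:read", "sf86:write"})),
    Account("carol", "hr-clerk",
            frozenset({"personnel:read", "personnel:write", "personnel:export"})),
    Account("dave", "investigator", frozenset({"sf86:read"}), active=False),
    Account("eve", "intern", frozenset({"personnel:read"})),
]


def sample_findings():
    return audit(SAMPLE_ACCOUNTS)


if __name__ == "__main__":
    for f in sample_findings():
        print(f"{f.severity:6} {f.account:6} {f.kind:22} {sorted(f.perms)}")
```

Run against the sample data, the report puts bob (a developer account holding read and write on clearance files) and dave (a disabled account that still reads them) at the top, then carol's unneeded export right and eve's grant under a role nobody defined. None of that requires new budget; it requires someone to diff grants against entitlements on a schedule.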
Chris Valasek, who made headlines this summer by demonstrating a live hack of a Jeep Cherokee with a Wired reporter in it – work that forced a recall of some 1.4 million Chrysler vehicles – also joined this podcast episode. Now a security lead at Uber’s advanced technologies center, Mr. Valasek talks about the line between drawing attention to cybersecurity issues and a dangerous stunt; how companies can make themselves available for "free quality assurance" hackers can provide; and security concerns within the Internet of Things.
The podcast is cohosted by Peter W. Singer, strategist at the New America think tank and author of "Cybersecurity and Cyberwar: What Everyone Needs to Know," and Sara Sorcher, deputy editor of The Christian Science Monitor's Passcode. The podcast is available for download on iTunes. You can find more information about the podcast on Passcode's long-form storytelling platform. Bookmark New America's SoundCloud page for new episodes or sign up for Passcode below.
In previous Cybersecurity Podcast episodes, the team interviewed leading privacy and cyberlaw expert Peter Swire about the half-life of secrets, surveillance and whether law enforcement was truly "going dark" in its pursuit of criminals and terrorists. Rick Howard, chief security officer for Palo Alto Networks and an Army veteran, joined the last podcast to weigh in on the line between spying for economic advantage and state secrets and whether companies should be able to strike back online to protect their interests.
They also interviewed Katie Moussouris, chief policy officer for HackerOne, about ways to incentivize hackers to report vulnerabilities they find, and the Brunswick Group's Siobhan Gorman about the "golden rules" companies should follow when disclosing they've been breached.
Singer and Sorcher spoke with Cory Doctorow – science fiction author, journalist, and coeditor of Boing Boing – about the lessons about cyber conflict that can be learned from science fiction, and Dan Kaufman, who at the time was head of the Defense Advanced Research Projects Agency's Information Innovation Office.
Previous episodes have also included guests such as Bruce Schneier, prolific author and chief technology officer at Resilient Systems; Nate Fick, the chief executive officer of Endgame, a venture-backed security intelligence software company; and Wired's Kim Zetter, author of "Countdown to Zero Day: Stuxnet and the Launch of the World's First Digital Weapon."
The team also interviewed Alex Stamos, who at the time was Yahoo's chief information security officer, and Heather West of Internet performance and security company CloudFlare.
Lt. Gen. Edward Cardon, the Army's top cyber commander, and Shane Harris, reporter at The Daily Beast and author of "@War: The Rise of the Military-Internet Complex," joined for the first episode.