How the government should regulate cybersecurity

CNET and CBS News Senior Producer Dan Patterson spoke with cybersecurity company Dragos, Inc., Founder and CEO Robert Lee about the security of the US infrastructure and how IoT should be regulated. The following is an edited transcript of the interview.

Robert Lee: On one end of the spectrum, something has to be done. [Internet of Things (IoT)] devices are a ripe discussion for regulation. I would position so because there's no single community to touch, there's no economic driver right now to actually be thinking about security in those devices, so regulation could make sense there.

But the type of regulation you want to implement is where it can get dangerous. The Facebooks of the world would love more regulation that actually tailors to themselves, and makes it harder for entries into the market to be competitors. The electric infrastructure that we have, I keep going back to that, but the US electric infrastructure in the United States is some of the most regulated infrastructure in the world. We have the NERC-CIP regulations; we've had those for over a decade now. They're very, very strict, million-dollar-a-day type fines for violations. But we have to be willing to be flexible as well.

I testified in front of the Senate on that exact topic and said, "Look, the electric infrastructure, the regulations we have, we're better off today. Our electric infrastructure is better off than it's ever been. It's the best in the world, and regulation has played a part in that. But we've learned a lot about attacks in the last couple years, and if you're thinking pre-2014, we didn't know a lot about industrial-specific threats. So, if all your regulations, and frameworks, and policies, and best practices are pre-2014, let's take a time out, learn something over the past couple years, and then apply that to regulation. Maybe more programmatic instead of performance-based."

On the opposite side of the spectrum, we think about liquid natural gas and pipelines connecting in our infrastructure. We think about IoT, we think of those other communities, we can take different approaches based on the communities. Again, IoT, maybe there's not one community to take ahold of. Natural gas pipelines, there's a community, there's an ecosystem. You can have conversations and go, "Look, this is what we want to regulate towards, how do we get from A to Z? Let's have a bilateral conversation about it."

Without a community though, you can't do that. And that's where I think, again, regulation for things like IoT would make more sense. But I caution that every time I hear a security expert say, "If we only had better passwords. If we only regulated firmware checking." Any point thing can have disastrous butterfly effects on what you would actually really be accomplishing. And a lot of times we are introducing more and new risk by the type of regulations we write.

Dan Patterson: All right. Robert, I wish we could chatter about this all day, but leave me with one takeaway. When you go to bed at night what scares you?

Robert Lee: What scares me is always the fear. I think we have a lot of amazing people around our infrastructure doing wonderful things. I think the threats are not only real and extremely aggressive, but I think we'll be able to really invest towards that. But the fear is insane. And the amount of ill-informed security experts that talk about things that they probably should not be talking about, that are outside their expertise, and informing everybody from Congress to the public. They wrap around a fear that even a small infrastructure attack could have disastrous consequences.