How the US hacks other countries

The founder and CEO of Dragos speaks with Dan Patterson about the US hacking other countries and its policies when responding to cybersecurity threats.

How the US hacks other countries

Dan Patterson, CNET and CBS News Senior Producer, spoke with cybersecurity company Dragos, Inc., Founder and CEO Robert Lee about the role the US plays in hacking other countries as well as the policies for cyberattacks in the US that result in loss of life. The following is an edited transcript of the interview.

Dan Patterson: Is there a symmetry here? Is the United States also hacking our adversaries and maybe even our allies?

Robert Lee: It's very fair to say that every state wants parity with each other--they absolutely want to be able to have the capabilities other states have. I think where you draw the line is up to interpretation. The US official policies where the standpoint is we don't target civilian infrastructure, so where a Russian or Chinese team might feel comfortable breaking into US electric power, that's something on the surface the US would say, "We don't do." 

SEE: Mastermind con man behind Catch Me If You Can talks cybersecurity (TechRepublic download)

I think that that's up to interpretation though because if you then deem it to be electric power supporting military base, maybe you would say that it's actually a military target. I think those lines haven't been fully fleshed out, largely to the detriment of everyone else.

Dan Patterson: Help me understand before we talk a little bit about the future about IoT, the cloud, and edge computing, help me understand what would happen if there were a cyberattack that resulted in loss of life here in the United States. What are our policies in terms of responding in kind to those types of attacks?

Robert Lee: There are a lot of different folks at different levels of the government from the National Security Council, the Department of Homeland Security, and Department of Defense that try to have those conversations and I think honestly, there's a little bit of confusion around what would happen at certain levels of attacks. We all can get our minds around the Eastern interconnect going out on the power grid. We have massive power loss from New York down to DC and so forth. We would think that's a large economic impact. Military-like action. 

We could wrap our minds around war and we could wrap our minds around really what'd be armed conflict with states. If you look smaller though, we kind of get in this area where the public is still really scared, but it's not really enough for armed conflict. Say the Saudi Arabia attack that happened, say something like that happened in the US where maybe a cyberattack took place on an oil refinery and killed five people.

Well, now you're in the land of really significant, like it's too harsh for just sanctions, but at the same time, it's not enough for wartime like actions. That's also where policy and norms and diplomacy need to be in a pretty good place to have those conversations. I think that we have not really established a lot of the mechanisms required to really face those types of situations well. I'm actually more concerned about a 30-minute power outage in a town than I am about grid-wide take down. 

There's more than one electric grid in the United States. These ideas of one cyberattack taking down the bulk electric system is pretty ridiculous at times. But if you have a 30-minute power outage due to a foreign power at a local town, you still scare the heck out of everybody. You still have policy implications. You still have congressmen and senators have to respond. It accomplishes a lot without actually being a very complicated attack.

Watch more interviews with Dan Patterson and Robert Lee 

Also see

20200225-lee-part3-dan.jpg

Robert Lee, founder and CEO of Dragos, Inc. 

Image: TechRepublic