Security expert weighs in on cybersecurity regulation and ransomware attacks of US cities

Bryson Bort, founder and CEO of cybersecurity company SCYTHE, fears "death by a thousand paper cuts" more than a digital apocalypse. He also shares his views on how well cyber-deterrence works.

CBS News and CNET Senior Producer Dan Patterson talked with Bryson Bort, founder and CEO of SCYTHE, a cybersecurity company that provides attack simulation, about privacy regulations, cities being attacked by ransomware, and whether cyber-deterrence works well. The following is an edited transcript of their conversation. 

Dan Patterson: Presumably, somebody will win this election, and presumably we will have many people who are going to make determinations about regulation over the next, say, 18 to 36 months. We have some precedent we can look at... the GDPR. California has its own privacy regulations that are emerging, but cybersecurity and cyber defense is still something that is challenging for our federal government. And when we listen to Silicon Valley, we hear mixed signals about whether regulation is good or bad. What is your take? Is regulation coming? What will regulation look like, and should we have regulation of cybersecurity?

Bryson Bort: I'll start with the first point, which is the general straw man that is trotted out in these, is that any government intervention is bad. There's truth to that. Government, particularly the federal government, tends to be big and heavy-handed and that can cause unintended consequences. That doesn't mean that that's always true. And so what I counsel is, we want to see iterative policy. Let's mark a point, learn, understand. Let's engage the technical community in that discussion to bring it together. And when I talk about the technical community, I'm not talking about the traditional Silicon Valley fan group that has millions of dollars of lobbyists pushing for specific economic benefits, but the independent security researcher community, where those folks are really altruistically looking at what are the best ways to solve these problems.

Dan Patterson: Baltimore?

Bryson Bort: I was originally born in Baltimore, not many people know that. Baltimore is yet another example of what we're going to see more. Atlanta, before. There was a small city in [Valdez] Alaska. City government is particularly vulnerable to ransomware, and the democratization of attack that we see. These things are out there, and it doesn't even matter if you're the target, you can get hit, and once you get hit this stuff spreads like wildfire, and it takes everything down. And most city governments don't have the resources to effectively respond. Again, it goes back to how much money ... they're already looking at budget priorities and going, "Well I need to worry about taking care of revitalizing this part of the downtown, and I need to be taking care of the Metro, and I'm doing this, and where does computer security fit in that budget?" It's for everybody, very small. Except for nowadays, it affects all of those things, and in a split second you're going to go back to the Stone Age writing on paper for everything. We're going to see more.

Dan Patterson: What keeps you up at night? What scares you?

Bryson Bort: What scares me? I'm afraid of death by a thousand paper cuts. The cyber Pearl Harbor, the digital apocalypse that has been mentioned--I don't think that's really what's going to happen... I don't think we're going to have a cyber 9/11. I think we're going to be slowly sliced from thousands of directions. And it's one of those things where you're the frog in the boiling water, and the temperature just slowly rises until it's too late, and we're boiled. And we're an awesome target for that because of our center stage as the driver of democracy in this world, and, excuse me, as the standard bearer for democracy in this world, as well as the number one economy, as well as that our military is there to provide stability for commerce throughout the world. And if it can be done to us that way, it can be much more easily done to anyone else. And so my fear is that we're going to find ourselves in an untenable situation. And we didn't notice it, because it was a sum of thousands of attacks.

Dan Patterson: And the solution?

Bryson Bort: I don't know. I don't know what the complete solution is. The best that I can offer is, we really need to take this seriously as private citizens, private industry, and as government working together. Private industry is on the forefront of these attacks because they're the most vulnerable. They are the economic powerhouse of everything that we do, and I think the government needs to take a much stronger stance on what kinds of resources it's providing in support of that, and the more repetition of what we saw with Cyber Command in 2018 with our Defend Forward strategy. There's a lot of argument in expert circles about how well does cyber-deterrence work? And personally, I don't think we've yet found the right combination where I've been able to deter you as an aggressive adversary to stop doing what you're doing. We need to find a way to impose enough cost on you, the decision-maker in that authoritarian regime that it's no longer worth it for you to direct your minions to do what they're doing.

Bryson Bort, founder and CEO of SCYTHE, a cybersecurity company that provides attack simulation

Image: Mackenzie Burke/TechRepublic