Jun 5, 2017

Endgame's chief social scientist: We need a cyber security "paradigm shift"

Rebecca Zisser / Axios

Endgame's chief social scientist Andrea Limbago breaks down the most critical cybersecurity issues threatening both the U.S. and the world today. From Russian meddling in the U.S. election, to the global WannaCry ransomware attack, Limbago says we need to start getting serious — fast — about implementing stronger cyber policies and protections, before a catastrophic attack causes irreparable damage.

The broad view: Limbago is adamant that the size and scale of future cyber attacks will only intensify, but she's confident there are defenses that can be built, as long as society accepts the fact that more sophisticated and targeted attacks are coming. "We can't pretend it's not out there anymore," said Limbago. "We need our policies to step up to the modern reality."

Most security experts say you should "assume you will get hacked" — that it's inevitable. But what can companies do in place of that? Both from a user policy perspective and in regard to tech precautions?

Cyber security issues have been around longer than we give them credit for, and we really should have more policies in place by now. For the private sector, you can assume that you're going to be under attack, I think that's a safe assumption and we've seen that, but that does not mean you should throw your hands up in the air and just give up. They need to start taking the defensive aspect (such as education and installing protective software) much more seriously, and I don't think that's really happened yet.

As for the policy side, we haven't really gotten anywhere. For instance, the executive order that just came out. What we really need right now is an integrated policy. John McCain has been very vocal about this and I tend to agree with his point on cyber policy. We're kind of still running around without any guidance in that area, and that's why there has been zero sign of deterrence so far.

Do you think Trump's cyber executive order has put a dent in the work that needs to be done in regard to cyber security?

The EO should've been more, it's kind of vanilla. There is nothing terribly provocative about it. On the one hand it's good because you have a proposal that finally starts to prioritize cyber security... but we're at the point where incremental assessments aren't what we need. We need more of a paradigm shift, and that's where policy can come in, as well as integration into larger, strategic outlooks.

What will it take for individuals, organizations, and the government to really get serious about cyber?

I wish I was more optimistic on this, but I do think it will take a pretty big attack. I almost feel that WannaCry was a testing ground... one theory is that that's actually what it was, a test to see how people would respond and how widespread it would be. Not that that's true, but if it were, it worked. You saw how organizations responded, how unprepared so many were. The US generally got off pretty light on that, so we were lucky, but just imagine if WannaCry had hit the US really hard, if it had hit our hospitals really hard.

At the end of the day, even though WannaCry made the 24-hour news cycle, it quickly petered off again. So, I think it would have to take something really large, something truly impacting the US. I hope it doesn't come to that, but honestly I don't see that happening right now.

Are consumers losing trust in some of the digital platforms they rely on so much?

I think that they're losing trust but I'm not sure it's changing their behavior. I think the public is less inclined to trust both the government to protect their data, but also increasingly now some of the big companies like Google and Facebook that actually own the data. I still think there's going to be a divide between the tech-savvy, the people who just really get it, and those who don't. I also think a lot of people think that even if they were to stop sharing so much, the data is out there already... so they just give up.

What's your biggest takeaway from the recent attacks we've seen? What should we learn from them?

On the one hand, there's been an appropriate focus on Russia, and that needs to continue. But with what Russia is doing, it's important to keep in mind that those kinds of tactics and techniques are available to other actors as well. It's not just the Russians we need to watch any more. While our policies, some of which are 30 years old, were made to counter one threat, our response should not be to just solely focus on the Russia threat, but learn lessons on what they have done. Other actors — we saw it with WannaCry — are going to take their approaches to achieve whatever their own objectives are.
