Endgame's chief social scientist: We need a cyber security "paradigm shift"

Rebecca Zisser / Axios

Endgame's chief social scientist Andrea Limbago breaks down the most critical cybersecurity issues threatening both the U.S. and the world today. From Russian meddling in the U.S. election, to the global WannaCry ransomeware attack, Limbago says we need to start getting serious — fast — about implementing stronger cyber policies and protections, before a catastrophic attack causes irreparable damage.

The broad view: Limbago is adamant that the size and scale of future cyber attacks will only intensify, but she's confident there are defenses that can be built, as long as society accepts the fact that more sophisticated and targeted attacks are coming. "We can't pretend it's not out there anymore," said Limbago. "We need our policies to step up to the modern reality."

Most security experts say you should "assume you will get hacked" — that it's inevitable. But what can companies do in place of that? Both from a user policy perspective and in regard to tech precautions?

Cyber security issues have been around longer than we give them credit for, and we really should have more policies in place by now. For the private sector, you can assume that you're going to be under attack, I think that's a safe assumption and we've seen that, but that does not mean you should throw your hands up in the air and just give up. They need to start taking the defensive aspect (such as education and installing protective software) much more seriously, and I don't think that's really happened yet.

As for the policy side, we haven't really gotten anywhere. For instance, the executive order that just came out. What we really need right now is an integrated policy. John McCain has been very vocal about this and I tend to agree with his point on cyber policy. We're kind of still running around without any guidance in that area, and that's why there has been zero sign of deterrence so far.

Do think Trump's cyber executive order has put a dent in the work that needs to be done in regard to cyber security?

The EO should've been more, it's kind of vanilla. There is nothing terribly provocative about it. On the one hand it's good because you have a proposal that finally starts to prioritize cyber security... but we're at the point where incremental assessments aren't what we need. We need more of a paradigm shift, and that's where policy can come in, as well as integration into larger, strategic outlooks.

What will it take for individuals, organizations, and the government to really get serious about cyber?

I wish I was more optimistic on this, but I do think it will take a pretty big attack. I almost feel that WannaCry was a testing ground... one theory is that that's actually what it was, a test to see how people would respond and how widespread it would be. Not that that's true, but if it were, it worked. You saw how organizations responded, how unprepared so many were. The US generally got off pretty light on that, so we were lucky, but just imagine if WannaCry had hit the US really hard, if it had hit our hospitals really hard.

At the end of the day, even though WannaCry made the 24-hour news cycle, it quickly peered off again. So, I think it would have to take something really large, something truly impacting the US. I hope it doesn't come to that, but honestly I don't see that happening right now.

Are consumers losing trust in some of the digital platforms they rely on so much?

I think that they're losing trust but I'm not sure it's changing their behavior. I think the public is less inclined to trust both the government to protect their data, but also increasingly now some of the big companies like Google and Facebook that actually own the data. I still think there's going to be a divide between the tech-savvy, the people who just really get it, and those who don't. I also think a lot of people think that even if they were to stop sharing so much, the data is out there already... so they just give up.

What's your biggest takeaway from the recent attacks we've seen? What should we learn from them?

On the one hand, there's been an appropriate focus on Russia, and that needs to continue. But with what Russia is doing, it's important to keep in mind that those kind of tactics and techniques are available to other actors as well. It's not just the Russians we need to watch any more. While our policies, some of which are 30 years old, were made to counter one threat, our response should not be to just solely focus on the Russia threat, but learn lessons on what they have done. Other actors — we saw it with WannaCry — are going to take their approaches to achieve whatever their own objectives are.