Show Notes:

Today on the show we welcome Andrea Little Limbago. Andrea is the Chief Social Scientist at
Endgame, directing and contributing to the company’s technical content. She has a background
in quantitative social science and direct operational support and writes extensively on the
geopolitics of the cyber domain, policy, and data science – making her the perfect guest for
today’s topic. It’s often easy to forget that behind every computer is a human being and that
cyber security is as much a human problem as it is a technical problem. In this episode, we talk
with Andrea about the challenge of securing the internet humanely and what the future of the
internet looks like as it splinters from an open, borderless system to one that increasingly gets
controlled by state and sovereign nations. We touch on the challenges faced by the cyber
security workforce today, US elections, China’s new social credit system, crypto-currency, the
new developments in GDPR and how they all have the potential to impact democracies and the
control over your own data.

Key Points From This Episode:

Andrea's journey from academia to cyber security.
Why cyber security is also a retention challenge.
How companies can protect their employees from burnout.
What happened to the utopian idea of the internet?
State sovereignty and the balkanize internet or splinter net.
The implications of China’s new social credit system.
Learn more about GDPR and the control over your own data.
Does Russia’s internet look different to the rest of the internet?
The effects of the crypto currency movement on cyber security.
Learn more about the Russia-China authoritarian model.
Will GDPR be successful in helping democracies move forward?
Discover what Endgame does and how it operates on a daily basis.
Find out what it’s like being a woman in cyber security today.
Fake news and cyber hacks and their effect on the political climate.
And much more!

Links Mentioned in This Episode:
Endgame 
Andrea Little Limbago on Twitter
Andrea Little Limbago on LinkedIn

“The ‘hacking back’ bill isn’t the answer to cyberattacks” by Andrea Little Limbago 

Full Transcript of the Interview

In this interview, cyber security is a human problem. We sit down with Andrea Little Limbago, Chief Social Scientist at Endgame, and talk about how people figure into the challenge of securing the internet and what the future of the internet looks like as it splinters from an open borderless system to one that increasingly gets controlled by state and sovereign nations.

Well, thanks for sitting down with us. Just for people who are reading, introduce yourself.

My name is Andrea Little Limbago. I’m the Chief Social Scientist at Endgame. It’s a security company based in the DC area. My background actually is a little bit different. I’ve been – I started off in academia, had a PhD in Political Science.

Man, I feel for you. PhDs require a lot of years.

Those were a lot of years. I spent my 20s in school. Did a lot of computational modeling of interstate conflict. From there, I taught a little bit. Went to NYU and taught there and then went to the government and worked for Department of Defense. Then doing various kinds of analytics, and now I’m at Endgame. I’m researching and writing on the geo-political aspects of cyber security.

Interesting. Yeah, Chief Social Scientist I don’t often hear. Is that a role at a lot of Cyber Security firms?

No, it’s not. I made up the title and they went along with it.. It’s nice when you get to do that, right?

I just made it up. That’s good.

I’m the only one. I’m lucky in that regard. I’m just starting to cross with other social scientists, one’s in the conference right now. There’s another one. We somehow tend to find each other. We would flock together. It’s good. There needs to be more social scientist in this area. We always say cyber security is highly technical, but there’s a human behind everything.

It’s the 8th layer, right? The one we can’t secure.

That’s exactly – We’re not going to. Now I just understand defenses also, understand the attackers and their motives and incentives. Then even to see the interfaces for a lot of the technologies just aren’t user friendly. That’s another aspect of it all. The data visualization and making it so that analysts can actually use the products.there’s a broad range. I wrote something on this just last week on the range of your jobs now in cyber security is so much more broad, and it’s not just the hackers which depend testing and all that and the reverse engineering is always going to be important. But there’s a broad skillset that’s needed.

I think the range of – I mean, they always talk about a million plus open positions, but you can’t show up at an event. Also, I think part of that is that a lot of the jobs are – they’re not only hard in many cases, they’re really repetitive and tedious and those sorts of things.

Yeah, that’s what’s interesting. I actually I just presented here. I did a survey at the end of last summer on retention. There’s a lot of focus on the pipeline as it should be. You’re hoping to grow the pipeline, but cyber security also the retention challenge, and part of it based on the survey, one of the big issues is burn out, which that’s understandable. Part of what we see in the burnout is to see there aren’t great career trajectories, and some of the stuff as people come in they are doing – it’s rote processes, so they’re the same thing over and over that just can become very tedious.

On one hand, there’s a super challenging aspects of cyber security, but there’s also some of it that we really need to work toward automating and helping make that part of the job better for the workforce. If we can enhance in that area, I think that would be another way to help retain and that’s something that people commented on numerous times throughout that survey.

Yeah. It’s how do we make you not doing the same job over and over and over again.

Exactly. Yeah, because anyone is going to burn out. It’s not even you’re just doing it over and over again. It’s for long hours, it can be your nights and weekends. It never ends, I mean really.

You literally are in this world where everything is a potential disaster, right?

Yeah. End the of the day it doesn’t matter what – how much you stopped if something got in. That’s where you’re held accountable. It’s stacked against you, and so even how corporations do metrics performance and success that those are the things as well that need to be – to take those aspects in the counties. It’s a different kind of job than many of the other ones, and we just haven’t really innovated organizationally, I think.

I mean, part of – in all of the discussions, we often talk about the problems, but we also think it’s nice to highlight potential solutions and people who – or at least people who are doing it well. Now in this space, that’s usually not actually company name. There’s no nuance to talk about it.

That’s exactly right.

Specific. If you think about people who are – or organizations. What are they doing that is working, even for the retention issues particularly?

Yeah, the different aspects, some can be something as simple as company said you have paid time off and those things. Making sure your employees take that, and when they take that they’re not actually making the more vacations. Providing those breaks – I mean, something that seems so simple, right? Actually, I even hear from certain levels they push back, “Oh, they got you all in unlimited leave, which means they’re going to take unlimited time off.”

In cyber security that does not tend to be what happens. No. People aren’t taking their time off. Then when they are, it’s a work vacation, which isn’t a fun vacation. People need to take a break. They need to step away from it, unwind. That’s so important for mental health. Those aspects of it, some companies are doing things that cross-mingle the security workforce withthe rest of the workforce to make it more of a – like a collegial relationship, because so often security is viewed as – they’re there to slow us down, as opposed to you’ll keep us safe. Just better education in that area I think helps out a lot.

Yeah. Then you create that culture of security, right? Because there is that discussion and you understand maybe why people aren’t implementing procedures that you’ve set up and also then they maybe do – use some of the procedures, because they realize how important it is.

They do. Then they also see that when you don’t have that is it people trying to circumvent the security, which then – yeah, that’s not helpful either. That doesn’t help anyone. It’s communication which then gets factored to the broader range of skills that are needed.

I’m laughing, because I remember a friend who I used to work with. I think we had Blue Coat where it’s walked here from going to sites. I get it. You’re not supposed to go to sites that are inappropriate for work. But ESPN was blocked and stuff like that. My friend whenever he got that, and you quickly realize like – and the warnings awful. It’s the first time you’re like, “Oh, my God.” Then once you hit it like a 100 times, you’re just like, “Nothing is going to happen.”

You’re desensitized too. It’s like doesn’t never – Yeah.

My friend, whenever he got one, he just go right back. He’s like, “Yeah, you know it.”

That’s right.

It’s that human challenge. Whatever where do they intersect.

Yeah. Even they have – these were the broader thinking about security, if we’re still – one of our biggest problems of seeing a thing, for humans to not click on a link. That I should not be – we should not the counting on that for good security.

Humans are going to screw stuff up. We should count that that is going to happen.

That’s exactly right. Yeah. We need to just think more creatively in a lot of these different areas. I think we can be starting to do that, which is good. But I think for it to happen, again I think it needs – you different discipline is all coming in together and working together on that.

I had a chance before we sat down to read through a couple of articles that you’ve written recently. Again, the terrorized look –

I know. I hope I remember what I wrote.

To make it easy. One of the things that you were talking about were the different frameworks of how people are thinking about data, particularly like GDPR versus some of the other countries. Their way of thinking about security and about data controls. For those people who didn’t have a chance to find that article, walk us through those different frameworks.

No, this is one of the things – the thing about that it keeps me up at night. You see I have to go down that road. We’re moving to our – initially, the internet, the vision of it was for your free and open internet. Only good is going to come from that.

An idyllic place.

Exactly right. It’s a utopia. Of course, someone who studied conflict and state warfare, I can’t think about the dystopian. I worry that we’re actually moving more and more towards a place where – it’s called the Balkanize internet, or the splinter net. It’s a breaking part of the internet based on state sovereignty, which is interesting, because it’s so different than – even five years ago everyone was like, “Oh, it’s a borderless internet.” Really it’s not.

Countries, especially with different regimes are starting to have - implement their own versions – to tell like data localization. Maybe on regulation as far as what data government should access and it could be anything from your social media to e-mail, so really could be almost anything in some states.

Yeah, the Great Firewall is probably what people are most familiar with, right?

Yeah, there is the Great Firewall, but then other countries are now trying to implement this – very similar. This is why it matters so much. They’ve got China on the one hand who’s basically the forefront of that model where basically it’s a closed off, they control what information comes in and out. China is implementing a social credit system now, which to me is terrifying, but it’s –

I’m not familiar with that. What’s a social credit system?

It’s only starting to implement and it’s going to be rolling out over the next few years. It’s a score that every one person is going to have based in, I think of it has actually rolled out. Some of these scores are already existing. It could be based on anything from your online content, who is in your social network and their scores, in addition to other kind of things like have you been late on a loan? Have you been late paying bills?

It’s taking in all these various aspects and creating scores for you. It could impact then down the road your job applications, whether you get a loan for something. It’s going to have this – it’s going to permeate throughout society and it’s all under government control.

It’s like your credit score on steroids with a political filter rolled over it?

Yeah.

Oh, my gosh.

It’s based on who was within your network as well. That’s going to start stratifying society as well between the haves and have nots. I’ve read an article, I think I cited this in my own case that we’re already starting to get implemented. People are looking at how they can move up and who they can link to, to help them move up that ladder. Then intentionally not linking to other people. That’s one version of it.

What I think is the more Utopian and hopefully more towards the individual privacy is more like the GDPR, which the EU is rolling out in May. That’s much more sale on personal privacy. The aspects have the right to be forgotten. It is very popular in Europe and different in the United States.

People get access to their own data from whatever company if they ask for it. There have been some interesting stories where in about that of people getting their dating profile, the data coming back to them and just be like, “Oh, my God.” The amount that people put into that. They don’t – without realizing how much information they’re putting into it. That was in GDPR. I love that’s being protected, so the individual has more control over their own data. You could see those are the two extremes going on right now.

Yeah. We try and stay hopeful in these  these talks, I mean other than the China stuff. It’s truly frightening, right?

Absolutely.

That idea of it’s not just even with the government is potentially doing, but then you start to have people self-sensor an act in reaction to it, right?

Yes. I should say there is some – the society was in China is by no means monolithic. There are groups that are circumventing the censorship as well, finding interesting ways to go around it. Just because that’s the path we’re going down now, it doesn’t mean it forever will be. I think we have to keep that in mind as well.

Especially I was trying to be more on the political science side. Their approaching a GDP per capita for a lot of countries historically have transitioned into democracies. They’re going to be at a turning point with a lot of other social factors and technology factors going on that just because this is the path their on now, it doesn’t mean that that’s always going to be the one they’ll be on.

Which is incredibly frightening I think if you’re in the leadership.

Absolutely.

I’m sure they’re looking at the data with a lot more diligence than maybe we are.

Yeah, absolutely. They also have more of the longer term outlook on things. They’re also throwing a lot of technology and really, they’re looking at AI as a new Sputnik moment and they want to win that race. At the same time, they are thinking about how to maintain control that’s why you’re seeing a lot of the corruption you’re going through and it’s why they’re calling out some of the different leadership purges that are going on. Yeah, it’s a fascinating time to watch that at the same time. That is not even talking about Russia and some other countries.

One of the things I wonder is partly as you think about cyber conflict and cyber warfare is part of that data control balkanization of the internet partly to if you think, okay I mean one of the interesting scary unique things about cyber warfare is that once you release an exploit, you may not have full control over where it goes and what it hits. If you start to take your own – an entire country systems to a different place, right? Then if you release potential exploits, what happens?

That intending consequences. Then you’re even taking a step further. Depending on who – which government is doing that may or may not care about unintended consequences. The best example of that actually is from last year is Not PETYA, if you remember. That was one after Wanna Cry. Global Ransomware that actually had a wiper malware component attack within it. It turns out everyone thought oh, global ransomware just like Wanna Cry. Initially that’s what everyone thought. It turns out it wasn’t just for that. It was targeted at Ukraine. But it had global reach. There were some companies that it cost several hundred millions of damageas collateral damage. It’s been somewhat attributed to Russia who doesn’t care. It’s not within their – does not impacting them at all. If the FedEx or Maersk, or any of those get hit.

Yeah. I mean, one they don’t really have ownership stakes in them. I’ve heard this, but I’d love your perspective, is that the Russian internet in some ways looks very different than the rest of the internet, so a lot of the exploits don’t necessarily impact them?

 Yeah. I haven’t done any of my own analysis on that, but I’ve heard that as well. That’s what gets back to some of the targeting and how so many of these are increasingly customized for certain intended effects. Then you have some organization is unlucky enough to look very similar to the actual target they’re going to be hit by it. Yeah, I think that does impact the exploit profile and the target profile.

Yeah. Then the whole cryptocurrency movement is really interesting as well from either one, an ability for nations. Criminals or nation states could potentially profit. I mean, North Korea, might be their top business, right?

I would say that. That’s what first comes to mind, right? Well, they already made a lot of money off to your tacking Swift. Why not go after Bitcoin? Why not go with – It’s very lucrative and there are no repercussions.

Right. Because is on the internet in North Korea other than these guys.

Yeah. Loving this. With the intersection of Russia just creating the second access for North Korea.

I don’t know to that.

Before North Korea, basically there’s one way to get one pipeline into the internet for North Korea. China provided that. Russia’s now provided the second one within the last two or three months.

Just because they thought, “Why not?”

Why not? Yeah. That’s the interesting – the dynamics we’re starting to see is the unlikely allies I think are starting to – I think there’s more collaboration or at least mutual interest they’re going all with North Korea and Russia.

Right, we’re trying to get back to hope. GDPR, I think the interesting thing that we’ve been talking about with some people is that we’ll – I’d love your opinion is – do you think essentially GDPR will become a global standard for those who are not necessarily moving to the Russia and China model?

I think it’s going to be the trailblazer for it. There’s two different pathways. One is what they call cyber sovereignty path and that’s what the Russia-China authoritarian model. The other one is a multi-stakeholder model. That’s what democracies are tending to go under where they do protect individual liberties and freedom in addition to having free and open area as best you can even if it’s not the entire globe, the same perhaps within different blocks of it.

Yeah, but I mean, we’re already seeing other countries starting to copy some aspects of the GDPR. Even in the US we are. I think that it is setting a path for how democracies are going to move forward, which is why it’s important to keep an eye on it. Even like in the US, people may think it doesn’t matter, because it’s a EU regulation. Any company that has European data –

It’s basically everyone.

Yeah. Right? Then also safe for wherever it’s down, these similar aspects regulations are probably coming down the road. That’s the interesting thing that for so long policy and law has lagged so, so far behind technology. We’re starting to see that change now. The EU does seem to be leading a way in that area. We’ll see. We still have way more structured policy and more of the national security in this area, but as far as data privacy, it is moving forward.

All right. I mean, if this is your day job, like I want a day job and I make up my own title. I have to get that PhD first.

Yeah. You got to do that. You’ll be poor for a while, so it’s tough.

Ouch. I’d love to hear a little bit about Endgame and what you guys are doing and how you’re seeing the world. What are you guys doing on a daily basis?

Yeah. We are a product company, so we have endpoint protection platform. What I like a lot about it, I’m part of the research team. For us, we bring the different disciplines together like I was talking about. The machine learning aspect to it, we’ve got a data science team, which is phenomenal. A lot of R&D going in there for protecting malware and so forth, in addition to a lot of people who have – with government backgrounds for an offense and are implementing the prevention detection techniques to stop what they know how to do.

Implementing all of it together, but also within – we have a design team, so making sure that the interface design – it means that you don’t have to have a PhD, or 10 years, 20 years of experience if something come in and you protect their data a lot faster. It’s for enterprises.

Got you. Roll out across any device that you have, or is there a specific focus?

Specific focus is much more so within the corporate network. It’s not going to be something that an individual will – you’re on the road by and put at –

If I’m a corporate user and I end up bring your own device take?

No. It’s the security operation cells. For the folks we’re actually protecting, the company.

Okay. Pretty focused.

Yeah, very focused on that – the niche component of people who are protecting their corporations.

Do you get focused on an industry, or just whoever –

That’s interesting. Endgame, I’ve been there for going on four years. When I first started, it’s still very much in the startup phase. It’s been interesting, because on that regard because having been in academia and having in government, then going to startup, very different mentality, very different pace, like everything.

I feel like I’ve been through several lives just within this one company. We started off – even before I got there, Endgame started off just working for the government and then has evolved in moving the big ship so that it’s always still and probably still deployed within the government. We’re focusing much so commercially as well. Right now and that’s really the big push for this year and last year, and so that’s where it’s been going.

Get the corporates in there, right?

We’ve had some luck and see, we’ve done a couple of press releases on some of the big companies that we’ve recently started working with. That was exciting. It’s been exciting seeing – you’re basically coming from – when I first came to this product, aspects have existed in different places, but seeing everything come together is exciting.

It’s a solution. That’s awesome. I’ve been peppering you with questions. This is your chance, you’ve got a mini soapbox. What would you want to share this community get messages that you want out there? What are you excited about?

Yeah. Well, there are a lot of things I’m excited about, but the one thing – the part that’s so exciting you didn’t ask me what’s like being a woman in cyber security. This is probably the first interview that hasn’t happened. Thank you for doing that.

If you want to talk about that, you can.

It’s important to talk about that, but I think it’s really, really important that my soapbox is we need to be talking to these unrepresented groups about their expertise and not about what’s like being – Because that’s mainly the question that I always get. My pushback is like, I don’t have a gender studies background.

I guess maybe my perspective, I’d rather talk about conflict and geo-political posturing and all these things. That’s exciting. Well done on that. Thank you. Yeah, but I get what are the soapbox? The other one I think that – I think things are moving really, really quickly now and I think that – I wish more of the population was better aware. I think as a security community, we don’t do a great job translating why things matter.

I wish we’d do a better job of communicating to the rest of the world why it’s important to update your phone every – you see there is updates that you need. Why being safe on social media – there’s so many aspects of that and this reminds me actually of something I wrote last week too, sort of how does cyber security attacks affect the individual? It goes across the range, but people just don’t understand.

Part of it is here’s the societal aspects. Even the Olympics are going to be a big target. Even if you’re on national security, there are aspects that are under attack. Before the individual, social media now is becoming such an attack vector. Even if you think you’re not important, it depends on where you work, but then there is also the – at the individual level, there is the spyware and surveillance, it’s just –

Scary.

It is scary. Yeah. It doesn’t mean that’s going to – it’s not omni-present. You have to worry, like you – you know it’s days. Not to worry about that, but just being cognizant of it and protecting data more and not putting out as much data as people tend to do.

I mean, I was at a conference yesterday and we were talking about the election system. That’s something that we’re pretty – we got pulled in based on some conversations with election officials in various states. We were somewhat surprised, scared, right? Blown away by some of the issues there.

We spent some time adapting our system to see if we can help and then also to rally the community in general. What was incredible in this conversation I presented was somebody is like – basically said the problems are so large that can we even think about addressing that? In this community, if you feel like you’re in this community and you feel like, “Should we even bother?” Can you imagine if you’re Joe Q Public?

Yeah, I know. The defeatist mentality. Yeah, and we can’t go there, because in the one hand, it’s just so large and overwhelming. We’re seeing so many more aspects of society impacted, but we have to. At the end of the day, I mean we have to protect our elections. That’s one thing for 2018 I worry about are the turn of elections. I don’t care what party you’re in. I mean, both are going to get attacked.

We’ve seen that. We’ve seen it, I think going back to at least to wait for both presidential candidates had some attack against them. This is not a partisan issue and I think that’s one of the things that drives me nuts, because both groups are going to get attacked and it’s going to be across the US. There will be some targeting going on, but as we see we’ll get some of the European elections going on. Or Russia has been –

Macron is sounds like was attacked, as well as the impact on Brexit as well.

Absolutely. The thing with the French election was that – this is why I think we’re going to see – when something works elsewhere, it’s probably going to get tried again. In France and then elsewhere, we’ve seen the hacks that happens. You’ve got the cyber-attacks going on. Then what gets dumped, you give them this information embedded within the data and so it becomes very, very hard for them to figure out what’s real and what’s not –

Fake news. Fake news.

From the data dumps there, right? It’s combining the trolls with the cyber-attack. It’s not just fake news. It’s pushed out there as a real e-mail when may not actually been an e-mail. That’s run that elsewhere that – last year, major tensions in the middle east when there is a hack, you know fake information was planted. It led to boycott both political and economics. I think we’re going to start seeing more and more that this combination of the cyber-attack plus the misinformation together.

I think that might happen within our – the 2018 election. We just to be aware of it. Then again, it goes back to education. Find out what’s the source, why is something – why some are dumping what they’re dumping and when. It’s challenging times to say the least, but –

What do they say? Cursed to live in interesting times?

I guess so.. Yeah, we are for sure living in those right now.

Well, this is great. Thank you so much for sitting down with us. This is really interesting. I mean, such a wide-ranging discussion.

Yeah. No, thank you. It’s fun.

Thanks.

Appreciate it.