Las Vegas 2023

Where Bits & Bytes Meet Flesh & Blood

With routine disruption of connected infrastructure: the water you drink, the food you put on your table, the oil & gas that fuel our homes - cars - and supply chains, the schools your children attend, the municipalities that run your towns and cities, and even timely access to patient care - with now proven losses of life, political will has formed. Changes are upon us. As the world increasingly depends on software and Digital Infrastructure, they increasingly depend upon… you.


Josh Corman

Founder, I am The Cavalry (dot org)





All right. The next speaker is Josh Corman, uh, who's one of the best boundary spanners I've met in my career. He's a dear friend of mine who I met over 20 years ago, and I'm so proud of the many adventures, uh, we've had together. And some of 'em defy easy explanation. Uh, we got to work together on trying to change the PCI Data Security Standard's scoping standards, uh, which he ridiculed as the No Child Left Behind Act for information security. What that meant was that it was meant to be a floor for security, but became the ceiling for others. We attempted to bring information security into the DevOps fold, which is something that eventually became known as DevSecOps, or SecDevOps, or DevOpsSec. He attended his first DevOpsDays in Austin, where so many of you got to meet and work with him. Uh, he spoke with John Willis at this conference in 2016 about how information security and DevOps are like peanut butter and chocolate, better together.


Um, but what is most remarkable, uh, to me is the impact that Josh has had on the regulatory environment. So, Dr. Steven McGill yesterday talked about the upcoming legislation, the 2021 Executive Order on Improving the Nation's Cybersecurity, uh, that mandated software bill of materials. And that was actually a direct result of his efforts. Similarly, the first medical device cybersecurity legislation that made equipment manufacturers liable for the security of the products they sell was due to his efforts. And he served for nearly two years as chief strategist for the CISA COVID Task Force inside the US Department of Homeland Security. I think his long journey and recent successes have some pretty fantastic lessons for any technology leader. So I asked him if he could share his story and the lessons that he's learned, and I'm so glad that he said yes. So here's Josh.




All right, buckle up. Um, I'm going for the record on slides. I missed you all. It's been a while. Um, I was here at the first one here with John Willis, so what, eight, nine years ago. But, uh, I've really gone into public safety, human life things, and we're gonna give a whirlwind tour about the last 10 years of this crazy journey called I Am The Cavalry. First, I want you to look at the ceiling. It's a 52-story hotel of steel and concrete. And you've been in here for days and not one of you looked at the ceiling the entire time in perpetual fear that this building would collapse upon you, because steel and concrete are dependable, foundational infrastructure for society. Part of how I met Gene is I wrote the Rugged Software Manifesto and said, as society increasingly depends on software, it's not nearly as reliable, dependable; in fact, it's chaotic.


Now, some of the work I did, um, brought Gene into some strange places. There's a huge story here we won't get into today, but I had researched the rises of Anonymous and hacktivism because I, I said that hyperconnectivity and globalism were leading to emergent properties, erosion of social contracts, because first and foremost, I'm a philosopher by training. We ended up in the hacker community, who got exposed to Goldratt and Deming to be a systems thinker, and now I'm a public policy guy. So when you put those things together, um, I was worried that cyber activism was gonna turn into cyber terrorism, and it did. And because of that, because the number four on the kill list was, uh, a script kiddie, a UK-born honor student from, uh, Birmingham, who, uh, joined ISIS after being arrested in TeaMp0isoN from Anonymous and started the Cyber Caliphate.


So when a script kiddie can reach out and touch someone, it doesn't matter, in a world of seven billion people, what most people would do; it matters what one would do. And because I was successfully predicting things like the emergence of cyber terrorism and the Cyber Caliphate, uh, the intelligence community took notice and started inviting hackers into their halls to decide how do we better protect society as we're increasingly depending on digital infrastructure? So I did not feel heroic enough. I asked a team of five of the smartest people I knew to form a complementary skillset and go in and try to speak truth to power. And in a two-day workshop, we were trying to answer questions like, if you could add one sentence of legislation to have the most material impact on public safety, economic, national security, and human life, what would that sentence be and why?


And this was 11 years ago. And at the end of those two days, besides a personal story I won't get into, we found out that they couldn't implement a single one of our brilliant ideas. And at the bar, at the, at the airport that night, I said to each of these fine friends, the cavalry isn't coming. And I didn't complete the sentiment. It just, there was a silence and an exhaustion that no one's gonna save us. Now, subsequently, my mother's brain cancer turned into, uh, her stroke turned into brain cancer. We had to hospice her. We went through a funeral process. And during her eulogy, I realized if something's missing in the world, maybe it falls to us to try to put it there. So I am the cavalry. Later, on August 1st, 10 years ago, uh, I asked the hacker community at DEF CON, just up the street, what are you willing and able to do if no one's gonna save us?


And I didn't mean on fixing all the world's problems, but my basic concern is our dependence on connected technology was growing much, much faster than our ability to secure it in areas increasingly exposing us to loss of life. Like medical devices, cars, high-speed rail, power, water, food supply. And we were messing with Maslow's base of the hierarchy, your basic human needs. I was looking at the healthcare industry and they're all concerned about your HIPAA data, your PHI. I said, I love my privacy. I'd like to be alive to enjoy it. We have more regulation to have a corpse with their privacy intact than to have safe, resilient delivery of patient care. So to think of Maslow's hierarchy of needs, I'm gonna jump forward and backward during my emergency federal service. Um, you know, these are the things where you're not inventing iPhones or writing poetry when you have fear for want for the bottom: food, water, shelter, safety, basic human needs.


During my time at CISA, the newest federal agency, we had successful electronic compromise of the water you drink, the food you put on your table, the oil and gas pipelines that fuel your cars, your homes, and your supply chains, the schools your children attend, the municipalities that run towns and cities, federal agencies charged with national security and defense, and even timely access to patient care during a pandemic with now proven mortal consequences. My team proved it. So to go back in time, a lot of the things I learned to bring to bear on this public safety mission that I wanna invite you into, I learned from Goldratt. The Goal, the Theory of Constraints fundamentally changed my life. I learned from Deming, I learned from Gene, I learned from the tribe that The Phoenix Project built. I learned from each of you. And I hope you can see that some of those ideas, to have empathy, boundary spanning, humble seekers looking for global optimums, were brought to bear.


Not just on making our shopping carts faster or our movies better, but maybe society better. So in the before times, we had to learn empathy. So we couldn't just go to doctors and nurses and say, you should be more cyber secure. They don't care. We're in the way of business. You heard plenty of conversations the last few days about that. What we learned though, is how they think and what their love language is. And it turns out that someone did a study in 2017 that found that if you have a heart attack during a US marathon, you have a statistically significant more likely chance of dying in that city. Not 'cause you're a runner, but because it takes 4.4 minutes longer to get the ambulance to the hospital. And that 4.4 minutes was sufficient to drive morbidity, mortality for heart attack victims. What does that have to do with cyber?


Nothing and everything. What we know is delayed integrated care affects mortality rates for stroke. It's called the golden hour or golden hours. 1, 3, 4 hours are the difference, if you can walk again, if you can talk again. Because of the work and the trust we built with I Am The Cavalry, because we used empathy, because we invested in their love languages, because we were boundary spanners, because we were generative, I got asked to serve on a congressional task force. The headline at the end of that task force report was that healthcare is in critical condition. Of the 7,000 hospitals in this country, 85% are small, medium, rural, and don't have a single qualified security person on staff. We knew if they showed up and had a cyber disruption, they were gonna have a very bad day. We were wildly underprepared. They told me, Josh, if you gave us a ton more money, 10 more million dollars, we're not gonna spend it on cybersecurity. We're gonna buy more ambulances or a Da Vinci surgical robot, we're gonna hire more nurses. They said, until people die, we're not spending a penny on this. So like good hackers, what did we do? We started killing people.


We started the CyberMed Summit. We worked with physicians and we took ER simulations they do all the time to practice their exotic skills. And we added actual proof of, um, actual demonstrable hacking into the medical delivery of care to see, can they notice? Does it affect the outcomes? In every case, patients coded. We were covered on Nightline and we showed them a palpable, visceral way in which they were not prepared. And that was great prep work. Uh, but that was not anything compared to what happened during the pandemic. What you're about to see are some slides made by Hired Thought, Ben. So, uh, they're a little making fun of me, but that's okay. Um, the pandemic changed everything, in part because of the trust that we built during, um, the congressional work. Uh, when the pandemic was declared, the newest federal agency went to Congress and said, we need some emergency help.


We, we are not prepared for such a multidisciplinary, massive issue. So they hired me to be what became the, the chief strategist of the CISA COVID Task Force. And our mission was to do two things: protect Operation Warp Speed and its successors on things that were, uh, related to diagnostics, therapeutics, and vaccines for a novel coronavirus, but also to protect the nation's 7,000 hospitals under record high cyber disruption. I took a lot of the Deming work, I took a lot of the Toyota supply chain work. I took a lot of the Theory of Constraints. And when we looked at the seven vaccine candidates that got tons of money and there are 23 named special suppliers who got tons of money and all the king's horses and all the king's men to make sure they didn't have a bad day in cyberspace or physical security, I was given a list of 4,000, actually 1000.


We turned it into four smaller, um, unprioritized suppliers. And I asked at that moment, what are the ball bearings of the supply chain? What are those small unguarded weak links that if disrupted means there's a lot of dead people? And very quickly, using a lot of what I learned from many of you and from history and from World War II and from recovery in Japan, we basically looked for scarcity, dependency and other things. We found 66 ball bearings that if disrupted could kill millions more. And we had to marshal our resources in record time to try to protect them. We also had to look at massively multidisciplinary, multi-sector issues like dry ice and ultra-cold storage when Pfizer was released, desperately needed to get it to older people. The 85-year-olds with four or more comorbidities were dying. Critical infrastructure workforce was dying.


It turned out we didn't have enough ultra-cold refrigeration in the country for Pfizer's requirements. So we had to turn to dry ice. Dry ice sublimates across space and time. We couldn't talk to one agency or one state. We had to do this massive logistical analysis to find what were the constraints and the bottlenecks and the precursors. And they don't speak this language. They don't know what a Wardley map is. They don't even know what value chain mapping is in a lot of cases, 'cause they're very, very siloed. And then there's fricking Wisconsin. They had all of the dry ice they needed, but they, they had it pre-committed to their cheese exports for Christmas <laugh>. So lemme go a little faster. Um, this was go time. People were dying. So when you talk to hospital professionals, they say it's all about caring capacity. Can you get care where you and your family need it when you need it?


And that is the three S's. This is their love language: space, supplies and staff, such that if you have 100 beds of space, you don't have a hundred-bed hospital, because you only have 80 staffed beds and you actually only have enough supplies for 60 of those 80 staffed beds. So your capacity is the three S's. And that's all they could see during the pandemic. Every single one of them was stressed beyond belief. And no single agency could understand how to ameliorate those. I had to modify and enhance their truth. I couldn't replace their truth. And what I showed is, when we saw 150,000 excess deaths at the one-year mark of the pandemic from non-COVID conditions, 150,000 of your friends and family, primarily 25 to 44-year-olds, were dying. I said, I bet you those are time-sensitive, latency-sensitive conditions like heart, brain, and pulmonary.


So it's not just keeping people alive, it's are we thinking about the latency impact of care delivery? And number two is medical technology. They don't care about cyber, they can't afford to care about cyber. But in the medical technology context, um, technology's a huge force multiplier of staff. A single nurse in a neonatal intensive care unit for babies could handle three babies safely in 1990. Armed with modern technology, they can do 12, 15, 18 concurrently with remote nursing stations. So if that med tech is a force multiplier, the unavailability of it is a force divider and people die. They don't just die in the narrow sense; that technology determines our total yield. So if you can contextualize the impact of ransomware, the unavailability has a cascading effect on your space, supplies and staff. This is what happened to a baby in Alabama on October 1st, 2021, on the front page of the Wall Street Journal.


We learned of the first named victim of a ransomware attack in an ongoing lawsuit where the ransomed hospital chose to admit patients anyhow. And doctors and nurses essentially admitted to each other that had they had access to the dozen or more pieces of technology they need to deliver safe care, the baby would not have perished. And ultimately that baby lost their life. On the very same day we published the first statistical proof of loss of life, where we could show, using data science, published in the CDC's Morbidity and Mortality Weekly Report, that we could track that the leading indicator of those excess deaths, that 25 to 44-year-olds, was ICU strain above 75%. So if the nation hit 75% or higher, uh, you would see 18,000 dead Americans in two weeks. If you hit 100%, we saw 80,000 dead Americans in two weeks.


And we hit those thresholds three times. And armed with that data science, we could look at the state of Vermont, which had a protracted disruption, uh, just after the US election. And in the same state with the same pandemic conditions, adjusting for hospital type and size, we could see that the ransomed communities achieve these stress levels sooner and stay there longer than their peers. So we knew maximum, minimum, most likely; we could actually prove the mortal consequences of the unavailability of that care, both in that you couldn't survive the ambulance ride to the next nearest facility if it was more than an hour away and that the stress levels of those hospitals went up. Now, you all know Conway's Law. Ostensibly, "provide medical care," the national critical function, belongs to HHS, Health and Human Services, except that it's not like that. We know in Conway's Law that your product eventually resembles your org chart.


But the real world is messy, and public safety, human life, is messy. And truth is, if you don't have water, you don't have a hospital. If you don't have electricity, you don't have a hospital. If you don't have the movement of patients and goods and chemicals, you don't have a hospital. So it's really complex and we don't operate that way. And Conway's Law is unfortunate for your products. It's lethal for your federal government. So we tried to say, when everything's important, nothing's important. I'm trying to reimagine and metabolize this anger and frustration. If the bottom of Maslow's is too squishy for you, I said, let's map these 55 national critical functions to latency sensitivity. If you shut it off for a day or a couple hours, does anybody die? And out of those 55 things, only 10 of them are lethal within 24 to 48 hours.


And they depend upon each other. And this is value chain mapping, and this is dependency graphs. And this is the Theory of Constraints applied to your public safety and your way of life. And worse, as we fail to provide medical care in a timely manner, we're cutting into the workforce for water and wastewater technicians, longshore and supply chains, which is just a death spiral. So when I looked at most of these critical infrastructure things, they are multi-sector in nature. They're target rich, but cyber poor. They don't participate in public-private partnerships. And we are messing with Maslow in a way we cannot and should not continue. I'm gonna go real fast at the end here for some of the victory lap. 10 years ago I started a journey to introduce software bill of materials. So if you like it, you're welcome. If you hate it, tough luck. Uh, we need software supply chain transparency. We're all in a supply chain, mostly we're in the middle. And our tolerated vulnerabilities are passed into those small, medium, rural hospitals. Eventually, when we had political will and we knew that people were dying, I testified to the Senate last May, and in the last minute the PATCH Act passed into law. These are mandatory and minimum cybersecurity hygiene for medical devices. They must be patchable. They must have a coordinated disclosure program, they must have a software bill of materials. And you,


This will make hospitals safer, whether they're large, medium, small, or rural. But here's the problem, guys. I want you to close your eyes for 30 seconds. I'm gonna go one minute long. Picture the hospital nearest your home. What does it look like? What's it called? When was the last time you were there? Were you seeing the birth of a child? Did you take an injured family member in an urgent and panicked situation? Were you saying goodbye to a loved one for the last time? What's the name of that hospital? How far is it from your house? I want you to open your eyes, because where would you go if it was ransomed? Is it across town, east or west? Is it the next town over, the next county over? Is it owned by the same company? Would it also be ransomed? Now what if it closed its doors forever?


Because that's what happened to Hollywood. Uh, excuse me. Um, St. Margaret's in Illinois. Most of these small, medium, rural hospitals in the country have one to four weeks' cash flow on hand and they're already on the ropes. If they get ransomed and they're down for six to 12 weeks, they're down for the count. So here's a map of the 200-plus closures of rural hospitals in the last five years. And with 700 ransoms a year, that's 700 more times to have them knocked out for good or part of a predatory merger and acquisition where you're gonna have diminished quality of care. Now, if you have plenty of hospitals in your town, you're fine. But in large parts of the country, there's no care for four or more hours. And if 4.4 minutes can kill you and four hours will kill you, what do you think this does at this trajectory?


So what are the constraints, not for your company or for the goal of making profit? What are the constraints on society? How do I take and lift and shift everything that you all know and do for your companies? And to quote Dr. Spear, how do we maximize value creation for society? I need a hero. I need a lot of heroes. So my ask is, will you humble seekers and systems thinkers and boundary spanners take all the talent you've built and try to help us make sure we solve these bigger societal problems? 'Cause no one's coming to save you. We know how to win. We now need to scale it. Thank you.

