“Some of the most devastating [cybersecurity] attacks in the last few years weren’t even on purpose, right? WannaCry was a deliberate ransom, but it didn’t mean to take out or affect 40% of the healthcare delivery in the UK for Mother’s Day weekend three years ago. NotPetya. It was a deliberate attack against Ukraine, but as collateral damage, it did over a billion dollars to Merck Pharmaceutical alone. I think 20 billion is the last number I saw for the total damage. And sometimes, just internet noise can provide a denial of service or a failure.

In fact, the one that scared me after TriCk’s death the most that motivated a lot more action was a Hollywood Presbyterian Hospital shut down patient care for a week due to a single Java deserialization flaw and a single Java library and a single medical technology. They were even warned that there was an attack happening against JBoss. And hospitals said, “I don’t know what a JBoss is. Am I affected? Where am I affected?” They had no idea so they got hit. And they had to move critical care patients, cancel surgeries, divert ambulances in LA traffic.

I was terrified. Because I said, “If an accident can take out Hollywood Presbyterian, what could TriCk do to all hospitals in the area or in the country?” And I was very happy he was dead. So, it was around then that I had a really heavy weight on my heart. And Beau Woods and I decided to take a break from our private sector jobs. And I went into the Atlantic Council to drive this cyber statecraft initiative. And he came in as my deputy.”

That’s Joshua Corman, one of the creators of I Am the Cavalry, this week’s guest on Hack the Plant, a podcast of the R Street Institute and ICS Village. I Am the Cavalry brings the community of hackers together to change the world for the better. Corman’s divided his time between the private and public sectors, from IBM and Akamai to the Atlantic Council and the Cybersecurity and Infrastructure Security Agency (CISA).

(Subscribe to Hack the Plant on Spotify or Apple, by RSS feed or search for it wherever you listen to podcasts.)

Transcript:

Joshua Corman:

Our dependence on connected technology is growing faster than our ability to secure it, especially in areas affecting public safety and human life.

Bryson Bort:

I’m Bryson Bort. And this is Hack the Plant. Electricity, finance, transportation, our water supply. We take these critical infrastructure systems for granted, but they’re all becoming increasingly dependent on the internet to function. Every day, I ask and look for answers to the questions. Does our connectivity leave us more vulnerable to attacks by our enemies?

Bryson Bort:

I’m a senior fellow at the R Street Institute and the co-founder of the nonprofit ICS Village, educating people on critical infrastructure security with hands-on examples, not just nerd stuff. I founded GRIMM in 2013, a consultancy that works the front lines of these problems every day for clients all over the world.

Clip:

It’s played out in Israel right now, where hackers have been going after Israeli water systems, not to steal information from them, but to change the setting on the chemicals in Israeli water.

Bryson Bort:

Each month, I’m going to walk you through my world of hackers, insiders and government working on the front lines of cybersecurity and public safety to protect the systems you rely upon every day.

Clip:

If you think that the small-town water authorities and the mom-and-pop size companies have better cybersecurity in the US than the Israelis do, I’ve really, really bad news for you.

Bryson Bort:

An attack on our critical infrastructure, the degradation to the point that they can no longer support us means that we go back to the Stone Age literally overnight.

Joshua Corman:

If we think the government’s going to solve it for us, we’re wrong. We have to help them.

Bryson Bort:

This is not a podcast for the faint of heart. If you want to meet those protecting the world and what problems keep them up at night, then this is the podcast for you. I’m Bryson Bort. And this is Hack the Plant. On today’s episode, we’re talking to Josh Corman, one of the creators of I Am the Cavalry because the cavalry isn’t coming to save us. They bring the community of hackers together to change the world for the better.

Bryson Bort:

We’ll be covering the COVID pandemic, critical healthcare systems, balance between technological innovation and the inevitable crisis for sacrificing safety for speed. I Am the Cavalry was born in Las Vegas in the summer of 2013 during two cybersecurity conferences, the annual hacker conference DEF CON and its smaller community, BSides Las Vegas. Josh Corman and Nick Percoco began a conversation at those conferences about how emerging technologies have the ability to affect human life and public safety when applied to the internet of things, cars, medical devices, and more.

Bryson Bort:

At that point, security research was often seen as a threat to the general public or even criminalized. Josh, Nick, and other like-minded security professionals had a different view. I Am the Cavalry is a volunteer organization devoted to improving the security of four main focus areas, medical devices, transportation, connected homes, and infrastructure. I believe that our dependence on connected technology is increasing faster than our ability to safeguard ourselves.

Bryson Bort:

I’m going to tell you his story in his words. It may not be clear at first why he’s an icon to those of us who want to protect our country from some of our most pressing cyber threats, but by the end, I think you’ll see why and agree. Welcome to an in-depth conversation about why to love hackers.

Joshua Corman:

And think on what you get when you put a philosopher in the hacker culture for a couple decades. But I’m a passionate protector. I want to make the world a safer place and somehow cybersecurity sucked me in to its chaos. And I try to use whatever skills and background I have to try to focus on where it invites me flesh and blood or affect the broader society. And it’s been a journey.

Bryson Bort:

I certainly think you’re being too humble. There are those of us who spend our whole lives striving to become individual contributors. And there are few of us who can really set as many candles on fire as you have with organizations like I Am the Cavalry and a lot of the things that you do. So, how is that grounded in your background? You have a background in philosophy, correct?

Joshua Corman:

Yeah. I originally went to school to be a Marine Biologist, but I got really bored one day when I realized I knew every Latin name for every snail. So, I was already working in a computer science role. I was in the software development team as an intern and then full time. So, I had to get a degree in something. And I was fascinated by philosophy. I wanted to ask really hard questions and understand how people think. Turns out I thought it’s useless just getting a piece of paper.

Joshua Corman:

But as I got further in my career, when you see the rise of hacktivism and cyberterrorism and direct action online and cyber physical systems being attacked, it turns out my philosophy is really important as I’ve gotten closer to the world of international public policy and cyber statecraft.

Joshua Corman:

And being a translator and ambassador from the technical talent of the hacker community into public policy makers who speak very different languages, the ability to structure an argument, write well, communicate clearly, adapt your nouns and verbs to the audience you’re speaking to, do multi-stakeholder things, I could not do any of that had I not been put through the wringer of an undergraduate philosophy program.

Bryson Bort:

Can you give us one snail name in Latin?

Joshua Corman:

Littorina littorea and Littorina saxatilis. Wow. There’s a quiz, my brain hurts.

Bryson Bort:

Well done. And so, when did you start to apply that philosophy to cybersecurity? How did those two intersect?

Joshua Corman:

Well, nobody plans to get into cybersecurity. We had a partner that made one of the first SIEMs when I was in the software company, I did network management software. And I was just completely blown away by the subject matter of, oh, wait, there’s cybercrime, there’s hackers. So, as soon as I left that job, I got into a cybersecurity startup, just out of curiosity, and to be a puzzler. I think a lot of hackers get into this because they want to be a puzzler. It’s one of my five Ps, protector, puzzler, prestige, profit, and protest.

Bryson Bort:

These five are his hypothesis on what are the motivations for why somebody becomes a white hat hacker. White hat is somebody that’s working for good. Black hat is somebody who is hacking for bad. The good hacker that’s trying to save us is to protect, make the world a safer place, to puzzle driven by curiosity and challenge, prestige, the recognition of what I’m doing, the profit or professional seeking monetary reward for it, or politics, ideologically motivated.

Joshua Corman:

And 9/11 happened. We ran out of money and we had to lay most of our folks off and just focused on what I considered high consequence. I think most malware prior to that was for fun. Right? And then, it started to turn a little bit to crime. The startup I was working at did nation state espionage stuff before it was cool, before we had the APT acronym.

Bryson Bort:

APT, Advanced Persistent Threat, the nom de guerre of the shadowy underworld of nation states and independent third-party hackers with motivations to do great harm. Hackers are no longer the 400-pound nerd sitting in your mother’s basement, individually being able to do great harm. You need an entire team of various specialists across the entire attack cycle to be able to effectively run a significant campaign.

Bryson Bort:

That’s an advanced persistent threat, significant funding, significant organization, significant capabilities tied to the kinds of motives that a country would have.

Joshua Corman:

I always cared about high consequence things, but I still look at this as maybe just something I could marginally contribute to. I think it was when I saw the rise of Anonymous in hacktivism, I got really worried because, without getting too philosophical, my first reaction was, wait a second, you have large groups of post national young people opting out of social contracts and taking direct action online. This feels like an emergent property of global connectivity and social media.

Joshua Corman:

This might not be very good. We might not like this. So, I had a visceral reaction. It was a canary in the coal mine or a first mover or harbinger, and that the branches and sequels could be really bad. During the warm-up, I was saying like the state of nature is a state of war. That’s nasty, brutish and short, Hobbes, or if you’re Locke, it’s a state of inconvenience. But our species is maybe 48 hours from Lord of the Flies of the state of nature if we’re not careful. And I paid significant attention to the rise of hacktivism.

Joshua Corman:

And through that, I started cautiously engaging them in a public dialectic with Jericho, one of the hackers from the DEF CON community. And we wrote respectfully but carefully through a blog series called Building a Better Anonymous. And it was not to judge them. It was that we found them to be wildly misunderstood. We didn’t understand a consistent ideology, but our open heart and curiosity said, “Let’s just engage and write.”

Joshua Corman:

“And we’ll get smarter as we go through the dialogue.” And the international public policy community really took to it. And some of that work was useful to governments and allies on figuring out what’s going on, who’s abusing it. There were a lot of false flag operations being done in the name of Anonymous. So, that really sucked me into a completely different world. And then, I realized my philosophy degree wasn’t mostly useless. It was a fresh perspective.

Joshua Corman:

And I saw ready allies throughout the policy community who had previously been afraid of white hackers and thought all hackers are criminals. And now, they’re saying, “Wait a second, this talent pool might be able to help us.” Through that trust I built up, I was able to bring a bunch of hackers into very sensitive places for challenge questions and workshops to try to focus on public safety, human life things that we were starting to care more about as we saw more premature connectivity for cyber physical systems that made me very nervous.

Joshua Corman:

And my basic plea was if 100 of the Fortune 100 have lost intellectual property and trade secrets, despite spending $80 billion a year on cybersecurity, and every credit card merchant has lost credit cards despite being PCI compliant, we don’t have to protect anything. So, if our failure rate is 100% on low consequence things, what the heck are we doing putting software and connectivity in cars and power plants and oil and gas pipelines and water treatment facilities? This is not a good idea.

Bryson Bort:

Pulling out what you said about William Golding’s Lord of the Flies, that we are 48 hours from the collapse of the veneer of civilization, I think really highlights what we’re talking about here, water, power, finance, critical infrastructure. Those industrial control and operational technology systems are what underpins modern society. An attack on them, the degradation to the point that they no longer can support us means that we go back to the Stone Age literally overnight.

Joshua Corman:

So, I wasn’t a Luddite, but I was trying to go as high and deep as I could into the power corridors and the governments. And we did, we got as far as we could. And I ultimately did a workshop with five hackers and a very important office for two days. And at the end of that, they said, “We can’t take this recommendation. Can’t do that recommendation. Can’t do this recommendation.” People have to die first until this’ll happen. And we were just very overwhelmed and drank at the bar that night.

Joshua Corman:

And I said half of my story, which is the cavalry isn’t coming. I didn’t have an answer to it. But I said out loud cavalry isn’t coming and we just kinda kept drinking our beers. Well, concurrent with that, my mom had a stroke that was the front wave of some terminal brain cancer. And we had to hospice her through a couple of months. And during her funeral, I gave a eulogy as the oldest kid. Her church where the funeral was, was also where I took her one last time before she had to be hospice.

Joshua Corman:

And it was the same weekend as the Sandy Hook shooting. So, heavy on my heart as a father of kids was the horror we saw with Sandy Hook, heavy at my heart as the son of someone dying too soon. I remember being pretty angry that day at the world and getting angry when her preacher would repeatedly say why is there evil in the world for about an hour over and over. Why is there evil in the world? So, when we’re back in that room and I felt angry again at my mom’s funeral, I didn’t want to let anger rule.

Joshua Corman:

So, I tried to channel it. In some combination, the following words came out of my mouth, where I told everyone I couldn’t figure out what was wrong and what frustrated me about asking why there’s evil in the world. But I think I just did. And my mom happened to be my seventh-grade science teacher because someone got hurt or sick or something, she had to fill in. It was just a weird circumstance. And I said, many of the things I learned in that science class is that darkness is not a thing, it’s an absence of light.

Joshua Corman:

And cold is not a thing, it’s an absence of heat. So, maybe it’s not just the presence of evil, but the absence of good. And maybe if something’s missing in the world, we have to put it there. So, as soon as I said all that, I asked my family, “What’s the absence of Marie?” which is my mother’s name. And I said, “We don’t get to find out because now, it falls to us to do what she was doing.” And as soon as I said that, I think my life changed as far as cybersecurity.

Joshua Corman:

I think I realized no more imposter syndrome, no more waiting for someone else to fix this. If the cavalry isn’t coming, it falls to us to try to do something. So, later that summer at DEF CON and BSides Las Vegas, I challenged all the hackers and said, “What are you going to do? No one’s going to come. Will you be part of the solution?” So, I Am the Cavalry was a personal declaration, not Josh or Beau or just a handful of people that are prominent.

Joshua Corman:

We wanted hundreds of willing and able hackers to use their talent for good to save lives. So, our challenge question was, our problem statement was that our dependence on connected technology is growing faster than our ability to secure it, especially in areas affecting public safety and human life. And I was deeply concerned about the relationship between technology and human condition. And if we think the government’s going to solve it for us, we’re wrong, we have to help them.

Joshua Corman:

So, we want to be ambassadors, translators, helping hand instead of a pointing finger. And we said, “We’re going to do this with empathy.” I think I was still pretty wounded from my grieving process and I’ve found empathy wasn’t a weakness, it was a strength. So, leading principle was empathy. It was focused on being safer sooner by working together across multiple stakeholders. And unlike a lot of hacker things, we wanted to do this as a team, right?

Joshua Corman:

Not solo action, not competitive, not zero sum, not for prestige, but rather for results. And the Cavalry, we don’t have an official roster, but we think we’re somewhere between 800, 1,000 volunteers spawned and cofounded a whole bunch of the villages and things like CyberMedSummit, where we do ER hacking simulations with doctors and medical stakeholders and tabletop crisis simulations for ransomwares to protect municipalities or whatnot.

Joshua Corman:

We’ve had pretty profound impact on Food and Drug Administration regulations, automotive cyber safety. We work with folks like you in the Village for ICS and OT.

Bryson Bort:

OT is Operational Technology. It’s a catch-all term like ICS, Industrial Control Systems. Specialized equipment that does something in the physical world like maintaining a certain amount of throughput for water pressure, the systems that underpin critical infrastructure by affecting the physical world to deliver those services that underpin modern society, electricity, water, transportation.

Joshua Corman:

We’re just trying to fuzz the chain of influence and have a positive impact on making the world safer. We think we’re dependent on this stuff. It’s just not dependable yet. And we’ve been trying to sow primitives of security hygiene and cyber safety hygiene into as many public policy conversations as we can domestically and internationally.

Bryson Bort:

Cyber hygiene is the concept that if you’re with somebody else and you’re being chased by a bear, you don’t have to be faster than the bear. The bear in this example, while it is the code name reference for the Russians as the APT, the bear is any APT. The bear is any malicious hacker out there. You just have to be faster than the other person. The bear catches him or them, they’ll leave you alone. Cyber hygiene is the concept that if we have a certain level of awareness in our users, that makes us a harder target. Hackers make easier targets versus harder targets on average.

Joshua Corman:

Now, our hygiene is so terrible that we’re exposed to a whole bevy of accidents and adversaries, right? Like Beau Woods who you should have in the shows of course. He had a great line. He says, “Malicious intent is not a prerequisite to harm, it’s accident and adversaries.”

Bryson Bort:

So, the thing about malicious intent, the difference in malware is rarely even a few lines of code. What that means is I could have a piece of code over here that does something for reasons it was designed for, and then something very similar to it that would be called malware. Not because there’s something in it that some ticking time bomb, or there’s an obvious thing that we joke about called the evil bit, but because of the intent of how I’m using that software.

Bryson Bort:

And fundamentally, the biggest difference behind what code does is the intent on how it’s used more than it is the code itself.

Joshua Corman:

And some of the most devastating attacks in the last few years weren’t even on purpose, right? WannaCry was a deliberate ransom, but it didn’t mean to take out or affect 40% of the healthcare delivery in the UK for Mother’s Day weekend three years ago. NotPetya. It was a deliberate attack against Ukraine, but as collateral damage, it did over a billion dollars to Merck Pharmaceutical alone. I think 20 billion is the last number I saw for the total damage. And sometimes, just internet noise can provide a denial of service or a failure.

Joshua Corman:

In fact, the one that scared me after TriCk’s death the most that motivated a lot more action was a Hollywood Presbyterian Hospital shut down patient care for a week due to a single Java deserialization flaw and a single Java library and a single medical technology. They were even warned that there was an attack happening against JBoss. And hospitals said, “I don’t know what a JBoss is. Am I affected? Where am I affected?” They had no idea so they got hit. And they had to move critical care patients, cancel surgeries, divert ambulances in LA traffic.

Joshua Corman:

I was terrified. Because I said, “If an accident can take out Hollywood Presbyterian, what could TriCk do to all hospitals in the area or in the country?” And I was very happy he was dead. So, it was around then that I had a really heavy weight on my heart. And Beau Woods and I decided to take a break from our private sector jobs. And I went into the Atlantic Council to drive this cyber statecraft initiative. And he came in as my deputy.

Joshua Corman:

And we had no business in some ways being in a public policy think tank, working with NATO and UN folks. But we really wanted to put cyber safety on the map and have a surge because most of the policy discussions prior to that were focused on deterrence models or nation state actors only. And the assumption is, well, they’re so good at offense that even if we got 10 times as good at our current level of defense, it still wouldn’t matter. And a lot of that thinking is very nihilistic and fatalistic, but it’s also sound in general.

Joshua Corman:

What I wanted to do is expand their horizon and say, it’s not just the high-end high-capability nation state actors where you can use sanctions and deterrence models and whatnot. It’s how do you do an economic sanction on ISIS. How do you do a UN sanction on a subnational, sub-state actor? What we really have to do in addition to everything they were focused on and their aperture, look at those high intent low capability actors who were more likely to act. And then, you put people like North Korea in the middle, right?

Joshua Corman:

It’s maybe not as good in a capability set as some of the top tier, but also maybe more unpredictable. And then, over time, we started realizing that, geez, if we’re going to be skirmishing in the real world, of course these other countries are going to use their cyber arsenal more aggressively. And not sure when this is going to air, but I recently saw an article about Israel admitting a lot more brazen activities on their water treatment facilities and ICS systems from other countries.

Joshua Corman:

And eventually, that no-fly zone or this respect for not attacking civilian infrastructure is going to erode even during peace time, but maybe by accident. But it’s certainly going to get hot during actual skirmishes. And I don’t think the country or the Western democracies or the allies are ready for that. Because we are so dependent on this connected technology.

Joshua Corman:

We like the benefits of it, but what happens when large chunks of the power grid are not working or water treatment facilities aren’t trustworthy because we were too arrogant or too brazen in our rush to hyper-connectivity before we actually figured out how to secure it well.

Bryson Bort:

We see time and time again, function first, security second. And Israel’s response to the attacks on the water treatment facilities is noting that a cyber winter is coming, which leads me to think about those in glass houses probably shouldn’t be throwing stones in reference to your Western country comment. Going back to the comment on IT versus OT. So, we talked about information technology, which is the computers that we’re all used to seeing in our offices and desktops.

Bryson Bort:

And operational technology, which is what underpins all of this critical infrastructure. And a lot of folks, I think don’t realize how brittle it can be. Which is why we need different techniques and technologies to be able to work and defend with it. So, critical infrastructure is made up of a number of systems, all interconnected that combined delivering a particular service is the infrastructure that underpins that service.

Bryson Bort:

An air gap protects those assets by preventing the regular internet from being able to get to them. A hacker can’t hack what they can’t touch. The creation of the internet made it easy for anybody anywhere in the world to be able to access any computer on the internet. Clearly, that’s an issue for critical infrastructure. Air gaps prevent that direct access. That brings us to part of how you’re helping with this.

Bryson Bort:

I Am the Cavalry, the organization that you formed with a thousand volunteers and growing day by day, reminds me of Keren Elazari’s TED talk, where she talks about hackers as the internet’s immune system. So, Josh, what is a hacker? How do they help? And what else do we need to do?

Joshua Corman:

The definitions I’ve always liked include something around curiosity, puzzling, can you take something apart and put it back together? Depending on the historian you are. There’s a book about the MIT Model Railroad Club being the first hackers. But I think culture tended to think of hacker equals criminal. And I think we use it as a pejorative in movies and television and headlines. I like to say hacking is like magic, right?

Joshua Corman:

There’s good wizards like Gandalf and Hermione and Harry Potter. And thank goodness we have them to fight the bad wizards. So, I think culture has mostly heard about the bad wizards. We want to use our powers for good to fight the darkness. And so, at a minimum, hacking is just a capability set to take things apart, put them back together, use them in ways they weren’t intended, maybe enhance them. And how that skillset is used is what really matters.

Bryson Bort:

The relationship between hackers and government and commercial enterprise has been fraught for decades. Many of us, including Josh, spend a lot of time trying to bring all sides to the table so that we can all benefit from a safer and more secure society.

Joshua Corman:

One of the things that’s been pretty transformative in building trust with some of these policy makers, specifically, we had a breakthrough with the Food and Drug Administration, is that not only are hackers not just bad, but the helpful hackers have even different motivations. And they all start with a P. There’s more than five, but these five were pretty useful. There’s protectors that want to make the world a safer place. There’s puzzlers that do it for challenging curiosity.

Joshua Corman:

They want to take something apart, put it back together, solve the Rubik’s cube. It’s prestige that do it for glory or ego, to be the first to do something, to be the best to do something. They tend to be in the rock star class of our community. There’s profit. They do it for personal or professional gain. And this is a capitalistic society so they are free to do that. And lastly, there’s protest, or sometimes we call it patriotism.

Joshua Corman:

But hackers do something for or against some ideology or cause. So, with protectors, puzzlers, prestige, profit, protest, how you engage these helpers will vary. And what I think we’ve done with the Cavalry or I Am the Cavalry is we created a namespace and an umbrella for the protector class that would lose sleep if they couldn’t get a safety issue reported and fixed, and they’re just trying to help. And it was pretty hard to help.

Joshua Corman:

And through the trust we built with the FDA and the Department of Justice and others, we’ve done a significant amount of work to soften some of the laws that had had a chilling effect on research. The DMCA or Digital Millennium Copyright Act could be used to prosecute good faith research. And we’ve got specific research carve-outs now. The Computer Fraud and Abuse Act can be used to prosecute good faith hacking.

Joshua Corman:

And we have some prosecutorial discretion on that. The Food and Drug Administration encourages coordinated Vulnerability Disclosure Programs for medical device makers. You saw the Hack the Pentagon Program, and then subsequently, we’re nearing a point where every federal agency will have a Vulnerability Disclosure Program. And I think we’ve really turned the tide on this, where government sees hackers as helpful.

Joshua Corman:

They’ve at least gone from hacker bad to, okay, there’s good and bad hackers. And even they’re starting to understand who you engage. So, maybe you don’t engage the most famous person on a topic from the white hat community, but you engage the ones that are willing to roll up their sleeves, use the right nouns and verbs, look and listen twice as much as they speak to try to really wrestle through tough policy questions so that we get it right the first time, or at least the least wrong the first time.

Bryson Bort:

What else could we be doing there to make this even easier and have that relationship be less tenuous than it has historically been?

Joshua Corman:

That’s a great question. It’s a campaign, it’s not a single activity. We do a lot of different things to try to build trust. And it can’t just be the obvious ones like Congress or specifically just a regulator. It can’t just be federal, it should be state level as well. It can’t just be US, it has to be international. So, there’s probably a two-pronged approach that we’ve used. And we don’t know what we’re doing. Beau and I joke that if we ever had a biography about the rise of the Cavalry, we were going to say, the working title is we have no idea what we’re doing, but it seems to be working.

Joshua Corman:

But I think with just being sincere, acting directionally in good faith, we’ve figured out that it’s a kitchen sink approach, right? We try to be worthy of trust. And then, we try to build that trust on a number of fronts, relationship-wise. And we do things on that front. We brought two sitting congressmen to DEF CON for the first time at DEF CON 25. A bipartisan group, we gave them lots of private tours and lots of important things to give them experience. In the spring time, we do something called Hackers on the Hill.

Joshua Corman:

Beau was a real driving force on that innovation where folks are in town, a lot of hackers are in town for the ShmooCon event. And then, we capitalize on that trip they made, and we do some presentations from congressional staffers and Congress folks. And then, we break them up to go do their very first congressional briefings on topics that the Hill cares about and we care about, and we try to do matchmaking.

Joshua Corman:

So, those types of battle rhythms are pretty useful for getting face time and realizing that the other group is intelligent, is engaged and willing to listen to each other. We have setbacks on those fronts. I think the bulk of the work is with regulators. Because of our public safety mission, I Am the Cavalry went really deep with National Highway Transportation Safety Administration, with the Food and Drug Administration, with FTC, with parts of the Department of Energy and ICS players.

Joshua Corman:

So, our focus was really on the cyber physical things. But what we found is even though we were doing that, the primitives we were talking about for policy like devices should be patchable. You should encourage a coordinated Vulnerability Disclosure Program. You should have safety by design principles like X, Y, and Z. You should separate critical systems from noncritical systems. So, hacking a stereo in your car should never be able to shut off the brakes in your car, even though they currently can.

Joshua Corman:

So, things like those primitives, those are four of the five things we put in things like the Hippocratic Oath for connected medical devices. We picked five postures towards failure. How do you avoid failure, take help avoiding failure without suing the helper, capture, study and learn from failure with tamper-evident, forensically-sound evidence capture, have a safe response to failure through patching, and then contain and isolate failure through segmentation, isolation and fail-safe modes.

Joshua Corman:

And those five things became a 50,000-foot regulatory blueprint, which the FDA has embraced fully. And to a lesser extent, the automotive industry has embraced. These types of primitives being seeded into enough places means that no matter where they’re acting, state, federal, international, through standards organizations, they’re fairly consistent in the types of things they’re approaching. And none of this will stop a sophisticated targeted adversary, even if we do it all. But at least it puts us in the fight.

Joshua Corman:

That’s why we phrased everything around failure. If you can’t notice failure and take help avoiding failure, respond to failure, those types of things, you’re really just a punching bag. And that punching bag is pretty disappointing when it’s your credit card. It’s really problematic when it’s available healthcare delivery. In fact, a lot of our cybersecurity brothers and sisters were very frustrated at how much we were talking about hospital ransomware.

Joshua Corman:

And just think about it right now, imagine those same WannaCry outages during a COVID response in a hotspot. Imagine the lost lives. We’ve already shown through our CyberMed Summits that even a denial of service on imaging systems can affect loss of life for stroke patients that have three hours to get diagnosed properly before you can issue the right treatment. If denying imaging access can affect life on them during peacetime, what do you think would happen when you’re already at overcapacity in a hotspot like New York City with a denial of patient care for degraded or delayed care?

Joshua Corman:

These types of things are becoming very, very dangerous. And if we lose confidence in a sixth of our economy, like healthcare, if it delays or degrades our COVID response on the research, the supply chain or patient care delivery, this is avoidable harm, it’s elective harm. And while ransomware and these low hanging things like being patchable aren’t sexy, they are essentially public safety issues.

Joshua Corman:

And I’m really hoping that the broader hacker community that hasn’t heard the call yet can at least shift from negative to neutral, but maybe even ask themselves, “How can I use my skills to help be part of the solution?” I don’t know what you do for your day job if you’re in cybersecurity, but there’s probably a way you can help.

Joshua Corman:

And I don’t know what you’re doing in public policy or in a critical infrastructure sector if you listen to this podcast, but be sure you can recognize helpful hackers when they’re there, willing allies that can bring you either information, education, inspiration, or even recommendations on what to do. Because the consequences of failure are getting higher and higher with each day.

Bryson Bort:

If you could wave a magic non-internet connected wand, what is one thing you would change?

Joshua Corman:

I mean, I really do think we need minimum hygiene standards for anything safety critical. Just because the failures we have are going to be much more devastating than people realize. It’s one instinct. It’s a tough question. I mean, I think we are making progress but just not making it fast enough. I think we like to wait. I don’t want to use the word think tank, but I would love to see a multidisciplinary group of experts focused specifically on cyber physical systems and public safety, human life issues.

Joshua Corman:

I was really happy to see this layer and report echoed a lot of the things we’ve been pushing for. I think that was struck on the broader issues of cybersecurity. But I don’t think there’s yet a full awakening as to how much difference our physical systems are for public safety, national security, economic stability, and the confidence of the public. So, I think our level of investment is disproportional to the impact.

Joshua Corman:

And I think one of the things that COVID has reminded us rather than taught us is that humans are really bad at the low probability high impact events. We were much better at dealing with the immediate obvious high-frequency things like credit card breaches. And while it should be rare that you have a mass casualty event, maybe even never if we’re lucky from a cyber physical attack, when they happen, the ripple effect is going to be devastating. I don’t like to be a doom and gloom guy.

Joshua Corman:

I just think about this. What I really wish I could wave a magic wand on is give policymakers a full-throated eyes wide open capture of just how prone we are in a way that does not scare people so they at least know what we know on how easy it is to compromise these things and the technology policies we would need to make to change our fate, but in a way that doesn’t scare the public, right? So, I want full enlightenment with very little public panic.

Joshua Corman:

Because it’s going to take years to fix these things. And we’re in a race condition. Can we raise awareness on policymakers, affect policy and enact policy before we hit some of these high consequence failures? Or rather when we fail to meet that race condition, if there is a high consequence failure, are we five years into a 10-year fix? Do we at least have a head start so that when we have to deal with a crisis of competence, we’re in a better position and we can inform and inspire a more expedient fix?

Joshua Corman:

My fear right now is that to me, these folks are waiting for the bad thing to happen and don’t realize that it could be another 10 years after the bad thing. We often talk about left of boom, right of boom. And a fear I’ve had a couple of times now is, has the Cavalry’s proactive left of the boom education and investment reached a parade on maximum. Have we run out of preventative progress we can make? Now, we’re in the waiting for the boom so we can help with the cleanup.

Joshua Corman:

So, the stubbornness in Beau and myself is we know we’re never going to give up, we’re just going to try something new every time we think we hit a wall. But we are finding that certain things just won’t happen until there’s really high consequence failures. And that’s why we’re trying to take a close look at the COVID response because this is a good example of how culture knew we weren’t prepared for a pandemic, knew we had to do strategic reserves, knew we were cutting corners on how many ventilators that we might’ve had in hospitals.

Joshua Corman:

But we were trying to do the economic thing and we weren’t doing enough for the low probability high consequence events. And I would love to at least create maybe two schools of thought for risk management, not just the enterprise one, which is what do I do to protect my little kingdom and my insurance and my stakeholders and my company and my shareholder value. But a similar set of what’s the risk management best practices for the public good, for the public safety. We always talk about that public private partnership, which is important.

Joshua Corman:

It just tends to be an abdication of the balance, right? If all we ever do is we say, we want the private sector to lead the way, all the knowledge of the private sector, great, but the private sector doesn’t have the mandate or mission to look out for everybody. So, the people have a mandate and mission to look out for everybody. If we subordinate our guidance too much to the private sector, then we’re never really doing our part. I mean, the chamber of commerce and different trade associations hate some of these public policy things we pushed because it’s work.

Joshua Corman:

It might raise the cost of goods. It might increase accountability, but these technologies underpin financial markets. They underpin keeping the lights on, they underpin drinkable water. So, it’s going to have to be a balance between competing truths of what’s right for shareholder value for a single local optimum in the private sector and what’s right for public safety, national security, economic stability, and preserving our values as a Western democracy.

Joshua Corman:

So, those things, I think, have been out of phase and I’d like to see a lot more public policy, public good focused security initiatives, security talent. And I think we should differentiate. Here’s the best advice for which stakeholders, not just what are best practices, but what are best practices for a company versus an individual, versus a government, versus a critical infrastructure sector. And we have not gotten that good at that yet. I think some folks in government, some of our teammates are getting quite good lately.

Joshua Corman:

And that gives me hope. But there’s still much, much more to do there to create that political will. Because we still don’t have that bill passed, for example, because I don’t know why we can’t even agree that hard-coded passwords are a bad thing. But we still have debate because it sounds hard. So, we’ve got to get to a point where we can put aside local private goods to understand what’s the minimum viable product for public good and public defensibility.

Bryson Bort:

Well, Josh, you waved your magic wand. Now, let’s see if you can peer into your crystal ball. Five-year prediction, one good thing and one bad thing that you think will happen.

Joshua Corman:

Oh boy, one good thing, one bad thing. Maybe not thinking far enough out, but one good thing is I’ve been an advocate for a very specific type of transparency called the SBoM or a Software Bill of Materials that I think will be transformative to developing and maintaining defensible digital infrastructure.

Bryson Bort:

SBoM, the Software Bill of Materials, primarily advocated by a government official named Allan Friedman. This is a concept that’s being advocated to make it easier to identify pieces of issues versus trying to tackle the entire issue all the time because critical infrastructure runs on software like everything else. So, no longer a software, just a whole package, but that it’s built up of discrete components inside of it. So, if there’s a change or there’s a threat that comes out, you’re able to dial in to the specific part of the software that needs to be addressed to defend yourself.

Joshua Corman:

It’s required now by the Food and Drug Administration for medical device submissions going forward. That hard requirement for one type of device got US Commerce Department NTIA to host a multi-stakeholder working group for, we’re in our second year now, for voluntary best practices for all software, for Software Bill of Materials. I’m seeing quite a bit of interest from government procurement and defense procurement to do something similar to the FDA.

Joshua Corman:

So, my prediction is we are going to pilot that with Food and Drug Administration, it’s going to show significant benefits to the medical device in hospital ecosystem. And that will start to matriculate into the water system for lots of kinds of software as we see the benefits. And I think that’ll give us a fighting chance so that when there’s a new attack in the wild, we can answer, am I affected, where am I affected pretty quickly.

Joshua Corman:

So, I think SBoM has crossed the chasm and will change in some obvious and some less obvious ways. I think it will trigger and catalyze an upward spiral of making better software, more defensible, maintainable, and allowing us to avoid elective harm. So, I think five years from now, you’re going to see things like Software Bill of Materials have triggered some very positive valuable transparency and shaken out bad actors and bad products from the market.

Joshua Corman:

A bit of a reckoning, I keep saying transparency is coming like Game of Thrones: Winter is Coming. On the bad side, I think just given how year over year more brazen the use of cyber-munitions have become from between nation states and countries, I think the collateral damage from one of those is going to be a watershed event, maybe like a Chernobyl where bad stuff happens. We didn’t realize how bad it was going to be.

Joshua Corman:

And it’s going to be pretty devastating. I think we saw a preview of how bad it could be with NotPetya, right? All those attacks on Ukrainian companies did the $1 billion of damage to Merck Pharmaceutical, interrupted 20% of global shipping logistics through Maersk. All sorts of others hit pretty hard. So, if each one of them is increasing in damage, I think one of the victims isn’t just going to be a manufacturing line, it’s going to be a mass casualty event.

Joshua Corman:

And if you read the Sandworm book from Andy Greenberg, I get one of the last words in there where during NotPetya, I happened to be in Israel for Cyber Week. And so, most of the international public policy cyber folks from the US and our allies were there through the Munich Security Conference. And it was that day I floated the idea of we should maybe put in place something like a cyber no-fly zone for hospitals as a way to tamp down the use of cyber-munitions.

Joshua Corman:

Because at least with other traditional types of munitions, you can target them, you can contain the blast radius, you know what’s going to get hit. And if there’s proximal collateral damage, and if you’re violating international laws. But with cybersecurity and the entanglement of IT, it’s really tough to contain and constrain your attacks. So, I suggested that any attack, any use of cyber-munitions that affects hospitals deliberately or otherwise would be tried as a war crime, we’ll see you at The Hague.

Joshua Corman:

And not naively believing that no one’s going to use cyber-attacks to advance our national interests, but rather that they understand the consequences of using them. And the bar has to be very high so they’re used in a way that only hits their intended targets lawfully. Because same thing for chemical weapons, it’s very easy to make chemical weapons. But it’s tried and punished severely in international war crime courts. I think we need a similar kind of posture here.

Joshua Corman:

So, my prediction, sadly, is that we won’t get the appetite for such a posture until the next one of those attacks escapes its intended blast radius and does significant harm to the civilian population. So sadly, as a species, we need to burn our hand on a hot stove to know it’s hot. And I think with each new brazen action, even the one you just referred to from Israel, we’re blurring the lines and getting more sloppy, and just how entangled and interconnected we are. We don’t even know how big that blast radius will be until it’s already manifested.

Joshua Corman:

So, when that moment comes, I’m hoping it’s the reason we adopt some of these security hygiene primitives. I fear it may be a reason we do a knee-jerk reaction that actually makes things worse. So, that’s the whole gambit here is can we inject primitives and technically literate policy suggestions before boom, so that when there’s a boom, we can have a head start and have seeded the conversation with helpful security investments instead of harmful ones. There will be a policy reaction, question is will it be helpful or harmful?

Bryson Bort:

Josh, I want to thank you so much for talking with us today. Been a big fan of yours for years and look forward to all the great things that you’re going to continue to do for us. Thank you for listening to Hack the Plant, a podcast of the R Street Institute and ICS Village Nonprofit. Subscribe to the podcast and share it with your friends. Even better, rate and review us on Apple Podcasts so we can reach even more listeners.

Bryson Bort:

Tell us what you thought about it and who we should interview next by finding us on Twitter at @RSI or at @ICS_Village. Finally, if you want to know more about RSI and ICS Village, visit rstreet.org or icsvillage.com. I’m your host, Bryson Bort. Thank you to executive producer Tyler Lowe of Phaedo Creative, creative producer William Gray and editor Dominic Sterett of Sterett Production.
