Las Vegas 2023

Where Bits & Bytes Meet Flesh & Blood

With routine disruption of connected infrastructure: the water you drink, the food you put on your table, the oil and gas that fuel our homes, cars, and supply chains, the schools your children attend, the municipalities that run your towns and cities, and even timely access to patient care, with now-proven losses of life, political will has formed. Changes are upon us. As the world increasingly depends on software and digital infrastructure, it increasingly depends upon… you.

Full transcript

Josh Corman

All right. The next speaker is Josh Corman, who's one of the best boundary spanners I've met in my career. He's a dear friend of mine who I met over 20 years ago, and I'm so proud of the many adventures we've had together. And some of them defy easy explanation.

We got to work together on trying to change the PCI Data Security Standards scoping standards, which he ridiculed as the No Child Left Behind Act for information security. What that meant was that it was meant to be a floor for security, but became the ceiling with others.

We attempted to bring information security into the DevOps fold, which is something that eventually became known as DevSecOps, or SecDevOps, or DevOpsSec. He attended his first DevOpsDays in Austin, where so many of you got to meet and work with him. He spoke with John Willis at this conference in 2016 about how information security and DevOps are like peanut butter and chocolate: better together.

But what is most remarkable to me is the impact that Josh has had on the regulatory environment. Dr. Steven Magill yesterday talked about the upcoming legislation, the 2021 Executive Order on Improving the Nation's Cybersecurity that mandated software bill of materials. And that was actually a direct result of his efforts.

Similarly, the first medical device cybersecurity legislation that made equipment manufacturers liable for the security of the products they sell was due to his efforts. And he served for nearly two years as a chief strategist for the CISA COVID Task Force inside the U.S. Department of Homeland Security.

I think his long journey and recent successes have some pretty fantastic lessons for any technology leader. So I asked him if he could share his story and the lessons that he's learned, and I'm so glad that he said yes. So here's Josh.

All right, buckle up. I'm going for the record on slides.

I missed you all. It's been a while. I was here at the first one here with John Willis, so what, eight, nine years ago? But I've really gone into public safety, human life things, and we're going to give a whirlwind tour about the last 10 years of this crazy journey called I Am The Cavalry.

First, I want you to look at the ceiling. It's a 52-story hotel of steel and concrete. And you've been in here for days, and not one of you looked at the ceiling the entire time in perpetual fear that this building would collapse upon you, because steel and concrete are dependable foundational infrastructure for society.

Part of how I met Gene is I wrote the Rugged Software Manifesto and said, as society increasingly depends on software, it's not nearly as reliable, dependable. In fact, it's chaotic.

Now, some of the work I did brought Gene into some strange places. There's a huge story here we won't get into today, but I had researched the rise of Anonymous and hacktivism because I said that hyperconnectivity and globalism was leading to emergent properties, erosion of social contracts, because first and foremost, I'm a philosopher by training.

We ended up in the hacker community. We got exposed to Goldratt and Deming to be a systems thinker, and now I'm a public policy guy. So when you put those things together, I was worried that cyber activism was going to turn into cyber terrorism. And it did.

And because of that, because the number four on the kill list was a script kiddie, a U.K.-born honor student from Birmingham who joined ISIS after being arrested in TeaMp0isoN from Anonymous and started the Cyber Caliphate. So when a script kiddie can reach out and touch someone, it doesn't matter in a world of seven billion people what most people would do. It matters what one would do.

And because I was successfully predicting things like the emergence of cyber terrorism and the Cyber Caliphate, the intelligence community took notice and started inviting hackers into their halls to decide, how do we better protect society as we're increasingly depending on digital infrastructure?

So I did not feel heroic enough. I asked a team of five of the smartest people I knew to form a complementary skillset and go in and try to speak truth to power. And in a two-day workshop, we were trying to answer questions like, if you could add one sentence of legislation to have the most material impact on public safety, economic, national security, and human life, what would that sentence be and why?

And this was 11 years ago. And at the end of those two days, besides a personal story I won't get into, we found out that they couldn't implement a single one of our brilliant ideas.

And at the bar at the airport that night, I said to each of these fine friends, "The cavalry isn't coming." And I didn't complete the sentiment. There was a silence and an exhaustion that no one's going to save us.

Now, subsequently, my mother's stroke turned into brain cancer. We had to hospice her. We went through a funeral process. And during her eulogy, I realized, if something's missing in the world, maybe it falls to us to try to put it there. So, I Am The Cavalry.

Later, on August 1st, 10 years ago, I asked the hacker community at DEF CON, just up the street, what are you willing and able to do if no one's going to save us?

And I didn't mean on fixing all the world's problems. But my basic concern is our dependence on connected technology was growing much, much faster than our ability to secure it in areas increasingly exposing us to loss of life, like medical devices, cars, high-speed rail, power, water, food supply. And we were messing with Maslow's base of the hierarchy, your basic human needs.

I was looking at the healthcare industry, and they're all concerned about your HIPAA data, your PHI. I said, I love my privacy. I'd like to be alive to enjoy it. We have more regulation to have a corpse with their privacy intact than to have safe, resilient delivery of patient care.

So to think of Maslow's hierarchy of needs, I'm going to jump forward and backward. During my emergency federal service, these are the things where you're not inventing iPhones or writing poetry when you have fear for want for the bottom: food, water, shelter, safety, basic human needs.

During my time at CISA, the newest federal agency, we had successful electronic compromise of the water you drink, the food you put on your table, the oil and gas pipelines that fuel your cars, your homes, and your supply chains, the schools your children attend, the municipalities around towns and cities, federal agencies charged with national security and defense, and even timely access to patient care during a pandemic with now-proven mortal consequences. My team proved it.

So to go back in time, a lot of the things I learned to bring to bear on this public safety mission that I want to invite you into, I learned from Goldratt. The Goal, the Theory of Constraints, fundamentally changed my life. I learned from Deming. I learned from Gene. I learned from the tribe that The Phoenix Project built. I learned from each of you.

And I hope you can see that some of those ideas, to have empathy, boundary spanning, humble seekers looking for global optimums, were brought to bear not just on making our shopping carts faster or our movies better, but maybe society better.

So in the before times, we had to learn empathy. We couldn't just go to doctors and nurses and say, "You should be more cyber secure." They don't care. We're in the way of business. You heard plenty of conversations the last few days about that. What we learned, though, is how they think and what their love language is.

And it turns out that someone did a study in 2017 that found that if you have a heart attack during a U.S. marathon, you have a statistically significant more likely chance of dying in that city. Not because you're a runner, but because it takes 4.4 minutes longer to get the ambulance to the hospital. And that 4.4 minutes was sufficient to drive morbidity and mortality for heart attack victims.

What does that have to do with cyber? Nothing and everything.

What we know is delayed integrated care affects mortality rates for stroke. It's called the golden hour, or golden hours. One, three, four hours are the difference if you can walk again, if you can talk again.

Because of the work and the trust we built with I Am The Cavalry, because we used empathy, because we invested in their love languages, because we were boundary spanners, because we were generative, I got asked to serve on a congressional task force.

The headline at the end of that task force report was that healthcare is in critical condition. Of the 7,000 hospitals in this country, 85% are small, medium, rural, and don't have a single qualified security person on staff. We knew if they showed up and had a cyber disruption, they were going to have a very bad day. We were wildly underprepared.

They told me, "Josh, if you gave us a ton more money, $10 million more, we're not going to spend it on cybersecurity. We're going to buy more ambulances or a da Vinci surgical robot. We're going to hire more nurses." They said, "Until people die, we're not spending a penny on this."

So like good hackers, what did we do? We started killing people.

We started the CyberMed Summit. We worked with physicians, and we took ER simulations they do all the time to practice their exotic skills, and we added actual proof of actual demonstrable hacking into the medical delivery of care to see: can they notice? Does it affect the outcomes?

In every case, patients coded. We were covered on Nightline, and we showed them in a palpable, visceral way in which they were not prepared. And that was good prep work, but that was not anything compared to what happened during the pandemic.

What you're about to see are some slides made by Hired Thought, Ben. So they're a little making fun of me, but that's okay.

The pandemic changed everything, in part because the trust that we built during the congressional work, when the pandemic was declared, the newest federal agency went to Congress and said, "We need some emergency help. We are not prepared for such a multidisciplinary, massive issue."

So they hired me to be what became the chief strategist of the CISA COVID Task Force. And our mission was to do two things: protect Operation Warp Speed and its successors on things that were related to diagnostics, therapeutics, and vaccines for a novel coronavirus, but also to protect the nation's 7,000 hospitals under record-high cyber disruption.

I took a lot of the Deming work. I took a lot of the Toyota supply chain work. I took a lot of the Theory of Constraints. And when we looked at the seven vaccine candidates that got tons of money, and there are 23 named special suppliers who got tons of money, and all the king's horses and all the king's men to make sure they didn't have a bad day in cyberspace or physical security, I was given a list of 4,000, actually 1,000. We turned it into four smaller unprioritized suppliers.

And I asked at that moment, what are the ball bearings of the supply chain? What are those small, unguarded weak links that, if disrupted, means there's a lot of dead people?

And very quickly, using a lot of what I learned from many of you and from history and from World War II and from recovery in Japan, was we basically looked for scarcity, dependency, and other things. We found 66 ball bearings that, if disrupted, could kill millions more. And we had to marshal our resources in record time to try to protect them.

We also had to look at massively multidisciplinary, multisector issues like dry ice and ultra-cold storage. When Pfizer was released, we desperately needed to get it to older people. The 85-year-olds with four or more comorbidities were dying. Critical infrastructure workforce was dying.

It turned out we didn't have enough ultra-cold refrigeration in the country for Pfizer's requirements. So we had to turn to dry ice. Dry ice sublimates across space and time. We couldn't talk to one agency or one state. We had to do this massive logistical analysis to find what were the constraints and the bottlenecks in the precursors.

And they don't speak this language. They don't know what a Wardley map is. They don't even know what value chain mapping is in a lot of cases, because they're very, very siloed.

And then there's freaking Wisconsin. They had all of the dry ice they needed, but they had it pre-committed to their cheese exports for Christmas.

So let me go a little faster. This was go time. People were dying.

So when you talk to hospital professionals, they say it's all about caring capacity. Can you get care where you and your family need it, when you need it? And that is the three S's. This is their love language: space, supplies, and staff. Such that if you have 100 beds of space, you don't have a 100-bed hospital, because you only have 80 staffed beds, and you actually only have enough supplies for 60 of those 80 staffed beds. So your capacity is the three S's.

And that's all they could see during the pandemic. Every single one of them was stressed beyond belief, and no single agency could understand how to ameliorate those.

I had to modify and enhance their truth. I couldn't replace their truth.

And what I showed is when we saw 150,000 excess deaths at the one-year mark of the pandemic from non-COVID conditions, 150,000 of your friends and family, primarily 25- to 44-year-olds, were dying. I said, I bet you those are time-sensitive, latency-sensitive conditions like heart, brain, and pulmonary.

So it's not just keeping people alive. It's, are we thinking about the latency impact of care delivery?

And number two is medical technology. They don't care about cyber. They can't afford to care about cyber. But in the medical technology context, technology is a huge force multiplier of staff. A single nurse in a neonatal intensive care unit for babies can handle three babies safely in 1990. Armed with modern technology, they can do 12, 15, 18 concurrently, remote nursing stations.

So if that med tech is a force multiplier, the unavailability of it is a force divider, and people die. They don't just die in the narrow sense that technology determines our total yield. So if you can contextualize the impact of ransomware, the unavailability has a cascading effect on your space, supplies, and staff.

This is what happened to a baby in Alabama. On October 1st, 2021, on the front page of The Wall Street Journal, we learned of the first named victim of a ransomware attack in an ongoing lawsuit, where the ransomed hospital chose to admit patients anyhow. And doctors and nurses essentially admitted to each other that, had they had access to the dozen or more pieces of technology they need to deliver safe care, the baby would not have perished. And ultimately that baby lost their life.

On the very same day, we published the first statistical proof of loss of life, where we could show, using data science, we published in the CDC, their Morbidity and Mortality Weekly Report, that we could track that the leading indicator of those excess deaths, that 25- to 44-year-olds, was ICU strain above 75%.

So if the nation hit 75% or higher, you would see 18,000 dead Americans in two weeks. If you hit 100%, we saw 80,000 dead Americans in two weeks. And we hit those thresholds three times.

And armed with that data science, we could look at the state of Vermont, which had a protracted disruption just after the U.S. election. And in the same state, with the same pandemic conditions, adjusting for hospital type and size, we could see that the ransomed communities achieved these stress levels sooner and stayed there longer than their peers.

So we knew maximum, minimum, most likely, we could actually prove the mortal consequences of the unavailability of that care, both in that you couldn't survive the ambulance ride to the next-nearest facility if it was more than an hour away, and that the stress levels of those hospitals went up.

Now, you all know Conway's Law. Ostensibly, "provide medical care," the national critical function, belongs to HHS, Health and Human Services. Except that it's not like that.

We know in Conway's Law that your product eventually resembles your org chart. But the real world is messy, and public safety, human life is messy. And truth is, if you don't have water, you don't have a hospital. If you don't have electricity, you don't have a hospital. If you don't have the movement of patients and goods and chemicals, you don't have a hospital. So it's really complex, and we don't operate that way.

And Conway's Law is unfortunate for your products. It's lethal for your federal government.

So we tried to say, when everything's important, nothing's important. I'm trying to reimagine and metabolize this anger and frustration. If the bottom of Maslow's is too squishy for you, I said, let's map these 55 national critical functions to latency sensitivity. If you shut it off for a day or a couple hours, does anybody die?

And out of those 55 things, only 10 of them are lethal within 24 to 48 hours. And they depend upon each other. And this is value chain mapping, and this is dependency graphs, and this is the Theory of Constraints applied to your public safety and your way of life.

And worse, as we fail to provide medical care in a timely manner, we're cutting into the workforce for water and wastewater technicians, longshore and supply chains, which is just a death spiral.

So when I looked at most of these critical infrastructure things, they are multisector in nature. They're target rich but cyber poor. They don't participate in public-private partnerships. And we are messing with Maslow in a way we cannot and should not continue.

I'm going to go real fast at the end here for some of the victory lap.

Ten years ago I started a journey to introduce software bill of materials. So if you like it, you're welcome. If you hate it, tough luck. We need software supply chain transparency. We're all in a supply chain, mostly vendors in the middle. And our tolerated vulnerabilities are passed into those small, medium, rural hospitals.

Eventually, when we had political will and we knew that people were dying, I testified to the Senate last May, and in the last minute the PATCH Act passed into law.

These are mandatory and minimum cybersecurity hygiene requirements for medical devices. They must be patchable. They must have a coordinated disclosure program. They must have a software bill of materials. This will make hospitals safer, whether they're large, medium, small, or rural.

But here's the problem, guys. I want you to close your eyes for 30 seconds. I'm going to go one minute long.

Picture the hospital nearest your home. What does it look like? What's it called? When was the last time you were there? Were you seeing the birth of a child? Did you take an injured family member in an urgent and panicked situation? Were you saying goodbye to a loved one for the last time?

What's the name of that hospital? How far is it from your house?

I want you to open your eyes, because where would you go if it was ransomed? Is it across town, east or west? Is it the next town over, the next county over? Is it owned by the same company? Would it also be ransomed?

Now what if it closed its doors forever? Because that's what happened to St. Margaret's in Illinois.

Most of these small, medium, rural hospitals in the country have one to four weeks' cash flow on hand, and they're already on the ropes. If they get a ransom and they're down for six to 12 weeks, they're down for the count.

So here's a map of the 200-plus closures of rural hospitals in the last five years. And with 700 ransoms a year, that's 700 more times to have them knocked out for good, or part of a predatory merger and acquisition where you're going to have diminished quality of care.

Now, if you have plenty of hospitals in your town, you're fine. But in large parts of the country, there's no care for four or more hours. And if 4.4 minutes can kill you, and four hours will kill you, what do you think this does at this trajectory?

So what are the constraints not for your company or for the goal of making profit? What are the constraints on society? How do I take and lift and shift everything that you all know and do for your companies? And to quote Dr. Spear, how do we maximize value creation for society?

I need a hero. I need a lot of heroes.

So my ask is, will you humble seekers and system thinkers and boundary spanners take all the talent you've built and try to help us make sure we solve these bigger societal problems?

Because no one's coming to save you. We know how to win. We now need to scale it.

Thank you.