Where Bits & Bytes Meet Flesh & Blood
How vulnerable, life-critical systems are affected by insufficient cybersecurity practices and ransoms committed by bad actors.
Full transcript
Host Intro (Gene Kim)
So, the next speaker is Josh Corman, who is, as I introduced him in Las Vegas two months ago, one of the best boundary spanners I have met in my entire career. He is a dear friend of mine, who I met over 20 years ago, and we have had so many wild, fun adventures trying to elevate the state of the practice across a whole bunch of different domains.
And I will just read one of them. We got to work together to try to change the Payment Card Industry Data Security Standard, which he ridiculed as the No Child Left Behind Act for Information Security, where what was meant to be the floor for security became the ceiling.
He was certainly instrumental in getting the Sec in DevSecOps. So, with that, Josh, can you introduce yourself and tell us what you have been working on these days?
Josh Corman
Sure. Hello all. I have met many of you. Josh Corman. Hopefully, my audio is working, and video, and hopefully, you can see some slides as well.
Gene Kim
Absolutely. And I am so glad you can give a recap of partly what you presented at DevOps Enterprise two months ago.
Josh Corman
Sure. So I am a philosopher who ended up in the hacker community for a couple of decades and learned systems thinking, Theory of Constraints and Deming, and all that fun stuff, and then kind of accidentally became a public policymaker.
I have been trying to pioneer for the last 10 years, through a group called IAmTheCavalry.org, the idea that the cavalry is not coming on where bits and bytes meet flesh and blood: the idea of cyber safety as we add software and connectivity to things that can lead to loss of life or physical harm. I was deeply concerned.
The idea here is we are over-dependent on undependable things, and when we finally reveal the true costs or the true risks, then we can have a proportional dependence for proportional trustworthiness and transparency.
So, if you want the longer version, go watch the recording from Las Vegas, and if you want the even longer version, there are plenty. But this came out of Gene Kim, myself, and a few people going to Fort Meade to talk to General Alexander and Anne Neuberger to try to help nudge the US government on its posture for defense and offense on cybersecurity.
And after two days of breathtaking ideas from some of the best minds in the business and the most compliments, they could not really do any of it. So I said to the guys at the bar, "The cavalry is not coming. No one is going to save us." And that is both depressing and empowering, and there is a more personal story to go with that.
But I am going to try to recap a few pieces to give you the texture, in case you did not see it, to enable the back and forth between Gene and me as we close out today, day two.
So the idea here is you think of Maslow's hierarchy of needs. You cannot invent the iPhone or change the world or do beautiful works of art if you want for food, shelter, safety. And increasingly, as we have added software and connectivity to the bottom of Maslow's hierarchy, our food supply, our water, et cetera.
While I was at CISA, the newest federal agency, the Cybersecurity and Infrastructure Security Agency, based on my work for I Am The Cavalry, we saw successful cyber attacks, another set this last week, on the water you drink, on the food supply you put on your table, on the oil and gas that fuels our cars, our homes, and our supply chains, on the schools your kids attend, on municipalities that run towns and cities, on federal agencies, and more importantly, on timely access to patient care now with proven mortal consequences.
So this has been a journey I have been on since August 1st of 10 years ago. Our group turned a decade old. Now we are asking ourselves, do we end it, transform it, or combine it? And I am in the throes of those heavy decisions.
But we learned, using empathy and character and tabletops and dinner tables, like the Admiral just referred to, to use the love language of the people we were working with. And in the medical world, we know that time is brain, or that time delays affect mortality. So a 4.4-minute longer ambulance ride can elevate mortality rates for heart conditions, and the golden hour, or golden hours for stroke, of one, three, or four hours can be the difference in whether you walk again or talk again. We put that into the now growing, unsized, unmanaged risks of hyperconnectivity in healthcare.
I served on a congressional task force for healthcare industry cybersecurity, and our report came out Mother's Day weekend 2017, and we said we are in really bad shape.
Now, the hospitals all said, "Look, privatized medicine in the US, we cannot afford this. We do not need more money. If you gave us $5 million more, we would buy more nurses. We would buy more ambulances. We cannot do this. Until people die, we are not doing anything."
So, like good hackers, we started saying, "Fine." We started killing people in ER hacking simulations, where we would take actual simulations for their profession of treating patients, and we would introduce demonstrable real-world hacks into the equipment to see if they could adapt. But that was really our fire drill. The five-alarm fire was really the pandemic.
So when the nation and the world encountered the COVID-19 pandemic, emergency hiring authorities allowed CISA, the newest federal agency, to rapidly hire outside experts to work arm in arm with their teams. Ben Mosier helped make these funny graphics.
But it turns out that while my cybersecurity expertise for hospitals and vaccine supply chains was important, I found myself using Theory of Constraints, Toyota supply chains, Deming, value chain mapping, Wardley mapping on a regular basis to make sure that you and your families could stay alive and well.
So one example of that is the vaccine supply chains. We knew that Operation Warp Speed had funded seven vaccine candidates, 23 direct suppliers, but I was given a list of 1,000, later 4,000 tiny suppliers, none of which we knew which were important. And I used World War II ball bearing thesis and things I brought to bear for software bill of materials to really hone down impact, dependency, scarcity using Wardley-like concepts to get to the 66 ball bearings, the small, unguarded weak links in the supply chain that, if disrupted, could lead to loss of life. So that was not really cyber, but sort of cyber.
We also saw that when Pfizer crossed the finish line and we wanted to save our elderly in the first batch of vaccines, we did not have enough ultra-cold refrigeration. We did not have enough dry ice. So again, value chain mapping and boundary spanning and talking to logistics people and chemists and physics people across the 50 states, including Wisconsin, allowed us to identify and avert weak links in those value chains.
We also had to turn to hospitals. Now, hospitals are trying to keep people alive, and while there were 500,000 dead Americans at the one-year mark from COVID, there were another 150,000 dead Americans from non-COVID excess deaths, the difference between actual deaths and expected deaths by state, by condition, by demographic, and by cause.
So for doctors and nurses, their love language is caring capacity; that is what keeps people alive. It comes down to the three S's of space, supplies, and staff. If you have 100 beds of space, you do not have 100 beds of caring capacity if you only have staff for 80 of those 100 beds and only enough supplies for 60 of those 80 staffed beds. So this is their love language. I had to enrich and enhance it because all of these were getting stressed and strained and a lot more people were dying. Again, 150,000 at the one-year mark.
So based on the empathy we had built, we said, "I wonder if these excess deaths are the time-sensitive conditions like heart, brain, and pulmonary, where minutes or hours matter." And they were. So it is not just keeping people alive, it is priority queuing.
We also could not get them to care about the technology, but the difference here is a nurse in a neo-intensive care unit in 1990 could probably handle one or three babies concurrently, safely. But armed with modern technology, they can handle 12, 15, or more in a remote monitoring station. So if medical technology is a force multiplier of your staff, then the unavailability of that is a force divider. And the unavailability on a regular basis with several hundred ransoms affecting US healthcare, small, medium, rural, and large alike, allowed for delayed integrated care.
There was a baby that sadly lost their life in a 2019 ransom that was made public on October 1st, 2021, and this changed the world because we went from thinking that this is a victimless crime, or a data crime, or a financial crime, to realizing this is a threat-to-life crime. And with all these technologies that we depend upon to provide safe care on those patient-to-nurse ratios, the unavailability of those hurts the patient.
On the very same day, my team used qualitative and quantitative and very Deming-esque and Goldratt-esque methods to show that the protracted hits to US medical care also led to loss of life. We published that if the US hit 75% ICU strain for adults, you would see 18,000 dead Americans in two weeks. If it hit 100%, you would see 80,000 dead Americans in two weeks. So very large numbers. Again, not cybersecurity, but looking at the unsized complex systems risk and constraints, we could see that not only were those dying from saturated hospitals, but ransoms could make it worse.
In fact, we used this qualitative and quantitative math to show that when ransoms affected the state of Vermont, in the same state, the same pandemic with the same conditions, adjusting for hospital type and size, you could see that the regions hit by ransom achieved these excess deaths sooner and stayed there longer than their peers. So this is some pretty heavy stuff that really was not cyber, it was really star-star risk.
And when you look at the way the federal government, in a longer presentation, tries to divide critical infrastructure risks into 16 categories, you would think that Health and Human Services has responsibility for this provide medical care. But the truth is much more complicated in that you need water, you need electricity, you need chemicals from other sectors. So these are multi-sector, multi-level risks.
And back to Maslow's, out of the 55 or so things that the US government considers critical infrastructure services or national critical functions, about 10 of them are time-sensitive, latency-sensitive, and if you shut them off, lots of people can die. And a lot of this work really showed the gravity that not only are we not doing value chain mapping and constraints analysis on critical infrastructure. We are really good at these things in our day jobs. We are doing a really bad job at taking these insights and breathtaking innovations and putting them into public interest and public safety.
So with that, each flu season, we get to these record high strains again, and unless and until we can get the government and ourselves to identify and map these, we are going to have a circular problem with preventable harm.
So without doing the rest of the presentation, just to tie this off and pivot to the next chunk, one of the sadder parts here is that even the public-private partnerships we have with the private sectors and government tend to focus on the haves, not the have-nots. And about 85% of the owners and operators of critical infrastructure in the private sector are target-rich but cyber-poor.
So we had to start inverting the way that CISA thinks about this and say, "Let us not utter best practices or zero trust. Let us look at the bad practices, the most dangerous. Let us tell people how to get their stuff off the naked internet so that you do not even need hacking skills. You can look at Shodan and get your stuff off Shodan and other search engines. Do not fix all the vulnerabilities. Only 3% ever get exploited, and even a smaller set hit critical infrastructure."
So CISA started publishing the known exploited vulnerabilities so we can be more targeted and data-driven. And if those bad practices were not enough, the White House asked them to build upon that and create cyber performance goals, which is the crawl stage of crawl, walk, run.
I also wanted to give everybody a fighting chance, and this community has loved Software Bill of Materials, which I have fought for for 10 years, but now it is in laws and regulations, including in medical devices: to bring a new medical device to market now, we passed two federal laws. The most recent, in December of last year, was called the PATCH Act, which is the leading indicator of how SBOMs can both be made in safety-critical environments and provide tremendous benefit up and down that supply chain.
I tried to take a lot of these lessons learned and put them into White House thinking, international diplomacy, on things like looking at software liability finally, looking at shifting the cost burden, looking at being more economic and constraints-based, looking at investing in open source. Congress is doing similar, the international community is, but the bottom line is do not mess with the bottom of Maslow's hierarchy. People die.
And what I really want is, since the government is not yet poised to do this, we have got to stratify. When everything is important, nothing is. We have to focus on the most critical time-sensitive ones, which are inherently cross-sector with lots of target-rich, cyber-poor. We have got to help CISA rise to meet its awesome responsibility, and its siblings need to let it and help it do so.
In the meantime, I do not think they can do it. They do not have the training or experience, so I need our constraints-analysis boundary spanners and systems thinkers like yourself to maybe think about donating a little bit of pro bono work in a public interest.
And the reason this could hit home is we are now seeing across the 7,000 hospitals in the US, some of them are closing their doors forever. We have had 200 rural hospital closures. This one was brave enough to say that their ransom event was a key contributing cause of its death. And the only thing worse than having a ransom knock down your hospital for six weeks or so is knocking it down for good. And across the continental US over the last several years, we have had 200-plus rural closures, and this might be where your family needs timely access to care. So this is not just about doing something for the general public good. The life you save could be your own.
So what am I asking for? The risk community, the cybersecurity community. Gene asked me 15 years ago, "Why are you still in cybersecurity? All the best people have already left cybersecurity." And I knew there was work to be done, and we had to grow up a bit. But I am now at the point where we are not going to do this on our own. We need your community to help be that missing link between the outside world and what we know about risk, because risk people hate the way things are and hate making changes.
But Gene, I think you had a question or two for me.
Q&A
Gene Kim
By the way, yeah. That was, yes, I was like, "Why are you still in security? Most of the smart people have moved out of it to work on things like ops or DevOps." I remember that.
Yeah, in fact, so much of the sessions over the last two days have been around communicating value. How do you sort of look to get the mirror neurons in someone else to fire, so that we can convince them that we have a common goal? And my reflection on your story is that you have done many things, but one of them is that you are so good at rhetoric and changing the language of some of these things, so it is not about something abstract, but about hospitals killing patients because they are not doing certain things.
Can you just talk a bit about the use of language? To what extent was that deliberate? I know it is deliberate. And to what degree can that be taught, and how important is it?
Josh Corman
I was taken by many of the people today and yesterday. They were gifted rhetoricians, I guess. But I think you need the right lexicon and framework to be able to talk about things. And in fact, just even, I added this this morning after hearing a few things. Like AI and LLMs, they kind of have given me pause. Of course, there is great promise, but there is great peril.
And what I realized is, as I look at the language and lexicon, we just do not have the right way to talk about technology risks. So a few ways that I have shifted even since two months ago is if we cannot equip mainstream Americans or engineers or VC-based capitalists to think and talk the right way, then we are going to be pushing a rope or we are going to be always playing catch-up. And with the velocity of change, things are getting weird.
So my new focus is really on when you look at the few times technology has gone wrong and really affected the species, whether it is asbestos, Levodopa, Chernobyl, gain-of-function research, or bioengineering, there are really a couple of ways we could try to anticipate and size and have proportional humility and proportional restraint to the type of impact we could have.
And we hope that these are rare events, but really one is complexity that is simple and causal. Is it complicated? Is it complex, complex adaptive systems? Is it unknowable? Is it velocity of harm slow-moving, and you have time to course-correct, or is it rapid and instantaneous? And is the blast radius going to take out a person, a company, a region like Chernobyl, or maybe the entire planet through a pandemic?
And you could use this to stratify, maybe like category 1, 2, 3 hurricanes, and we have got 3 or 4 concurrently. And what I would love to do is tap into the skills that we use for our enterprise or for site reliability from this community and find some way to take what you know and how amazing and transformative you are, and could we, like lawyers do, think pro bono, and could you help a bit, a few hours a month, on some sort of public interest technology?
And if you do not know all this stuff, and you do not know cyber civics or how a bill becomes a law or some of the international stuff, do not worry, I will help there. But what I really need is your talent and your interest in making sure that we have a balanced relationship between technology and the human condition. And that needs humility. It needs people that want answers. It needs systems thinkers, and most importantly, boundary spanners and good rhetoricians. But it also needs urgency.
Gene Kim
And by the way, I just want to apologize. I am laughing at some of these things, not because it is funny, but because it is so overwhelmingly horrible in terms of gain-of-function research in AI. Not something to really laugh at.
Josh Corman
All these things can be transformative. They also carry great potential for harm, and we have lacked the ability to properly talk about and size risk. With drug trials, we do not know how they work with the human body, so we are very careful, and we put them out in phases.
Gene Kim
Right.
Josh Corman
And we watch to see if bad stuff happens. We cannot always just do damn the torpedoes and full steam ahead. So I agree with the prior speakers that we are going to need creativity and character and compassion and charisma, but let us make sure that we are applying it not just to our day jobs, but also to humanity and society at large.
Gene Kim
Oh, absolutely. By the way, I want to credit you for the crack. It was Admiral John Richardson: like, "C does not stand for cigar. Instead, C is for charm and charisma."
Josh Corman
Yes.
Gene Kim
That was you, not me. And so, speaking of pro bono work, you have certainly, over your career, spent so much time helping elevate the bar, raise the state of the practice. You are now in between gigs, and so if you could wave a magic wand, what is it that you would ideally be working on? Because here is a rare chance to potentially snap up someone as talented and experienced as Josh Corman. So Josh.
Josh Corman
Well, as a philosopher and hacker and systems thinker and someone good at public policy, I feel obligated to lean into some of this AI work in a conscientious way. Not to stop it, but to ensure that we magnify the promise and mitigate the peril. Knowing how and where to do that is more challenging, so I am looking for ways to better equip the population with this risk lexicon, and need teammates who speak different languages than I do and bring different skills to the mix. So I am in a couple more months of deciding what the next 10-year mission will be, but it is certain it is in this vicinity.
Gene Kim
So good. All right, so I heard two things, a request and an offer. Let us see here. So if you are interested in exploring what some pro bono work to the tune of hours per month might look like, why do you not DM me, and I will pass on that information. I will just make that direct connection.
And, hey, if you have any interest in tapping some of Josh's skills, also hit me up, send me a DM, and I will make that connection as well.
Josh, any other words of advice for technology leaders trying to make an impact on their organization and achieve their own personal goals?
Josh Corman
Takes a village. Make sure technology supports and subordinates to what makes humans better, not the other way around.
Gene Kim
Very good. Josh, thank you so much as always. And, again, if you are interested in that offer, or want to respond to Josh's request for help, just send me a DM. Thank you, Josh. Looking forward to continuing this and for years to come.