Episode 31 | Reimagining Cyber
COVID-19, The Cavalry, and Cyber – No One is Coming to Save You | Josh Corman
Josh Corman 00:03
We had successful attacks in the last 18 months on the water we drink, the food we put on our table, the oil and gas that fuels our cars and our homes, the schools our kids go to, the timely availability of patient care during a pandemic with people dying. The municipalities around our towns and cities, the federal agencies charged with state secrets, national security. Stuff's on fire everywhere.
Rob Aragao 00:31
Welcome to the Reimagining Cyber podcast, where we share short and to-the-point perspectives on the cyber landscape. It's all about engaging yet casual conversations on what organizations are doing to reimagine their cyber programs while ensuring their business objectives are top priority. With my co-host, Stan Wisseman, Head of Security Strategist. I'm Robert Aragao, Chief Security Strategist. And this is Reimagining Cyber. So, Stan, who do we have joining us for this episode?
Stan Wisseman 01:00
Rob, we're fortunate to have Josh Corman with us today as our guest. Josh is a co-founder of the Rugged Software and I Am The Cavalry initiatives. He has served in senior roles like the CSO for PTC, Director of the Cyber Statecraft Initiative for The Atlantic Council, and CTO for Sonatype. Most recently, Josh served for 18 months as the Chief Strategist for CISA regarding COVID, health care and public safety. Thanks for being our guest today, Josh. Anything else you'd like to add about your extensive background?
Josh Corman 01:32
No, just that many people don't know what CISA is. But it's the newest federal agency, a little over three years old now. It's the Cybersecurity and Infrastructure Security Agency, with lots of focus on critical infrastructure protection, for which the pandemic did a doozy on healthcare delivery, vaccine supply chains, even water, food, oil and gas, you name it. So, it was an intense 18 months for the agency no one knows exists.
Stan Wisseman 02:02
And we definitely want to get to that. But I actually want to start back a decade ago. You started these initiatives, Rugged Software and I Am The Cavalry, and I think primarily it was a response to the fact that we've become so dependent on software, and it can really impact our lives. And I think it was, you know, the I Am The Cavalry initiative where you're trying to have us all become ambassadors to help ensure that this technology, if it impacts public safety, is worthy of our trust, right? And so, you know, are these initiatives still alive and kicking? And, you know, are they active? Because they certainly seem to be more important than ever.
Josh Corman 02:48
Sure, I'll contextualize it a little bit. I think chronologically Rugged Software came first. It was me responding to the fact that I read the Agile Software Manifesto. And I said, look, we did all this stack of cybersecurity for enterprise stuff; if we have to reinvent it all over again for application security, that seems inefficient. So, we looked at the source and said, the Agile Manifesto changed software development culture. Let's take a look at it. And we didn't see any recognition of hacking or threats or risk. We don't want to push our values onto them, but you could tell that developers really associated with that value set. And the Rugged Software Manifesto was a short, sweet attempt to make kind of a Hippocratic oath for software developers, so they can recognize the awesome responsibility that comes with writing digital infrastructure.
Stan Wisseman 03:40
You had a manifesto?
Josh Corman 03:41
Yeah, real short. We eventually did some summits and got a community of practice to make an implementation guide and a handbook. But it was a little too late for Agile; you know, the cement had dried, so to speak. But later, the DevOps community really loved it. The founders of the DevOps movement, they're like, yeah, yeah, let's do this. Let's be mean to our code. We should be resilient, we should, you know, let's do this. So, I think that became a change window with which to inject some of those defensible, resilient, maintainable, less complex chunks of code. But in parallel, a little over nine years ago, I had some tragedies happen. And I was deeply concerned about our dependence on connected technology in critical infrastructure. I had been researching Anonymous and the rise of hacktivism, and I was trying to warn the intelligence community that if we're not careful, you're going to see a cyber caliphate. We didn't call it that, but we did. We saw a UK honor student, who went to jail for hacking Tony Blair's website, radicalized and join ISIS. And when he got out, he moved to Iraq-Syria, founded the cyber caliphate, and was recruiting and training people to use social media and rudimentary hacking skills to hurt their enemies, and he was killed with a drone strike. But it was a real wake-up call that as you connect, as you put software in everything, you make it hackable, and when you connect it to everything else, you make it exposed. And I was trying to get the message as deep as I could into government, and realized after two days of doing so at Fort Meade, with General Alexander and five of my handpicked hackers, that they loved our ideas, but they couldn't act on any of them. And they said bad things have to happen first. So that's when I realized the cavalry isn't coming. No one's going to save us. And after more of a personal story, told elsewhere, that takes longer, I realized that if something's missing in the world, we've got to put it there.
And at DEF CON later that summer, I asked the hackers to be the adults in the room and say, if no one's going to come save us, what are you willing and able to do, you know, when you make a personal declaration or commitment to being part of the solution? And we knew we were ahead of the curve. And we knew that people would likely have to die first. But we wanted to build the trust and build the scaffolding and the prep work, so that if something bad happened, we could have a more prompt and agile response. And it's been huge. So yes, it still exists. We stopped counting at over 1,000 members. We have anything where bits and bytes meet flesh and blood: automotive, medical devices, aviation, aerospace, maritime, high-speed rail, industrial control systems. It has been quieter since I went into federal service. And our number two most vocal member, Beau Woods, he also went into federal service with me. So, I think the combination of us being Feds trying to work within the belly of the beast
Stan Wisseman 06:48
Two of the biggest cheerleaders. Two of the biggest cheerleaders were occupied.
Josh Corman 06:53
But also, we tend to do an awful lot of live conferences, like hacking villages, hands-on demonstrations, hackathons. And our first in-person thing we're going to start up again is going to be Hackers on the Hill, where we bring hackers to meet with Congresspeople. That's usually directly adjacent to ShmooCon. So, since ShmooCon got delayed, we got delayed, but we're going to do it in March. So, I'm hoping, both with myself leaving federal service and being able to speak more directly and publicly, and with some semblance of in-person events as the pandemic shifts to endemic, as long as people are doing it safely and paying attention to things, then we hope to be more visible. But in parallel, many of our efforts and initiatives have borne fruit. I've been kind of like the godfather of SBOM for nine years now. And now it's crossing the chasm. It's in executive orders; Log4j is proving its necessity. And we pushed an IoT set of minimum hygiene standards, an IoT law, and its second attempt became the law of the land the December before last, after four years of trying. So, the cavalry remains engaged and active, but significantly less public than we had been, and than we prefer to be.
Rob Aragao 08:20
So, it sounds like maybe the cavalry is coming back to show its face, let's say, here in the very near term, which is kind of exciting. Good to hear. Let's delve a little bit into your recent experience, if you can, at CISA. So, a little background on that, right? That came to fruition through the CARES Act, right, which basically was looking for additional support relative to the COVID-19 response, I think, and that ended at the end of 2021. But, I guess, you know, your time and Beau's spent there, in the belly of the beast, as you said, I just thought you guys really opened up the reality of some things that are, let's say, more difficult to move than we would all like. But thank you, thank you for the work you did there and continue to do. As we delve a little bit into kind of what you see, or saw at the time, around that COVID-19 response and relative to your focus and emphasis on cyber safety, right? Can you talk about, as an initiation to, you know, your desire to drive into the space several years back, what did you see, what did you kind of encounter, right, going through some of the different things? Whatever you can share, again, if there are any specific incidents, without too much detail, but just, you know, kind of what's the realization?
Josh Corman 09:42
I'll do some broad brushstrokes. When I launched I Am The Cavalry, one of the problem statements, and it's mutated a little bit so I might not get this verbatim, but I think the problem statement I used was that our dependence on connected technology was growing faster than our ability to secure it, in areas affecting public safety, human life and national security. And when you frame it like that, you have two choices. You can either depend less upon those undependable things, or you can make them more dependable. Truth is, I want to advance both, right? We're upside down in our mortgage already. And in a lot of these efforts, including the congressional Task Force I did on health care that finished in 2017, you know, we essentially said things like, we've always been prone, we've always been prey, we just lacked sufficient predator activity. Well, that's over. It was already arguably ending before the pandemic, but boy, did things change during the pandemic. The level of brazen, emboldened activity from ransomware changed the economics, changed the target selection, changed the fact that it was unchecked aggression; that people were just paying the ransoms gave them more R&D dollars to come back harder. So, a lot of the seeds were planted prior to the pandemic, but things got really bad. So aside from the pandemic work I was directly hired to work on, let's just look at a couple of uncomfortable truths from last year. We had successful attacks in the last 18 months on the water we drink, the food we put on our table, the oil and gas that fuels our cars and our homes, the schools our kids go to, the timely availability of patient care during a pandemic with people dying. The municipalities around our towns and cities, the federal agencies charged with state secrets, national security. Stuff's on fire everywhere. And these aren't isolated accidents. These are deliberate campaigns.
In fact, just last week, there was a Wired article talking about one of the sets of communications intercepted between the ransomers deliberately screwing with hospitals at the first winter peak. And they were taking joy in the fact that they could cause panic, and people would pay. And we're in a whole new place now, where it was one thing to be prone and prey, but now that they're taking interest, taking action and taking advantage, it's going to take a very long time for us to right-size our dependence and make things more trustworthy. And these aren't just, you know, small and medium businesses; these are critical infrastructure providers. So that's one thing: the threat landscape has gotten much more active. Number two, I think a lot of the federal government and the public-private partnership made unhealthy assumptions that we had more time to get our act together. Like, I think we're on the right arc, but we're late in our beginning, and we're not moving fast enough. So, one of the things I had to really drive, while I was primarily focused on keeping hospitals functioning and keeping the vaccine, diagnostic and therapeutic supply chains running, that was the initial focus of the task force. What I had to drive into CISA, and is now part of CISA's enduring mission, is that not everybody goes to an ISAC or does best practices or understands what the SANS top 20 or CIS top controls are. In fact, one of the uncomfortable truths we found during my congressional Task Force is that 85% or so of the hospitals in the country don't have a single qualified security person on staff, not even one person. So just saying, let's just do best practices, or this cybersecurity framework, is flippant, or just do zero trust, is just unhelpful. So I inverted the thinking: the overwhelming majority of the owners and operators of critical infrastructure are target rich and cyber poor. I was channeling Wendy Nather's "living below the security poverty line" truth.
And what I mean there is you're cyber poor for a deficiency in one or more of the following three things: you're either information awareness poor, there's a deficit of carrots and sticks or incentives, which is the case for some of the high-profile victims last year, and in many cases, though, they're actually resource poor. And when that's true, if you want to identify and buy down risk, you have to meet them where they are, and find realistic on-ramps to crawl, walk, run. So, some of the fruits of that inversion was I found some very strategic weak links in the vaccine supply chains for the DNA and mRNA. And when we finally met one, they had three IT people, none of them security people. And we had to help them anyhow. And to do so, I started looking at, let's stop talking only about best practices, and I thought of the bad practices. Yeah. So, we have something called CISA.gov bad practices. It's currently three, and I think it's about to be a fourth. And these are the things that are dangerous: the use of unsupported software in service of critical functions, the use of hard-coded fixed maintenance passwords, the use of single-factor remote authentication for critical infrastructure. We actually use the phrase "is dangerous." And then there are other things in there like, you know, don't just fix everything. See what's on search; we call it SOS, get your Stuff Off Search, get your stuff off Shodan, for example. Your assets are showing. See what your adversaries can see, what's your own attack surface. And then juxtapose those not with fixing every vulnerability, but what are the known exploitable vulnerabilities, the KEV list, that you've seen mop up and emerge. And fortunately, after being the granddaddy of SBOM, it's been assigned to CISA for operational use as part of that executive order. So, through the fire of Log4j, people got to see how that might aid and assist.
So, we're trying to get to this pragmatic set of minimum things you can do with a very small team while you digest and get educated and then crawl, walk, run. And we had to implement quite a few of those things, including lightweight tabletop exercises and simple cyber hygiene scanning. They're not going to make you hacker-proof, but they may be the difference between a hospital functioning for a month and a hospital being offline for a month, during really elevated needs.
Rob Aragao 16:02
Well, better than nothing, right, Josh? At the end of the day, if you can at least make it a little bit more difficult for the attacker, then maybe they move on to the next guy. So that at least helps.
Josh Corman 16:10
Yeah, and I think, too, this is not to negate the innovation and the hard problems that need creative solutions from the private sector and vendors. But too often we sell to the Fortune 50, and to the, you know, really elite hacking crews facing the most lucrative targets. But when it comes to having reliable water, and food, and healthcare, and first responders, we have blitzed right past the basics. It's, you know, if there's no door on the front of your house, putting multi-factor authentication on the window, and the upstairs, is missing the point. So, there's quite a reckoning that has to happen to identify and buy down risk for the most exposed and most vulnerable that are now in the crosshairs of these more brazen adversaries.
Stan Wisseman 16:59
And it's interesting, you're talking about, you know, just what's visible through searches, not even like doing a vulnerability scan, just, you know, go on Google and see what they can find. Yeah, that's exposed. That's so basic.
Josh Corman 17:14
And I'm not turning into a nihilist either. I mean, a lot of my career has been, you know, the rise of the chief product security officer. That's what I teach for CMU in the grad school: it's important to look for and find and fix vulnerabilities and classes of vulnerabilities. But I think people forget that only about 3% of CVEs are ever exploited. Only 3%. And part of the art form here isn't just randomly taking action and countermeasures. It's better understanding what your exposures are, how they're being exploited, the 80/20 rule of what you can do with the staff you have while you get the staff you need. And there are going to be reckonings and more recovery and minimum standards. I think one huge game changer that's coming is that almost every insurer lost money last year. And they're not in the business of losing money. So, people that just thought, I'll just buy insurance so I don't have to actually, you know, lock the front door: if you're not doing some sort of shared responsibility on some of these negligence things, you're going to either be uninsurable or very costly to insure. And there will be adjustments made. And I think, sadly, you have to burn your hand on a stove before you know it's hot. And I think a lot of people have been burned and changes are coming. I hope they're intelligent and timely.
Stan Wisseman 18:34
We just did an episode on cyber insurance and how the requirements from the underwriters are increasing and the costs are going up. You're not able to renew as easily as you might have thought. And so, you're going to have to raise your ability to assure the underwriter that you're able to put in place some of those fundamental controls that they're seeing exploited, or seeing the weaknesses or the gaps in those controls exploited.
Josh Corman 19:07
I can't wait to listen to that episode. I think we're going to go through some gyrations, right? It went from being too cookie-cutter and didn't hold up to contact with the adversary. I think it could easily go too far the other way, where we start orphaning people who need the coverage, but it is a shared responsibility. And as we get smarter, we can right-size what we're really asking for and what your responsibilities are as the insured and as the insurer.
Stan Wisseman 19:36
Now, you're one of those forward thinkers, right? And I know that you just made that comment that we have a practice of addressing those that are in the top 50, as opposed to the basic needs that we're seeing exploited in critical infrastructure. But what do you think is necessary as we evolve our view of what cybersecurity is, or how to become more resilient? What would you like to see us address next?
Josh Corman 20:11
Oh, a lot of it goes back to where we started. The reason I've always tried to put more emphasis on fire prevention than firefighting is, we're trying to defend indefensible things. In my course, and in some talks I've given at RSA in the past, I use this zombie apocalypse survival pyramid thing. And I think I could do it from memory here. But picture a four-level pyramid where the most important stuff's at the bottom and the empty calories are at the top, like the food guide pyramid. And what I say is, if you're being chased by hordes of the undead that want to eat your brains, the most important survival element is not security. It's, do you run towards that dilapidated wooden barn to your left or towards this brick school building to your right? It's, do we choose defensible infrastructure? Do we have a fighting chance? Are we fighting bravely and dying quickly? So, we really are trying to defend indefensible things with too much complexity, too much attack surface, too much bad or old code in it. Which is why it's so important to do things like software supply chain hygiene and complexity reduction. And number two is also not security, either. It's, do your fellow survivors act as a unit and keep their cool and act cohesively and calmly, or do they panic and run around with their heads chopped off? So, it's operational excellence. Gene Kim did a project with SEI a long time ago called Visible Ops, and they studied the top-performing IT organizations in the world, and of the 100-plus patterns they matched, three mattered the most: do you know what you have, do you know when it changes, and do you tolerate zero unplanned changes. So, operational excellence from the CIO, based on defensible infrastructure. The third is, do we fight blindly and die quickly? Or do we have floodlights and cameras and door sensors to know who's attacking from which direction? How many are there? Are they zombies?
Are they vampires or werewolves? Because you need different countermeasures for each. Can you radio other survivors in other parts of the countryside to see who they're facing? So, this is situational awareness. And we were starting to figure that out about five years ago, with things like threat intelligence and information sharing and data-driven security decisions, or broad instrumentation instead of anti-threat. And then the tip of the pyramid is really your countermeasures and stuff, where most of the cybersecurity industry cut its teeth and spends all its time. You know, like the silver bullets and the pickaxes and the whatnot. But, you know, I think when you contextualize these things, you want to use the right tool for the job. So the real defense comes from having defensible, maintainable infrastructure that's well owned and operated, well instrumented. And then, and only then, do you use your specific fit-for-purpose countermeasures. And most CISOs eventually figured out it's not what you put into the system, but what you take out of the system that really makes it safer. It's about reducing complexity. It's about increasing rigor. It's about taking human error out. And a lot of the DevOps movement does this natively and instinctually, because it also drives stability, and predictability, and maintainability and extensibility. So I think the way we approach IT is just fundamentally unsustainable. We have too much code; more code, more problems. It's too old. We don't know what we're using, where it came from. And everything I've been trying to push on the fire prevention side has been about transparency, about hygiene, about removing elective attack surface, elective complexity, elective code bloat, about threat modeling and trust boundaries. And the move to things in DevOps, the tippy top of the DevOps innovators, are doing things like, instead of the CIA triad of confidentiality, integrity, availability, Sounil Yu likes to talk about it in terms of D.I.E.
Distributed, immutable and ephemeral. And the more infrastructure you can build that's distributed, the less availability is threatened. And the more you have it as immutable, then integrity risks aren't a concern if it's completely headless. And the more it's ephemeral, the time to live is so short that even if someone compromises you, it's gone. So as we choose that brick building versus that wooden barn, the increasing choice of microservices, distributed, immutable, ephemeral infrastructure, better threat models and reference architectures to begin with, fewer and better open source libraries, knowing when there's a new vulnerability, knowing if that's the type that gets exploited, we can design more defensible, maintainable, resilient infrastructure. We just haven't been motivated to. And now that we might be, it's going to take a long time to fix, but we can at least create the best attitudes or the principles that should be sought after as we select future digital infrastructure.
Rob Aragao 25:08
So, Josh, I mean, you've taken us on this journey, right? That, I think, opens people's minds and eyes to the reality of what's actually happening out there. And it's unfortunate at times, when you think it through, that it is the reality that until something happens, people don't necessarily take the right actions, right? But I appreciate the approach you've taken in telling the story and amplifying what your mission is all about. I really liked the zombie apocalypse and The Walking Dead scenario, by the way; that was really nice, made it all tie together. So thanks for coming on and joining us today and sharing your journey on this and the continuation of that that we're seeing here. And I think the March timeframe sounds to be very exciting. We're looking forward to it, Josh.
Josh Corman 25:49
One alibi, I guess, since I still talk like a gov. One of the lines that I'm most fond of from the executive orders, I'm like, dang, that's like first principles. The line is: in the end, the trust we place in our digital infrastructure should be proportional to how trustworthy and transparent that infrastructure is, and to the consequences we will incur if that trust is misplaced. And my plea to each of you listening is, as the world increasingly depends on software and digital infrastructure, they increasingly depend on you. We need you to be your best.
Stan Wisseman 26:23
Good message. Thanks, Josh.
Rob Aragao 26:25
Thank you, Josh. Thanks for listening to the Reimagining Cyber podcast. We hope you enjoyed this episode. If you would like to have us cover a specific topic of interest, feel free to reach out to us, and you can find out how in the show notes. And don't forget to subscribe. This podcast was brought to you by CyberRes, a Micro Focus line of business, where our mission is to deliver cyber resilience by engaging people, process and technology to protect, detect and evolve.