March 11, 2025 – Welcome to season 5! Our host Bryson Bort sits down with Institute for Security and Technology (IST) Executive in Residence for Public Safety & Security Josh Corman. Josh previously joined us on season 1, episode 2 to discuss his experience founding I Am The Cavalry, a grassroots organization focused on the intersection of digital security, public safety, and human life.
Today, Josh walks us through his Cyber Civil Defense initiative UnDisruptable27 and his work to bolster the resilience of local critical infrastructure systems.
What role can you play in making our communities more resilient? What risks do we face from a hybrid conflict? How can we better prepare for disruptions to critical infrastructure?
“You inform, influence, inspire. You make sure people aren’t blindsided, and even if they can’t stop the natural disaster, they can at least prepare for it and make informed decisions and innovate locally,” Josh said. “And unlike natural disasters, where we only have a couple hurricanes a year, we may have concurrent unnatural disasters on plural U.S. infrastructure sites across the country with finite resources to respond and recover.”
Join us for this and more on this episode of Hack the Plan[e]t.
Hack the Plan[e]t is brought to you by ICS Village and the Institute for Security and Technology.
Transcript
Bryson Bort: I’m Bryson Bort and this is Hack the Plant. Welcome to Season 5!
For today’s episode, I’m joined by Josh Corman, Executive in Residence for Public Safety & Resilience at the Institute for Security and Technology, where he is leading an initiative focused on the safety, security, and resilience of four lifeline basic human needs: water, healthcare, food, and power, especially at the local level.
Josh is also the founder of I Am The Cavalry, a grassroots group of experts at the intersection of digital security, public safety, and human life.
We discuss his project, Undisruptable27, its focus on ensuring the continued operation and recovery of essential lifeline infrastructures, and how they are taking a more creative approach to ensure the public stays informed of potential vulnerabilities.
Josh Corman: “…when everything’s critical, nothing’s critical, and it’s not useful to look at the 16 critical infrastructure sectors as designated by the U.S. government. It’s not even useful to say we have these 55 national critical functions like provide drinking water or provide medical care because when everything’s critical, again, nothing’s critical.
So I tried to map these to Abraham Maslow’s hierarchy of needs like food, shelter, safety, like if you have a choice getting mugged, your wallet or your life, I hope you’re smart enough to give over your wallet and preserve the life of you and the loved ones in your care. And yet we tend to put way more time and energy on the cyber defense of credit cards and data than we do on the critical infrastructure operations and continuity of operations and resilience and recovery of the lifeline infrastructure: the water you drink, the food you put on your table, the power that heats our homes in the winter and cools them in the summer, the timely access to patient care where minutes or hours are the difference between life and death.”
Bryson: What role can you play in making our communities more resilient? What risks do we face from a hybrid conflict? How can we better prepare for disruptions to critical infrastructure? And if he could wave a magic, non-internet-connected wand, what is one thing he would change? Join us for this and more on this episode of Hack the Plant.
All right, Josh, what is UnDisruptable27?
Josh: Undisruptable27 is the working title for my every day, twice on Tuesdays, get out of bed in the morning and how am I going to try to make the world a safer place? It is a funded pilot housed at IST, the Institute for Security and Technology, funded by Craig Newmark, a philanthropist, technologist extraordinaire.
This is a logical extension and crystallization and concentration of a lot of what you and I came to know each other through, which is our passion for public safety, human life on critical infrastructure. But it takes a lot of the body of work from the last dozen and a half years of Cavalry or seven, eight years of CyberMed Summit, or work on the CISA task force, and it boils it down to a much more bounded, tractable, intense, and prioritized list of sprints.
So I guess we could do like the who, where, what, when, how, why thing. But basically, the working title on Undisruptable is in part because my neighbors don’t know what a breach or IOC or a TTP or a threat actor is, they just know they’re seeing more disruption, larger disruptions, longer disruptions, more life safety disruptions, multi-state disruption on the technology they depend upon.
And these might be from accidents like CrowdStrike, or adversaries that want their money through the ransom punishment campaigns on healthcare, which used to hit individual hospitals, then big hospital networks across multiple states. And then things like Change Healthcare shut down payment processing and access to medical records for 75% of the country for five months before fully restored and recovered.
So they see disruptions to payroll, disruptions to flight, disruption to patient care, and they’re saying to us: hey, I thought you guys had this taken care of. What’s going on? So the trend line from accidents and financial adversaries is unsustainable, hence the language that they use. Then, what is in scope?
Okay, well, when you and I have this old saw, when everything’s critical, nothing’s critical, and it’s not useful to look at the 16 critical infrastructure sectors as designated by the U.S. government. It’s not even useful to say we have these 55 national critical functions like provide drinking water, or provide medical care, because when everything’s critical, again, nothing’s critical.
So I tried to map these to Abraham Maslow’s hierarchy of needs like food, shelter, safety, like if you have a choice getting mugged, your wallet or your life, I hope you’re smart enough to give over your wallet and preserve the life of you and the loved ones in your care. And yet we tend to put way more time and energy on the cyber defense of credit cards and data than we do on the critical infrastructure operations and continuity of operations and resilience and recovery of the lifeline infrastructure, the water you drink.
The food you put on your table, the power that heats our homes in the winter and cools them in the summer, the timely access to patient care where minutes or hours are the difference between life and death. So Undisruptable says we’re going to focus on the continuous operations and recovery of water, power, access to emergency care, and adequate food supply.
So that’s the what. The controversial bit is I picked 2027. I hope we talk about this a bit. It could be a year later, two years later, it may not be China. It might be Russia, Iran. But the idea here is if we have a conflict, the next conflict will be a hybrid conflict. And at least China has a publicly stated objective: they would like to take Taiwan as early as 2027 and they would like the U.S. to stay out of it. And in hearings going back to January 31st of 2024, the four horsemen of cyber in the U.S. government revealed declassified descriptions of Volt Typhoon, where we have found and evicted Chinese military actors from U.S. water facilities and other critical infrastructure. They’re there, quote, pre-positioning, so laying essentially virtual bombs in these facilities, so that if we were to interfere, they could, quote, rain chaos on U.S. soil to undermine public support for our intervention in Taiwan. So there’s lots of material there, but what if we treat this like a Y2K, where we had some time to prioritize and buy down risk?
Not infinite time, but some time that was my early career was working on Y2K issues for life safety issues. Then what could we do? And I already have a little taste of this because, as you know, when I ran the CISA COVID task force, we didn’t have 10 years to just implement zero trust, or just do the NIST Cybersecurity Framework.
In the case of a lot of the suppliers to our medical equipment, we had six months, maybe 12 months. So I didn’t say, we’ll just do best practices. We got very pragmatic. And we targeted the 66 ball bearings, the small unguarded weak links in the supply chain that, if disrupted, could lead to mass casualties. And we looked at the most critical of the critical infrastructure workforce. And we tried to make sure that we had continuity of operations for our nation’s hospitals, and for water and for food supply as they were starting to see more disruption. That was things like hospital ransoms, which were the first proof of loss of life after we did our data science and published it. It could be the water hack in Oldsmar, Florida, reminding us that whether this was a malicious actor or an insider, or damaging or preventable or mitigated or not, if you connect things to the open internet you expose yourself to all sorts of accidents and adversaries. Whether it’s Colonial Pipeline, disruption of oil and gas for the Eastern seaboard, whether it’s the JBS meat facility disruption. We had a little taste of it during the pandemic, and we didn’t just say platitudes.
We actually found the most important systemically important entities and brought down risk. So similarly, could we use the next two years? Working backwards like a Y2K or an Apollo 13 mission where you only have the time and the equipment you have in the capsule to save people. And these crucibles can be the mother of invention, right?
Necessity is the mother of invention. So we’re looking at what are practical, reasonable ways to not just write more papers and have more discussions, but actually engage, meet people where they are, identify and buy down risk. And how is this different? One last bit. Unlike previous efforts, or just using the, quote, public private partnerships of Sector Coordinating Councils and ISACs, we see an incredibly low participation rate across the country among critical infrastructure owners and operators.
If you look at, like, good ones, like the financial services ISAC, there’s a lot of the big banks because that’s where a lot of the risk is. But if you look at, like, healthcare. There were 7,000 hospitals when I did my 2016, 2017 Congressional Task Force, we’re down to 6,000. But there’s only a couple hundred in the ISAC and Sector Coordinating Councils. The big ones.
Well, you can’t just fix the big ones. You look at water, 151,000 water facilities across the U.S. There’s about 650 in the ISAC. That’s not a good penetration rate, and they might be the big ones, that might be where the cities are, but we have an obligation to protect the wellbeing of citizens, irrespective of their zip code, and the overwhelming majority of the footprint of the U. S. is elsewhere.
So you’ve heard me use the phrase target rich, but cyber poor. So pulling this all together, I think Undisruptable is: average everyday citizens are seeing an unsustainable trajectory from accidents and adversaries who want money, let alone weapons of war, and while we have had proof of intent, and we have had compromises from Chinese actors, Russian actors, Iranian actors, on our U.S. water facility, and certainly plenty of criminal activity on our hospitals, we should focus on water, food, power, access to emergency care. We should take some urgency into how to identify and buy down risk. It may be shields up, it may be a connection down.
It may not be adding cyber, it may be removing complexity. What can actually work? And then let’s do this in a novel way, where we engage new types of teammates. Like I don’t know, emergency management folks, crisis, all hazards, folks, local leadership. Let’s not do this in D.C., let’s do this out in the heartland.
So if you can meet people where they are, use language like hurricanes, right? You don’t say, well, no one could stop this hurricane. Let’s not warn them. What you do is you give them the chance of, hey, this is what we know, this is what we don’t know. You inform, influence, inspire. You make sure people aren’t blindsided, and even if they can’t stop the natural disaster, they can at least prepare for it and make informed decisions and innovate locally. And unlike natural disasters where we only have a couple hurricanes a year, we may have concurrent unnatural disasters on plural U.S. infrastructure sites across the country with finite resources to respond and recover.
So I think while this may have something, we hope there’s no disruption like a Volt Typhoon triggering things, there might be a ladder of escalation I think we should discuss, from deterrent to warning shot to full out chaos. We hope that wouldn’t happen, but you and I both know that it can happen. Our owners and operators are naked on Shodan, with hard-coded passwords, with known exploited vulnerabilities, using compromised equipment, and all we’re kind of doing is hoping our predators don’t attack the prey.
So, the question right now when you discuss this with the public private partnerships isn’t, is there a Volt Typhoon? It isn’t, do we have more time? We might have some time in the margins. It might be. Maybe we don’t go to a conflict with China over Taiwan, maybe the negotiation is reached, but I’m going to remind us that the Cyber Army of Russia Reborn has compromised water facilities in Texas. The Cyber Avengers have compromised Israeli-made equipment in Pennsylvania and other states. The North Koreans are doing stuff to fund criminal slash nationalistic objectives. And we have tensions with Russia over Ukraine. We have tensions with Iran and the Middle East. We have tensions with China, and whether it’s them or just some accident, I don’t want our nation’s water supply to be exposed to every accident and every adversary and just kind of hope that they don’t do anything with that access.
One of the phrases we use is, ‘we are overdependent on undependable tech, exposing us to accidents and adversaries.’ And I think at some point we’re going to get our sanity back, and where our dependence will be proportional to how dependability – how dependable that tech is, and to the consequences we incur if that trust is misplaced.
But at the moment that overdependence is not right-sized, and we’re in a messy middle between being overdependent and right-sized dependent, and it’s not going to be a pretty couple of years.
So, I say, if you put a boundary around that, Undisruptable says we’ve got about two years, plus or minus, to get serious about identifying and buying down risk in our most basic lifeline needs so our individual citizens and communities can be less disrupted, or maybe even Undisruptable, from this sometimes reckless dependence on connectivity.
Bryson: So, your career, I Am The Cavalry, the things that you’ve done professionally lead to this point, but what was it specifically that coalesced this project? Why this project? Why this way? Why now?
Josh: It was probably the confluence of a few things. One, as you know, I was pretty crispy after coming out of CISA. On the CISA Task Force, we did a lot of really good things and high impact things, but I also saw a lot of dysfunction in the public private partnerships in the interagency, and there really wasn’t that sense of prioritization about which of our lifeline critical functions matter most. Number two is I was starting to get success teaching the world that.
Very little participation in the public private partnerships. It’s basically the, the target rich cyber poor are absent, their needs are different, their knowledge is different, their resources are different, and they just don’t show up. So a lot of these public private partnership turn into regulatory capture and lobbying by another name and sometimes unethically and illegally. But the real trio that put me over the edge, knowing what I already knew, is the January 31st public hearings about Volt Typhoon and how matter of factly and starkly they were saying really uncomfortable truths out loud in unison. You gotta watch that, some of the lines from Christopher Wray or Nakasone or whatnot were things a lot of us knew, but they were saying it out loud.
And when I heard that, I think it just kind of said, we can’t ignore these advancements anymore. We, the cyber security community, have kind of failed the public. We have allowed them to believe, falsely, that it was safe enough for us to start connecting this tech without being able to pay the bill for doing it responsibly. So that public hearing was one trigger. Number two, I went to this thing called Common Good Cyber with many of our friends where it was a confab for a couple days on how do all the non profits get more organized, more effective, not just write papers but have more impact. There’s a dearth of funding sources, so I’m in a room with like a whole bunch of people who care about more than just themselves, who have dedicated years or even decades to trying to make the world a better place. And I just didn’t see a cohesive vision about what’s most important, no systems thinking, no shift to making our jobs irrelevant, like we should be actively working to get ourselves out of a job when we weren’t. So I got a little frustrated that I’m in a room full of like minded people, but there wasn’t enough kinship on fixing problems. We’re more studying and admiring problems, but there wasn’t a sense of urgency to do something. And I started self imposing and asking others to add a sense of urgency, especially in light of the Volt Typhoon public revelation. And then as we’re at that conference in February, Change Healthcare gets hacked.
An entity that most Americans have never heard of, and I’ve been in a multi year fight to try to make, raise the minimum cyber hygiene of hospitals across the country, so they could better defend themselves against ransomware, and here we are, this isn’t a hospital, this is a payment processing middleware, that if disrupted, is essentially a ball bearing, right, it’s a It’s a systemically important entity, systemically important critical infrastructure.
While we’re not even doing a good enough job on protecting individual hospitals, the hospital could do everything right. And that disruption to cash flow, disruption to patient care, disruption to workflow, can still endanger and imperil the financial solvency of more hospitals, the timely active patient care for your loved one, the ability to get drugs you need when you need them. And I think that trio just kind of said to me, all right, we got to do something different here. And I think the cavalry has long prided itself on not taking a penny. We just didn’t want to be in perpetual fundraising mode. We wanted to fix problems. We wanted to build trust and initiate projects. Then hopefully, if we say medical devices are unsafe, we did enough work and trust building with the FDA and with Congress that now there’s a law requiring minimum cyber hygiene for medical devices.
So we don’t have to, like, perpetually focus on medical devices. But I think when I looked at this, I said, I’ve been so focused on slow incremental progress and wins that I haven’t noticed how in parallel the public at large has been able to falsely and confidently think it’s safe enough to do these things.
And I think the real one, as we were negotiating, should we or shouldn’t we do a funded project with Craig? I think he was very much interested in helping, and IST was willing to house it. They’re more famous for the Ransomware Task Force than for critical infrastructure, despite the partnership with you on this podcast and on the conference Critical Effect in D.C., bringing together OT/ICS folks and policymakers for mutual understanding and progress. So I think the trio of Craig being willing to put some money behind this, IST willing to house it, gave me the instinct that no single community should be blindsided by something like Volt Typhoon, which is fast approaching, and the whole, what do you know?
When did you know? It kind of is where we have an obligation to warn people, even if we don’t have perfect solutions, but I want to make sure that we respect the public enough to let them know what we know. We meet them where they are with their love language. We trust them enough to ask the right questions and do something.
With their local innovation and resources, this might finally reach beyond the public private partnerships to those target rich, cyber poor, that long tail, and bring them to the table. So I don’t know if I had to say it in 30 seconds. I was already sort of on this path for the neglected long tail target rich cyber poor, then the trio of the revelation of Volt Typhoon, being in a workshop with all the other non profits concurrently and seeing insufficient urgency, and then seeing that these disruptions like Change Healthcare can have a one to many, many effect if we’re not careful. And I just don’t want to exclude the public anymore. So I want to talk to owners and operators in the last mile, to municipal leadership that run these towns and cities, and to individual citizens if we have to, so that they can have more resilient households, towns, counties, and states, instead of just top down paper writing and hand wringing at the federal level.
Bryson: You framed the problem, what are we going to do? And even better than that, I know the product security team from Emerson listened to this. I know a number of folks who work substations at Southern Company listen to this podcast. I know a handful of academics and policy folks who listen to this podcast.
So not only what are we going to do, Josh, what’s your ask of them?
Josh: That last bit is the harder one for the current supply chain. So thus far, our project plan is easier to show visually, but for the first three to six months, we were doing the project planning, scoping, concept of operation, a whisper campaign to make sure there were no surprises, I call it the no surprises tour.
So if I’m going to go start talking to these four sectors. I don’t want the sector leadership to be surprised by that. I don’t want the sector regulators to be surprised by that. I don’t want the committees of jurisdiction in Congress to be surprised by that. So a lot of this was that no surprises tour, but we’ve really gone deep on this pilot for the nexus of water and emergency care.
That’s the scope of what Craig initially funded, the broader remainder of the project is supposed to pull in the other, of course, we’re touching all four, but this was really spending a lot of time with operators in water and operators of hospitals to find out how do you solve the bigger problem? And this isn’t maybe, say, a ransom. Let’s just take a threat model of if you were to map a dozen different towns’ architectures for where the water plant sits relative to the hospital. You know, we’ve unearthed from these workshops and private tabletop simulations that no water means no hospital in about four or six hours for some pretty stunning and clear reasons once you articulate them. But this is not a matter of we can tolerate a whole lot of downtime without significant loss of life to the community and crisis of confidence to boot. So what we started doing is mapping, okay, if this is our attack surface and exposure for the plant. What could an adversary do? How do you rank those threat scenarios?
And then we bring up novel things. I think a lot of cyber people think everything, you know, they’re a cyber hammer. Everything’s a cyber nail. But a lot of this was maybe, do you need to be connected? A lot of the communities don’t. If you have to be connected, what’s your internet attack surface on Shodan or Censys?
How might we harden that and buy down risk? But more importantly, when you start bringing up threat scenarios that are the most consequential for the longest period of time, it’s things like a water hammer. Most of the public doesn’t even know what a water hammer is, but with the access that many adversaries have already demonstrated, a sudden change in pressure on a line can have the force of a hammer, small, medium, or huge, to burst pipes and break infrastructure and allow ground seepage that, depending on where it is and how extensive in the hundreds of lines of pipe you may have, could be six plus months before you could restore water pressure to that hospital. So we’ve been doing the local work of identifying the archetypes and blueprints of what are our various exposure models, how you mitigate or eliminate some of those scenarios in cost effective ways.
And sometimes it’s adding cyber, sometimes it’s reducing complexity, sometimes it’s shields up, sometimes it’s connectivity down. And since no two communities are the same, we’ve been enumerating those blueprints and causing the tabletop conversations for the equities discussions so that the water people are there, the heads of the hospital are there, the city planner is there, and they’re talking through the most realistic scenarios and the most cost effective mitigations before the public has to even be worried.
Some of our thesis here is we’re going to engage the owners and operators first for the first six months or so, so they have a chance to go through their five stages of grief. Then we’re going to go to municipal leadership that has to broker between the power, the water, the hospital, the manufacturing, the food supply, the citizen.
And we’re going to do private conversations with them about what’s the worst that could happen and what’s the best things you can do. Are there available resources to bring to bear? Are there failure modes? Like installing the circuit breaker on the water line, something that can absorb a water hammer.
They exist, we just don’t deploy them everywhere. So could you prioritize certain services and service lines within your community to prevent the worst case outcome? So there’s things like that. And then the third mode, which I think you and I have debated at times, is do we owe it to the public at some point to let them know that we may have inclement weather coming and there’s things that they could do or questions they could ask at town hall, but the whole sequencing of this, at least at the moment, has been finding out the love language of each stakeholder group, giving them time to grapple with these uncomfortable truths, and ask their questions.
Give everyone a chance to be the hero of their story before intensifying the stakeholder, expanding the stakeholder pool and intensifying the interrelated dependency needs, but we want to make sure that water facilities aren’t flat-footed, towns aren’t flat-footed, citizens aren’t flat-footed, and at a time in which the questions start to flow, we have confidence maintaining and/or competence building answers to these questions.
This project has an incredibly low probability of success, and yet I do feel like we have a moral responsibility to not allow people to be blindsided, and everything else we do above and beyond that is hopefully equipping them to make intelligent decisions with the time they have and the resources they have. And then I’ll break there, but separately, you can’t just tell people about problems; we’re also trying to make much more available technical resources to assist them and removing technology barriers to give those people some tools, but I don’t think the answer is always more cyber.
I think thus far, most of the answers have been analog mitigations to these cyber exposures.
Bryson: The answers are definitely not more paper.
Josh: And I think you have seen we’re using some creative art budget as well so that we have, we don’t just have conference talks or podcasts or papers, but we actually make this visceral and visual and we engage their imaginations to understand just how interdependent and interconnected we are and how a failure on any one of these lifelines can have cascading effects across these lifeline.
So, the potential for harm is incredibly high, but we’ve done a very poor job storytelling and doing the narrative in ways that the public can understand, and I think we are experimenting and fuzzing to find the best way to get this information in front of them so that they are seeking help and can tell good help from bad help, and then armed with that information can make excellent local decisions.
And there’s messaging we have to those three stakeholders: owners and operators in the target rich, cyber poor; municipal leadership in every community in America; and individual citizens that have the ability to reduce their personal dependence and do something within their household. The UK government, for example, asked their citizens to have three weeks of water on hand.
We could encourage life straws and iodine tablets and water barrels and victory gardens and common sense easy ways to make sure that we’ll be okay while our community adapts to a disruption without being doomsday preppers. There’s common sense, good preparation people could do and good questions they could ask.
So those are things we’re asking the general public to do. In parallel, though, we call it helping the helpers be helpful, and we’re trying to get I. T. and cybersecurity professionals with skills that could be brought to bear to volunteer to help and to be a mentor or an advisor or engage with the local authorities in lawful ways.
Like we had the Cyber Resilience Corps in Michigan. You should talk to Ray Davidson about that multi year path if you haven’t before. There’s different authority in Wisconsin, for instance, in response to the National Guard. There’s a completely different way of doing it in Texas or Arizona. So we are kind of studying and aggregating all of these volunteer army that have direct assistance programs, and we’re putting them in one place.
Craig kind of encouraged a lot of his grantees to get better organized on volunteers. So we call it the Cyber Resilient corps, C O R P S. And it’s being co-run by the Berkeley Center for Long Term Security, CLTC. Sarah Powachek and friends. But also Adrian O’Gray, and the folks over at the Cyber Peace Institute, Cyber Peace Builders, had a technology platform that we’re expanding.
And the goal here would be anyone can volunteer to be of assistance on any cyber topic for any marginalized group or critical infrastructure or any cyber topic. And then we do matchmaking so that when someone needs help, they would know to go there and find out who’s willing and able to do which piece of the work in which part of the country within which authorities or rule without getting in trouble.
So we’re trying to accelerate and scale the volunteering. So if you’re listening as a practitioner, you want to make sure that your community is safe. That would be a good place to start. And then we’re asking a lot of the vendor suppliers, because I didn’t answer that part of your question. But the security providers that will need to be brought to bear, let’s at least reduce the free services from CISA and other places. There’s some free tools that GCA has aggregated, but there’s some things that need professional grade tools. And if we’d get those free, near free, at cost, heavily discounted for our nation’s critical infrastructure. Google and Microsoft, for example, give a lot of free kit to rural hospitals.
Let’s extend that instinct to make sure that if we do have professional helpers helping and they’re being helpful and they’re helping that they have the ammunition to do the job. While I don’t expect much from the federal government at this moment, just because even if we passed a law tomorrow, it wouldn’t matriculate in the time horizons for which we speak, irrespective of who won the election.
What we’re really asking of them is to do no harm and maybe use the power to convene and public hearings and public statements to put some pressure and oversight on the existing federal resources that can scale the assistance they already have. So they’ll play a supporting role. But in this particular case, we have a lot of inclement weather coming.
I hope it doesn’t, but we are exposed to active adversaries and even military enemies, and I’d like to do something to reduce that exposure and or mitigate the worst case outcomes that are about to happen. I’m hoping none of these conflicts go hot, but it should discomfort every one of you that in our appetite to connect everything to everything else, we have most of the nation’s water and hospitals and power to the last mile, pretty exposed.
So I think there’s a way for you to get to volunteer in a more effective way than in the past. And we want to, in parallel, equip you with recipes and playbooks that are truly helpful and not harmful or not window dressing. Like, we don’t want to just, you know, add a few little cyber things in the margins while you’re still exposed on Shodan and Censys.io.
The harder question, but one that bears asking, is the manufacturers, the heavy equipment people that sell into these operational environments. You play a role here too, and your life cycles are long, but many of you are using unsupported, end-of-life hockering systems. Many of you are guilty of some of the bad practices. Much of that is technical debt from before we knew better, but we know better now.
And a lot of that connectivity that communities have, they have in part because your contracts connected them to some cloud or remote administration. I’m not calling you villains. I’m saying that your technology introduces connectivity and risk. And I want you to be good stewards over the next few years that the connectivity you introduced is well managed, well modeled.
And if you have ways to harden and reduce that attack surface for these target-rich, cyber-poor, this is a good time to start asking how you might do so. So look at the elective risk that you’ve introduced in the system and maybe make it a bit more overt so that people have agency and choice as to how much elective risk they have.
We’re not going to go back to the Stone Age and disconnect everything everywhere. However, there’s a promise and a peril to all technology. You’ve been adopting and pushing these things for their promise, but we’re about to start seeing some of that peril manifest. And as good stewards and part of this ecosystem, we’ll see in the margins what you can do with your roadmap, with your configuration, with your install base.
To reduce any sort of elective exposure between now and when the shooting starts, there’s awesome responsibility that comes to those who build and deploy digital infrastructure. So use that power responsibly.
Bryson: All right, ready for the lightning round?
Josh: Sure.
Bryson: You could wave a magic, non internet connected, fantastical air gap wand, what is one thing you would change?
Josh: I’ve thought about this a lot since my last answer, and I encourage people to go hear that, episode two of season one, and compare. But I think my current answer is a bit from the movie Inception, like if you could put like one little idea in everybody’s head, what would it be? I think you and I and others know there’s a real cost to connectivity, that with great connectivity comes great responsibility, that promise and peril to connected technology.
I feel like if I could wave a magic wand, I would want every citizen, every individual, to know the cost of that connectivity, like just how dangerous some of those could be, because there is a time and place to use internet-connected remote administration, and there is a time where it is wildly inappropriate. Not a perfect example, but I asked a room of people at Venable who thinks carbon fiber is a strong and durable material, and every single person raised their hand.
And I said, is it appropriate for a submersible? Because that’s what the Titan submarine was made of, and the answer is no, right? So I’d like to get to a point where, back to that line, our dependence on connected technology should be proportional to how trustworthy and transparent that technology is and to the consequences we will incur if that trust is misplaced.
Software is a risky, weird material and we should use it deliberately where we know we can pay the cost to secure it. So if I could wave a magic wand, I want everyone to know the true cost and exposures to accidents and adversaries when you decide to add software and connectivity to things.
Bryson: You waved your magic wand. Now looking into the crystal ball for a five year prediction, one good and one bad thing.
Josh: It is currently 2025, so even if people think we have more time for the Taiwan conflict and we don’t bubble over with Ukraine or the Middle East, I believe we will have had a hybrid conflict in the next five years and we will have a demonstration of harm for just how much damage that over-dependence can be, just how much damage it can do.
And we will be humbled by that. And it will have a non zero body count. But I think while that could be, the silver lining could be that we learn the hard way how over dependent we are on our impenetrable things. My concern, my real concern is not the actual property damage or the actual loss of life costs, but the psychological costs.
As you and I lived through, it only took two buildings being hit and the Pentagon to have the psychological costs and effects to send us to war for 20 years and institute a whole bunch of policies, many of which we regret. So I think the cost five years from now is some people will have allowed unsound connectivity that pays a price on civilians and U.S. soil. And we have a teaching moment from that. But I do fear that the reaction to those failures could be as bad or worse than the failures themselves. So that’s the bad side. The good side, if the groundwork and the scaffolding that you’ve done, that the Cavalry’s done, that CyberMed Summit’s done, that our good faith partners on the Hill and in the White House have done.
If we have some shovel ready, more matured and advanced ideas at the ready, if we’ve started a lot of the right corrective fixes, these moments could be where we stop hand wringing and just writing papers and having tired debates and we start to realize that we should place obligations and liabilities on those in the best position to identify and buy down risk, that we right size the incentives finally.
Part of the reason we are defending indefensible things is our incentives have never been properly placed. And sometimes a crisis can be that moment that humbles us enough. What is the way we describe democracy? It’s the worst possible idea except for all the others. I fear that unfortunately it will take some of these high-consequence failures to get us there, but we will finally have the impetus to right-size incentives and place accountability onto the parts of our technology supply chain that can best identify and manage that risk, right?
We should do this economically and morally such that when you depend on a technology, it is dependable, and when you trust something, it is trustworthy. And for the most part, none of that will really happen with technical solutions. It’s going to happen with incentives. So my silver lining is we will finally start dusting off some of those decent ideas to properly size and place incentives.