[1:10] Exploring the Essence of Cyber Safety with Joshua Corman
Rachael: I'm so excited to welcome Joshua Corman. He is the Vice President of Cyber Safety Strategy at Claroty and the founder of I Am the Cavalry, a grassroots organization focused on digital security, public safety, and human life. Josh, welcome.
Joshua: Hi. Excited to be here.
Audra: Josh, you have an interesting background and I've read speeches and things you've been giving in Congress. I've been cyber-stalking you. But I just wanted to say, you have a fantastically interesting background. Do you want to share your background a bit with our audience?
Joshua: Oh, boy. I'm not a hacker philosopher. I'm a philosopher by training in the hacker community. I have systems thinking and I want to be a superhero. I just don't have superpowers. So I somehow ended up in public policy trying to advocate for where bits invite me, flesh and blood. I don't know how I got here. I don't know what I'm doing, but it seems to be working. But I try to be a protector and tackle a hard problem.
It's not even clear to me how I got here. But I think I'm drawn to high-consequence things, and my philosophy and systems thinking background gave me unique perspectives that aren't normally brought to this space. It's allowed us to have new and novel impacts as a result. I don't know if I answered your question.
Audra: That's all right. So, I'm gonna quote you a bit to send you in the direction of things I'd like to hear about. One of the things you've stated is that attacks on healthcare are increasing in volume, variety, and impact, with consequences now including loss of life.
The Nexus of Cyber Safety: Unveiling Patient Security
Audra: The candid truth is that you're more concerned about cybersecurity in US healthcare than you ever have been. The majority of healthcare regulations have been focused on the confidentiality of records. If I could say that. However, you say cyber safety is patient safety. Can you talk about this and really explain it? I like the sound of it, but I want to know more.
Joshua: Sure. Well, even beyond that, I founded I Am the Cavalry.org almost exactly 10 years ago. August 1st is our birthday. It was born out of the hacker conferences in Las Vegas. Besides Las Vegas, there was the family launch, and then we had the main stage at Defcon the next day or two later. We focus on where bits and bytes meet flesh and blood. The challenge statement I gave to the hackers, coming out of a grieving process before I lost my nerve, was that our dependence on connected technology is growing faster than our ability to secure it in areas affecting public safety and human life.
It's in our cars, our medical devices, power plants, high-speed rail, everywhere. I'm worried about where bits and bytes meet flesh and blood. Unfortunately, public consciousness wasn't there yet. So if the cavalry isn't coming, maybe it falls to us to do what we can do to be a voice of reason, a helping hand, try to use empathy, and build a coalition. With the coalition of the willing, we can reach those in safety-critical industries or public policy areas, making us safer sooner. We said we'll eventually figure this out and address harm, but we want to be safer sooner. If we work together, we'll be ahead of the curve.
Collaborative Solutions Across Sectors for Cyber Safety
Joshua: That included hospitals, healthcare, and we thought we'd start with cars since there are only 20 car makers. So my first public writing deliverable was called the "Five Star Automotive Cyber Safety Framework for Connected Vehicles." Because there are only 20 of them, but there are 10,000 medical device makers, and in the US alone there are 7,000 hospitals. These are obviously international problems as well. We thought we'd build our muscles and technique on the 20 carmakers. But, to our surprise and delight, there was an incredibly brave, courageous, and heroic hacker who didn't know she was a hacker at the Food and Drug Administration, Dr. Suzanne Schwartz.
She became and maintains the status of being one of the highest trusted, highest-impact collaborators of my life. We've done miracles together on a regular basis. So I think that biased me. In fact, a lot of folks think I Am The Cavalry is a healthcare initiative. It's not. We do tons with maritime, aerospace and aviation, high-speed rail, food supply, power, electrical, water, and wastewater. Wherever bits meet flesh and blood.
Audra: But how do you convince these different arenas that they need you? How did you convince the car makers like it? I have to admit, I've been around, in lots of different areas of security for quite a long time and sometimes pursuing, getting to market overrides, security. So how do you prove to them that they need you or they need to be thinking about what you're bringing to them?
Joshua: There's no single trick. We started with good heart empathy and our common cause and purpose. This empathy came from me being shattered from the loss of my mom and the impetus and thoughts of this.
Navigating the Realm of Cyber Safety Through Empathy and Unity
Joshua: I realise that it wasn’t shattered or broken. It was like enhancing authentic human connection and really speaking to the heart of the matter. Or to common cause, common purpose, and shared values. So I found that we couldn't just point fingers at past failures. We needed to be a helping hand toward future success. So I found out that we couldn't use our jargon and lexicon.
We had to learn theirs, meet them on their turf, where they are, and figure out some common language, and common priorities. And that wasn't the same for every industry or stakeholder. But it started with we have a burden to go the extra mile to understand what they care about. If I squint and zoom out, I love the question because I haven't thought of it this way. One of the early successful sentiments I gave my teammates was, there's a promise and peril to connect to technology.
Of course, I want this connected medicine, these breakthroughs, to save more lives, be efficient, maybe cure cancer, and stop stealing our loved ones from us. And if we're cavalier about exposure to accidents and adversaries, we could shatter the trust. It was a pretty key moment at the National Highway Transportation Safety Administration event. Congress was yelling at them, why aren't you listening to hackers?
They're showing you can hack cars. We don't want people to distrust cars. The opening speech from Chairman Rosekind at the time was pretty defiant. He seemed frustrated, he had to be there. He gave his impassioned speech compelling about how many human lives are lost every year on the roads to human error, human choice, and humans are terrible drivers. That's why we have to get to autonomous and semi-autonomous vehicles sooner.
[8:49] Empowering Trust through Cyber Safety
Joshua: Even if no one's ever been killed by a hack. And even if we're gonna save many more lives than we're gonna lose, and I'm in a room full of good faith hackers from Academia or Chris and Charlie were there, the famous guys that hacked the Jeep on the highway. When he was done, and he had gotten that off his chest, the room was quiet. I took the first comment and I said, sir, I absolutely agree with you. You're completely right and any exotic attack triggering a crisis of confidence in the public to trust those vehicles will postpone your dream for five, to 10 years.
He couldn't refuse my truth either, because sometimes the opposite of a profound truth is not true. Really what we're doing is integrating what they want to accomplish with what we know. So we have an unsized, unquantified, misunderstood risk. There's always a cost of benefit or risk reward. We want to integrate that, not supplant their cost-benefit decision, but enhance it. One of my first recruits, he didn't even see the call to action in Vegas, but Beau Woods is one of our first recruits and best collaborators for the duration of the last decade.
He helped take the automotive five-star that we had written. He wrote it as a Hippocratic Oath for connected medical devices, the same five things, but in medical language. His beautiful finesse was something along the line of doctors, nurses, and caregivers since the dawn of the profession already inherently care about do no harm and the preservation of life. And increasingly, technology plays a supporting role in the fulfillment of that craft and trade and profession.
The Core of Cyber Safety Advocacy
Joshua: Shouldn't your technology support and subordinate your objectives? So we just kind of couch these things, not in what we care about, but what they care about. Part of the answer here is empathy, doing the work, spending time among the people you're trying to work with, and influence, then finding a common cause, a common purpose.
Rachael: I love that.
Joshua: It's the hard work of trust-building. Not fear-mongering, but trust-building.
Rachael: Because there's always this desire for a one-size-fits-all right answer. That doesn't work, just doesn't exist, right? I love that thinking 'cause it's so critical if you're gonna make any kind of movement forward, particularly to your point earlier, the calculus is, we're gonna save more lives than it takes. But any loss of life is unacceptable. I guess, and well, for sure.
Joshua: Yes. Also that.
Rachael: I always struggle with that kind of thinking, we got to wait for the absolute bottom and death and destruction, then really take it seriously. It shouldn't have to get to that level. It seems like the tides are turning there. I mean, I'm talking like 10 years ago thinking, I love your perspective here, attitudes on that front are like, no, we need to get ahead of it. We need to be more preventive. Is the tide I feel that is coming along.
Joshua: Well, back to my philosophical roots. One of the lights, I don't even know where I amalgamated this from. But as a species, we tend to adopt technology for its immediate obvious benefits, but we're really bad at the cost-benefit analysis. The costs come later; they're less obvious. Take asbestos like we introduce asbestos on Target.
Balancing Convenience and Privacy: Navigating the Waters of Cyber Safety
Audra: There is a philosophy about that where humans flow like water. So if it's easy or appears easier, people tend to go in that direction. Technology has given us that, like how people give away their privacy through convenience. The convenience of my phone, well, I give away my privacy, location, and key details. Because it makes my life easier.
Joshua: Yes, sometimes not in good ways. Cyber asbestos was a term I used early on. Haven't used it in a while. But asbestos was pushed by underwriters laboratories because it was flexible fire retardant. It was a miracle. We didn't know until much later that it caused mesothelioma and cancer, and had to condemn schools, factories, hospitals, and the like. We're in a rampant adoption phase of everything. I know this conversation won't be about AI. I listened to that great episode you did with Casey John Ellis from Bugcrowd about this. But we're not just going faster than sound.
We're going at ludicrous speed; we've gone plaid. It's crazy how much we adopt. What we wanted to do was try to show, you can deliver the hard truth if delivered candidly or kindly. A lot of us sound like heretics. Even if you're right, you can be wrong. You can be right and still be wrong in your delivery. We've also had to take a long view. I told the team early, we have to be patiently impatient. I try to set their expectations. So we're gonna be tenacious and on goal at our mission, but we're never gonna steamroll somebody because that'll backfire.
Turning the Tide: A Journey Towards Cyber Safety
Joshua: What's that old proverb? If you wanna go fast, go alone. If you wanna go far, go together, or something like that. It's been a combination of these things, but the tide is turning a little bit. Sadly, it's because we had to have a lot of harm. A law professor, Andrea Ion, has been with me since before the beginning when I met her while researching Anonymous and stuff. When I was launching this, she said, Josh, everyone's waiting for a Cyber 9/11 or Cyber Pearl Harbor.
And not only are those offensive metaphors that trigger people, but it's also gonna be more like a cyber Cuyahoga. She told me about the Cuyahoga River in Ohio that caught fire and stayed on fire from pollution before we would do something about it. She said it didn't just catch fire once. This is about where the Rock and Roll Hall of Fame is, by the way.
She said it wasn't just once. It caught on fire multiple times and burned down bridges, factories, until enough was enough. Someone caught a photo that finally tipped consciousness, and the Clean Water Act passed, then the EPA shortly thereafter. But I did my research: it caught on fire, what was it? Like, 21 or 22 times across a 70-year period before people said, enough is enough. She was trying to set our expectations that you're gonna have to see harm reach a critical mass, and then you'll see political action. While I was at CISA, gonna talk about some of that. I went into emergency federal service when the pandemic started. I was asked to be chief strategist of what became the CISA COVID Task Force to protect hospitals, supply chains, and ultimately vaccine efforts under Operation Warp Speed and its successors.
[15:51] Navigating the Path to Cyber Safety Amidst Crisis and Change
Joshua: While I was there working on hospitals and the pandemic during that time period, if you look at the bottom of Maslow's hierarchy of needs, the things we need to survive as a species, food, water, shelter, safety, we had successful electronic disruption of water we drink, the food we put on our table, oil and gas pipelines fueling cars, homes, economies.
Schools your children attend, municipalities running towns, cities, federal agencies, timely access to patient care during a pandemic without quantifiable loss of life as a result. Stuff’s on fire. So that kind is blazing. When this happens, you start to see political will. In a bipartisan manner in the House, Senate, White House, the new office of Cyber, National Cyber Director, ONCD, traditional NSC, National Security Council – there's very unified recognition that volunteer-only, free market forces only taken so far. We cannot be cavalier about providing trusted, trustworthy, resilient food, water, shelter, safety, time, and place to use federal power.
The time is now. Trying to rebalance, reshape more trusted, trustworthy digital infrastructure. It's been a long road. I mean, my road on this started before Cavalry, but I don't want to get into the rugged software manifesto. But I started realizing software was becoming critical infrastructure, like steel and concrete, but not nearly as reliable. Yet, we're putting it everywhere. This journey's been long, and we are not out of the woods. Gonna get a lot worse before it gets better. But I think when you build trust before they saw the harm, then they see the harm, they turn to you instead of lesser ideas from lesser people with lesser motives.
Reimagining Cyber Safety
Joshua: They're still sabotaging, trying to prevent progress. But we're at the table in a way that I don't think we would've been without the hard work and investment so long ago.
Audra: Should we jump into a bit more? I'd like to dive into the current state of hospital cybersecurity if you're happy to do that.
Joshua: I'll give you a choice. My entire worldview got shattered recently. I could tell you how I see it today. Or I could show you how I saw it just before and then modify it with what's changed in the last two months. Which would you like?
Audra: To be honest, I'd love to actually understand how and why it was shattered. If you're okay with that.
Joshua: Sure. I told you before, I'm a philosopher hacker who's spent 25 years in the cybersecurity community trying to make sure people understood this. We invest properly. I still am gonna fight that cause. The latter one, I don't even know if I can do the first one I offered you. I'll make the minimum pivot to your desire here. This cavalry thing's been 10 years.
In the meantime, we started another nonprofit called Cyber Med Summit, where we work with doctors, ERs, and hospital administrators to show them experientially that introducing a compromised device into a clinical setting can have a loss of life. So we kill people in simulations. We've been doing the work to make sure people understood this. Pandemic, we got some proof of loss of life, both in our front-page Wall Street Journal article we could touch on, or some data science my team did at CISA.
The Journey to Mandating Minimum Cybersecurity Hygiene for Medical Devices
Joshua: But I've been trying to ensure we can finally get the political will to have mandatory minimum cybersecurity hygiene for medical devices. Technologies we depend upon for care delivery and operational environments of hospitals. In December, slash January, the omnibus package. Despite testifying last May for Senate HELP, the first loss of life to, in part, get enough political will to pass the PATCH Act. Which is essentially seatbelt laws for medical devices. Mandatory minimum cyber in statute so FDA can regulate safer medical devices in the future.
Some medical device makers did not want that. They spent a lot of money fighting against it. My testimony helped cinch the political will for the Senate side to fight like hell to get it squeezed into the omnibus bill. And they did. So it's the law of the land now. There's a story we may wanna circle back to on that. But that was a major milestone and accomplishment to make sure hospitals, large, medium, small, and rural can benefit from safer devices in the future. But then we wanted to shift to hospitals. Senator Warner was concurrently writing a paper called "Cybersecurity is Patient Safety" based on much of the work we had done together and events that had happened in the world and the pandemic work.
In the House, Robin Kelly of Illinois had been working for years, even before the pandemic, on some mandatory minimums for hospitals. But also a stimulus for small, medium, rural hospitals that don't have the finances to meet those minimums because they're the target-rich and cyber-poor. We thought, okay, there's a canary in the coal mine here that there's the political will to say no to industry, to lobbyists, and do the right thing to make people safe. Let's go to the hospital next.
Cyber Safety Imperative: Navigating the Path to Mandatory Minimums for Healthcare
Joshua: I've been on this journey really hard, and we see political will. The White House added to it, more evidence of harm in hospitals. So I was at this place where I think we're on a path, even though the private sector is fighting it, where we're gonna have mandatory minimums and fund it properly. We're gonna identify these risks and common connectivity. During my congressional task force for healthcare in 2016-2017, we said if you can't afford this, hospitals said, we can't afford it.
And I said, if we can't afford to protect it, you can't afford to connect it. They didn't like that much. So I tried to sound more like Stan Lee, and I said, okay, fine. With great connectivity comes great responsibility. And once you added this digitized care, you expose yourself to accidents, adversaries, and predators who have taken notice.
And since 2016, healthcare has been the number one target of ransoms worldwide. In fact, currently, I'm gonna say some uncomfortable things. Of the 16 designated critical infrastructure sectors, healthcare and public health, specifically the delivery of care within healthcare and public health, has the unenviable position of having more ransom disruptions, larger disruptions, longer disruptions, and the most life safety disruptions.
In fact, the other day, I just saw a report from IBM stating that the global average ransom, which in my opinion is the least important metric, was around four points something million dollars. But hospitals average around 11 million dollars. So they're also the most expensive of the ransoms. You don't want to have the most disruptions, largest disruptions, longest disruptions, and most dangerous disruptions. You don't want that position, but we do.
[23:33] Cyber Safety Crucible: A Harrowing Reality for Healthcare
Joshua: So here I am working on, and I'm getting to your inflection point, and it looks promising, but it's gonna be a hard fight. There are really two camps that have formed. There are those who believe we're doing the best we can, then there are those who know we aren't. That latter camp includes me, the Ed Summit guys, House and Senate in Congress, bipartisan ways, and the White House. We need a bigger boat. We're in very bad shape. So there I am cooking along, and you might be saying, okay, well, what shattered you?
Well, even though I knew this isn't the first and it won't be the last, sometimes you have to see it in print and have something acknowledged out loud. But St. Margaret's Hospital in Illinois closed its doors forever. And it's not the first rural hospital closure, we'll touch on that in a second, but it's the first officially cited ransom event as a contributing cause of its closure. And it's not even the majority cause. I mean, hospitals are strained, hospitals have been in a death spiral for a long time.
So in the course of confronting this really uncomfortable truth, I'm saying to myself, we're at record high financial strain. Most of the hospitals I talk to that are small to medium, where all these target-rich and cyber-poor, they'll tell you they have one to four weeks of cash flow on hand. That's about it. And then I think about it for a second, I'm like, we're on track for over 700. We've had over 700 ransoms on hospitals per year for the last several years. We're on track to shatter that record this year. A typical ransom can be six to 12 weeks in duration.
Unraveling the Shadows of Cyber Safety in Healthcare
Joshua: So if you've got one to four weeks of cash flow on hand and a ransom can go six to 12, the only thing worse than being down for six weeks is being down forever. That's not the shattering part. One of the reports I hope we touch on from CISA is we used a natural experiment to measure and quantify excess deaths after a very large impact on a state and region. So I know how to calculate these things.
What we know, I'm gonna say the next minute, I'm gonna avoid saying cyber. What we know from the New England Journal of Medicine article about heart attacks during US marathons is that if you have a heart attack, a 4.4-minute longer ambulance ride can have a statistically significant elevated loss of life or mortality rate after 30 days. So 4.4 minutes is enough to elevate the loss of life for the heart.
We know for strokes the golden hour, one to three hours, could be the difference in whether you walk and talk again, whether you're breathing. So these are time-sensitive issues that need proximal care. So 4.4 minutes can kill you for heart, four hours can kill you from a stroke. What if four weeks in the state of Vermont when it was down? So we were looking at proximal access to urgent care.
If you put a pin on a map and draw a circle around it or just the driving distance around it, let's say the non-cyber part for 60 seconds, I delayed it. So here you go, ready? Over the last five years, of the 7,000 hospitals in the country, 85% of them are small, medium, and rural. 15% of them are huge, okay? Of the small medium and rural.
Vulnerable Healthcare Ecosystems
Joshua: We have seen that they don't really invest in IT or anything like that. But what we've seen is they're the most financially strained and 200 of them have closed in the last five years from financial insolvency. When that pin on the map is removed, anyone that lives nearby and doesn't have proximal alternative urgent care is more likely to die from a heart, brain, car accident, gunshot, or whatever, because they can't get timely access to patient care where latency matters. On top of that, what's harder to measure is how many of them were financially distressed enough to be acquired into a capitalistic predatory M&A or merger and acquisition where they're not dead.
But they're on life support and they're gutted, they're strip-mined, they take the good nurses and doctors, they take the good equipment. There was a front-page story in the Wall Street Journal from Melanie Evans a couple of weeks ago about how maybe they're not shutting down. But they're canceling and removing lots of procedures. So if it's a latency tolerant thing, fine drive four hours, five hours. It's offensive to me, but it's not fatal. But if you need time-sensitive care and there's nothing for several hours away, a lot of Americans are gonna die.
This is not just a US problem, by the way. So I'm looking at this where 7,000 hospitals, maybe like 700 of them are either closed or on life support or in a coma, essentially, because they've been strip-mined. And that was before the pandemic. The pandemic made it worse. They couldn't make high-margin, high-profit procedures. Their beds were full. Many doctors, nurses, and surgeons retired, died from COVID, and died from non-COVID excess deaths that we studied, which were in the hundreds of thousands.
[28:38] Hospital Crisis: Cybersecurity and the Precarious Future of Healthcare
Joshua: So doctor and nurse shortages are leading to 200-300% traveling nurse premiums. So payroll went way up. The net result on the other end is, now that the pandemic is "over" and some of the monies and safety nets are gone, if you want to borrow to make up for your financial strain, lending is non-existent or unfavorable right now for small and medium rural hospitals. You might be wondering why I'm talking about all these non-cyber things. If you're already on the ropes and we're already losing hundreds of hospitals to closure and/or for-profit strip mining.
What if we have 700 more chances per year to hit that button that they won't recover from, which is you lock them up for more than the cash flow they have? And maybe you're wondering, well, isn't that what insurance is for? Except that most of the cyber underwriters lost money in 2020 and 2021. Some left healthcare entirely, some made it cost-prohibitive through what's called risk selection where they only insure the insurable. Some of the hospitals I worked with paid eight times as much for 50% of the coverage they used to have. So they're just in a death spiral.
And I have to ask myself, how do you make the powers that be in the public-private partnership in the federal government care about the cybersecurity of hospitals when they don't care about the existence of hospitals? It's not a defeatist tone, but like, is this a pimple on the ass of a terminally ill cancer patient? We are a part of the dysfunction. But the heartbreaking part for me is if we don't make them more resilient to these attacks, we could see elective closures of more hospitals where people live.
Cyber Safety: The Unseen Threat to Vulnerable Healthcare
Joshua: The idea of putting more cost burden on them when they're on their ropes just feels untenable. Back to the empathy thing, I feel for these organizations who can't afford to invest in more resilient care and can't afford not to. And as I've been escalating this, it's difficult to find anybody responsible for the strategic capacity planning of what we used to fund called critical access hospitals. There are 50-bed hospitals where we might otherwise have a care desert.
We've had closures, but not many additions. It just feels like something that got orphaned in the increasingly privatized medical world. I'm not making a social comment, other than basic human needs at the bottom of Maslow's hierarchy that keep us from being Lord of the Flies or killing each other are food, water, shelter, and safety. When we lack access to those basic human needs, bad things start to happen. My hunch was somebody in a strategic planning office, I just need to find their name. They probably expect this many closures this year from financial ruin. I wanted to warn them, there's a new variable in your formula of ransom disruptions that will affect it.
Sadly, when I went to the big hospital trade associations, they were indifferent to this. They think these hospital closures are good because they get to buy them. They believe they're better off in their care. And when I went to the public-private partnerships, they don't see this as an issue. They think the future is telemedicine or hospital in the home, all of which are true and valuable. Except you can't do emergency stroke treatment at home, and you can't do emergency cath lab for the heart at home.
Navigating the Precipice of Healthcare's Existence
Joshua: There's still a non-zero point of presence that has not been factored in. So I watch these pins on a map evaporating. With or without a cyber attack, I'm uncomfortable with the number and velocity of closures happening in the country. And I know Cyber can make it worse. I don't see the obvious critical mass path to fixing that, especially when we're fighting each other. When the real enemy is the scourge of ransomware, unchecked aggression, not just in healthcare. They're pivoting from food to water and wastewater, critical infrastructure.
If there are conflicts, we're prone to further disruption, not just by criminals, but by nation-state intent. I'd like to stop being overdependent on unreliable things. While we've had a decade of incredible success with unfunded grassroots volunteer hackers who want to make the world safer (and I don't mean idiot hackers), the attack density has gotten worse, and the dependence has gotten worse faster. We're reluctant to do the necessary things to regain and deserve that trust. I'm not sure if I'm answering your questions, by the way.
Rachael: And hate to do this, but we're at the end of today's podcast. To all our listeners out there, thank you for joining this week. For our new listeners, welcome. If you're enjoying the conversation, please subscribe. We're on all major podcast platforms. Until next week, everyone, stay secure. Thanks for joining us for the To the Point Cybersecurity Podcast, brought to you by Forcepoint. For more information and show notes from today's episode, please visit forcepoint.com/govpodcast. Don't forget to subscribe and leave a review on Apple Podcasts, Google Podcasts, Spotify, or Stitcher.
About Our Guest
Joshua Corman is Founder of I Am the Cavalry, a grassroots organization focused on the intersection of digital security, public safety, and human life. He was formerly chief strategist of CISA’s COVID Task Force, where he advised on the pandemic response, provided cybersecurity expertise on healthcare infrastructure, and supported control systems and life safety initiatives. Prior to CISA, Josh was SVP and chief security officer at PTC, where he accelerated cyber safety maturity across industries. Previously, he served as director of the Atlantic Council’s Cyber Statecraft Initiative, on the Congressional Task Force for Healthcare Industry Cybersecurity, and in leadership roles at Sonatype, Akamai, IBM, and the 451 Group.