
And Together We Crossed the River: A Decade of Change

BSides Las Vegas · 58:29 · 71 views · Published 2023-10
About this talk
Josh Corman reflects on ten years of the I Am The Cavalry movement, tracing the hacker community's evolution from criminalization and distrust in 2013 to positions of influence in policy and public safety. He examines transformative victories—from automotive cyber safety frameworks and medical device regulation to coordinated vulnerability disclosure programs—and confronts the movement's challenge to remain grounded in collective action rather than becoming a crutch.
Original YouTube description:
Breaking Ground, 09:30 Tuesday a decade of change Josh Corman

Transcript [en]:

Please join me in welcoming Josh Corman to give a talk about how we crossed the river together. [Applause]

All right, now if we can only get this to work again.

Hi. So, warning: I'm feeling a lot of feels today, so I'm not even sure where we're going to go with this, but we'll find out. I can promise you this: it'll be authentic. So I probably should explain the title, "And Together We Crossed the River," but I'm probably going to postpone that a little bit. So it was August 1st, ten years ago, after being rejected from DEF CON, that Nick and I offered a talk titled "The Cavalry Isn't Coming," and it was a conversation. It happened in this room, configured a little differently, and Banshee and Jack and Damon moved heaven and earth to make sure that this important discussion happened.

And after some circulation of "how the hell did this not get picked," Dark Tangent gave us the keynote stage Sunday morning a couple of days later at DEF CON, and I think we're still in one of the top ten talks of DEF CON, not because it was a flashy 0-day but because it really tapped into purpose and a North Star, and how important what we do could be to our families, our societies, etc. So I'm not going to... In the buildup to this I had several competing theories. One was: I wonder if I could give the exact same talk, and how it would hit a decade later. So I

want you to think back to... I'm not going to do that. I want you to think back to 2013, okay? I don't know where you were living, I don't know where you were working, I don't know what car you were driving, like I don't know what evokes your memory there, but people were pretty pissed off. There was a trend towards increased criminalization of research. "Hacker" was a dirty word. Snowden kind of shattered trust amongst the community, amongst govies. President Obama said, "I'm not going to scramble some jets for some hacker." There was a lot of concern and existential dread amongst the hacker community that year. I felt moved to do this for some very personal reasons, and when I went and watched the video yesterday, some parts hit me pretty hard, and things I remember saying in that room I never actually said in that room. So I might add some color and context today, and that will help make sense of why the talk is titled this.

But what I did say in the room is that our dependence on connected technology was growing much faster than our ability to secure it, in areas affecting public safety and human life. And after doing a whole lot of looking high and low in the government for the adults, there weren't any, and it was incredibly demoralizing to see that the cavalry isn't coming to save us. After researching Anonymous for a couple of years with Jericho, and being concerned about the rise of the personal power curve of the individual in a hyperconnected world, the corollary to that is: all right, if they're powerful, so are we. And if no one's coming to save you, it's also empowering, because then you know it falls to you: to you or nobody. So you don't feel helpless; you make a choice: am I going to fight or not?

So the call to action was: what are you willing and able to do? Can we be that voice of reason, that technically literate, honest broker? Can we be a helping hand instead of a pointing finger? Can we transcend the rockstar culture and the glory and ego culture, and instead try to solve real problems? And instead of bringing a pointing finger and anger, can we bring empathy and a helping hand? Instead of taking a tactical view of finding and fixing a single flaw in a single medical device from a single manufacturer in a big, contested public debate, could we hack the incentives so that all medical devices were safer? And we had no idea if any of this would work. I think I was feeling my most powerless and shattered when we made the call. And a decade later, why does the world

look different? So I don't know your personal touch point for ten years ago, but to bounce between then and now quite a few times: hackers are cherished in public policy circles. We have government officials here today. We have a DEF CON policy track. We have a Black Hat policy track. We have Hackers on the Hill. We have hackers in the White House. Hackers helped write the White House National Cybersecurity Strategy. Hackers have passed federal laws. Hackers have passed UK laws. Hackers have influenced transparency regimes across the globe. We went from a full disclosure mantra to now every federal agency has to have a coordinated vulnerability disclosure program. Now, that was not an easy journey from ten years ago, where hackers were increasingly criminalized, to having good faith research carve-outs for DMCA and CFAA and being invited to White House meetings and testifying to Congress. And I have no idea how we did it. I mean, we can give you data points; you can come to our track today and tomorrow and hear some of the success stories and some of the blueprints. But Beau Woods and I joked that if we ever wrote a book it would be called "We Have No Idea What We're Doing, But It Seems to Be Working."

But I think when we reflect on what worked and what didn't, something like this, something as transformative as this, could not have happened outside of the BSides family. Hackers are not a single tribe; we're a tribe of tribes, and sometimes warring factions. But this is the community that thinks of their place in the world, that wants to mentor others, that wants to give people their first speaking... I mean, the very birth of BSides was that first-time speakers could never break into the cabal of the gatekeeping of the Black Hat conference. We're hearing the same things over and over from the same-name rock stars. Yes, they're accomplished; yes, they're amazing. How do you get new blood and new talent? It's very hard to break through. So one of the spirits of BSides was to democratize that power instead of hoarding that power: to inform, inspire and influence and help and shape and cultivate. And only this community could have given us that refuge to ask this crazy thing ten years ago.

All right, I've been rambling. This journey for me did not start with this

talk. Some of you know this. I'm going to give a little bit of it, not all of it, a little bit of it. So there's a lot of feels in here for a lot of different reasons.

I had researched the rise of Anonymous and activism. I was concerned that this was a significant moment, that it was the front line of what happens when large groups of post-national youth opt out of social contracts and take direct action online. It's an emergent property of the internet. I felt that it eroded social contracts, because I'm a philosopher hacker systems thinker idiot altruist who spent way too long in the hacker community. But I was worried that it may inspire things like cyber terrorism, and it did. A Team Poison member from the UK named Junaid Hussain, a Pakistani-UK honor student from Birmingham, joined Team Poison, hacked Tony Blair's website, got arrested, went to jail, and in jail was radicalized. And when he got out, he moved his Anglo-Saxon punk rock wife and child to Raqqa, Syria, where he founded the Cyber Caliphate and was recruiting and inspiring physical attacks in the US and abroad and hiring hackers. And I was terrified at the concept of what someone willing and able to take human life could do with Shodan and script kiddie tools. And the answer is a lot.

So I kept these to myself, and I tried to find the adults in the room, and I tried to whisper to people in government, the intelligence community, and allies. And eventually, I'm going to skip ahead to what happened with him, but they eventually put him on the US kill list, and I think he was number four, the most dangerous person for our interests, and he was eventually killed by drone strike in Raqqa. But I was worried: in a world of 7 billion people, it doesn't matter what most of them would do; it matters what one of them could do, and it was way, way too easy to reach out and touch someone. So after successfully spotting false flags and predicting movements, the intelligence community said, "How are you doing this?" And we showed them how, and I got invited into Fort Meade for two days, and I got to pick five hackers. And I figured each one of them is really strong; maybe we can form the team of Avengers, maybe we can see what we could do.

And the goal was to help General Alexander figure out his attitude on different legislative proposals for cyber. There was no Cybersecurity Framework at the time. There was no Snowden yet; in fact, this never would have happened had it happened in the wrong order. But we brought Kaminsky and HD, Alex Hutton, Gene Kim, David Etue, and we answered some really, really important and hard questions, like: if you could add one sentence of legislation to have the most material impact on public safety, human life, and US critical infrastructure, and the hemorrhage of intellectual property from the US economy to China, what would that one sentence be? And it was

amazing to see their powers combined. Part of the feels is, you know, as somebody who's been gatekept and never felt like I had something to contribute, here I am talking truth to power to some of the most important people in the world, and trying to put on their agenda that we're worried that we could have mass casualties and loss of life in our food supply and our hospitals and our power grids. And I'm watching these people that are strong alone be so much stronger together. And that's all great.

But what else was going on in my life is my mother had had a stroke, and we knew she'd have some speech pattern things to fix. But in between day one and two of the most memorable moment of my life, what I thought was going to be the pinnacle of my impact on the planet, if you want to dent the universe, I go to my car, grab my cell phone: I had 18 voicemails saying, "I'm so sorry, Josh. I'm so sorry, Josh. I'm so sorry, Josh." And finally, when I got to my sister's, I figured out what they were talking about. Basically, it wasn't just a stroke; it was pretty aggressive brain cancer. So we knew that we'd be ending her life soon. So I sucked it up, went and taught a class, went back, didn't tell my friends, tried to do day two.

And we came up with breathtaking ideas and we answered all the challenge questions. And at the end of it, when we did our readout, the answers were: "We can't do that one. There's no statutory authority for that one. People would have to die first for us to try that one. You're absolutely right about this one, but good luck getting that through Congress." And basically at the end of the readout we couldn't do a single one of our transformative ideas, not even one. So it was both magical and demoralizing. And it was at the airport bar, when none of us spoke for probably 30 minutes, that I broke the silence and I said half of the answer here. I said, "The cavalry isn't coming." And we all got on our airplanes and we all flew home.

Now, meanwhile, I didn't have the answer to the other half, but we started hospice. My mom, 58 years old, trying to watch her die with dignity. It came to a point where we had to take her away from her home to my sister's house, more close by. And all she wanted to do, as a superintendent of a school district and a very active member of her church, was to say goodbye to her friends one last time. And, [expletive] luck, it happened to be the Sandy Hook shooting weekend, so

she didn't even get to say goodbye to her friends, because everybody was shell-shocked: all the teachers she was responsible for, all the students, everyone's afraid. So for hours in that church we just heard her preacher say, "Why is there evil in the world? Why is there evil in the world?" And I just remember being angry and hurt. And I'm watching my little girls afraid to go to school. I'm watching my little girls hug their grandmother who's dying. And it was, you know, one of the most gutting, at-bottom moments of my life. And then we fast forward, and we're hospicing her for a little bit longer. She dies in January. I have to go back to that church. I have to walk back into the place where I last felt angry. Thank you. [Applause] Jack.

I have to walk back into that place where I felt angry, and I don't like to be angry; I want to be constructive. So I had to metabolize that. And somewhere between walking in the front door and getting to the stage to give the eulogy, because I was her oldest, I realized: okay, my mom got to be my seventh grade science teacher. She was a phenomenal teacher. Somebody got hurt; it shouldn't have been allowed; they had to make an exception. And of the many things she taught me: darkness isn't a thing, it's an absence of light. Cold is not a thing, it's an absence of heat. So maybe it's not the presence of evil but the absence of good, and maybe that's why I was so angry the last time I was there. So I asked her family, her friends, her parents, her siblings, her grandkids: what is the absence of Marie? And I didn't have an answer. I just looked at them and I said, "We don't get to find out, because it falls to us to do what she was doing."

Now, to get to something hacker-related, I finished the sentence in my head: if the cavalry isn't coming, if something's missing, it falls to us to put it there. So I didn't know if it would work. I didn't know if anybody would say yes. I didn't know if we'd have a single accomplishment. But I knew it was worth trying.

Okay, so the song. I was shattered. I was given the keynote at BSides San Francisco and I had nothing in the tank. And Jack, my brother who just gave me a hug, he had to scoop me off the emotional floor and take me to wine country at the end of this RSA week. I couldn't even speak; we just played music. Couldn't speak. I didn't know if I'd stay in security. I didn't know if I had any energy left. And that Puscifer song came on. "The Humbling River" is where this is coming from, and

the whole idea of "The Humbling River" is this guy can conquer everything: climb the mountain, win the war, do all these things. But there's one river he can't cross, and over and over he tries and he's humbled, because he cannot cross the river. And as I'm listening to it, feeling shattered and powerless, and that I've done everything I can and I don't see a path forward, there's a twist in the line at the end, and it says the hands of the many will join as one, and together we'll cross the river. So I didn't know what to do, what to call it, but I'm like, all right, I'm not done. We've been doing this as solo artists; let's see what we can do as a team.

So I'm not doing good on time management. I told you I had a lot of feels. But that different approach, where we weren't looking for permission from rockstars, where we weren't looking to point fingers or have combat, where we weren't demanding something but we were offering something, had transformative results. And I'm not going to show everybody's face or everybody's name, but I asked Nick initially, Nick Percoco, you know, if he'd try this crazy experiment with me. A law professor, Andrea Matwyshyn, had been coming to Las Vegas a lot during the rise of Anonymous and DEF CON; she helped nudge me during THOTCON the prior year. Space Rogue, whose cold dead heart had closed off, started saying his heart grew three or four sizes that day. So Space Rogue kind of became... yes, that's a huge boot full of beer at THOTCON. No beard, you might not recognize him. But, you know, we're talking about what did and didn't work with L0pht, and maybe could we try something like that again. Didn't even know Beau Woods. Beau missed my talk; he was giving a talk on how to dodge US tax codes by being a digital vagabond and traveling the world. Didn't even see the call to action, and has become the first and most dedicated and longest-lasting recruit that has helped to change the world.

That's because, by the way, you know, we met people like Craig Smith, who wasn't the Chris-and-Charlie rockstar hacker but had written more tools and democratized more access and helped start the Car Hacking Village. We traveled the world, got swarmed by camels. We thought that that was our last dinner there, on the left. We started entering the halls of think tanks in DC as secret invaders. He became Dr. Horrible to do the Biohacking Village. We eventually ended up, you know, briefing inside the White House on more than one occasion, because they started to realize they needed help. So people that were afraid of hackers a decade earlier are now

completely embracing us. Jen Ellis was starting her own thing. She also didn't see the talk, although she knew I was going to do it. She was over at Black Hat trying to say that hacking is First Amendment protected speech, and she was deeply concerned that her friends might go to jail, and she decided she had to do something about it. So she started on her own journey to try to reform CFAA and DMCA, and very quickly we combined forces. We started investing in junior staffers. This is one of two. This is Nick Leiserson; he's been here. This is one of two congressional staffers that first year with a computer science degree. Tomorrow you're going to see the other of the two, Jessica Wilkerson. But we built trust with junior staffers that most people would have turned their nose up at. That man is now running most of ONCD, the Office of the National Cyber Director, in the White House.

More Jen. Some of these became family. Jen was my best man at my wedding last year, August 3rd. Jack married us. Not me and Jen; my wife does not like her photo online. But Jack has been a brother, and often the one picking me up off the floor when I'm emotionally shattered. I have a lot of feels, lots of hugs. We're going to make the calendar for charity. We befriended sitting congressmen. We brought two sitting congressmen to DEF CON 25, bipartisan: Will Hurd of Texas, who's now a presidential candidate, so I've had shots with a presidential candidate, and Jim Langevin, who ardently fought to advance cybersecurity in the Congress. He founded the Cyber Caucus in the House. He drove the formation of CISA. I want to remind you: we are ten; CISA is five. CISA was in part fashioned after some of the Cavalry mission, to do defensive work for critical infrastructure, for cyber-physical systems. And he helped birth CISA, the Cyberspace Solarium Commission, and fought to the end of his... he just retired, but to the end, to advance hacker rights, coordinated disclosure, and has been an incredible teammate.

We befriended hackers who grew up going to DEF CON and became physicians, and we started cybermedsummit.org, a nonprofit to do ER hacking simulations and crisis simulations with doctors. We worked with patients like Marie Moe, who was both a cryptology PhD hacker and a heart patient, who engendered empathy and gravity when we tried to reform public policy. We befriended nurses like Molina, Internet of Dongs, international hacker celebrities like Karen, who'll be here. Billy Rios, who hated this idea at first, and was the one doing the prolific research and angry with the FDA, learned that coming to the table and finding common cause and common purpose took his previously ignored research and

caused the first recall in history of a medical device for cyber reasons: an unmitigated pathway to harm. The prior standard of care was somebody had to die first; there'd be proof of harm, and enough proof of harm to merit a corrective regulatory action. But we convinced them that in cybersecurity an unmitigated pathway to harm was enough, and nobody had to die first.

Mike left his own company to go to GE to make medical devices safer, because he heard the call. And he led, and he built teams, and he mentored people, and he trained staff, and he led by example. And when he thought he'd done as much as he could and went to look out, he heard a talk after our congressional task force, and he's like, "No one's going to fix this; I've got to fix it." He started Scope Security, left his career again to put his neck out and advance medical, and was also, like Jack, one of the people that picked me up whenever I was defeated.

Dan was there before there was a Cavalry. Dan stepped up behind the scenes, in front of the scenes, whenever we needed him to, and he reminded the old-school hackers that were sabotaging us and backstabbing us and gatekeeping us: it's not about us, it's about them, it's about the people. True hero and a huge loss. Damon has not perished; Damon has been a supporter. I feel happy. I'm just going to rifle through a lot of this. We had quasi-govies like Art Manion. We have our honor roll of government hackers who helped us save the world, like Allan Friedman, who's here. Not only did Allan help on SBOM and IoT labels, but also on coordinated vulnerability disclosure. And had we not suffered the slings, arrows, and attacks from some of your historically favorite rock stars, we would not have had carve-outs in DMCA and CFAA. We had to normalize and demonstrate value for coordinated vulnerability disclosure. So Allan continues to take up the unpopular, sexy, controversial topics and make them boring for govies. Leonard Bailey from DOJ specifically wrote the prosecutorial guidance that if you feel like prosecuting a researcher acting in good faith, don't. Suzanne Schwartz, who will be here tomorrow, has been an incredible hacker; she even made her hair purple at one point. She has demonstrated bravery head and shoulders above any others, and every time she had a victory

with us, we were able to use that to put pressure on other regulators, other executives, to do what she was doing. So she set the pace as a sprinting partner for this. And our greatest achievements, besides decriminalizing research, have been in medical, and specifically because of her and her teamwork and partnership on changing the world. We had some media partners. I only grabbed one, but Laurie Segall put us in Time Magazine, did two CNN documentaries, on hero hackers and on the rise and fall of cyber terrorism, and just took the time to lean in and make sure that the stories were told well.

Sounil Yu and I... he's going to be your keynote tomorrow. Sounil is one of the smartest men alive. Bryson always reminds me, right in front of me, that Sounil is the smartest cybersecurity person he knows. We got invited this year to the UN General Assembly in January, and it was the most surreal thing I can explain. I had world leaders, introductions of introductions of introductions, and every one of them, with some accent to some degree, said something like "our dependence on connected something-something is growing faster than something-something in areas affecting public safety and national security something-something." And I had this oscillation of incredible pride and validation and incredible crushing defeat that we wasted a decade, and then said, "But at least they're getting it now." But then realized, oh no, they're going to go for information sharing first. And then I just kind of threw my script away, and Sounil and I just spoke from the heart, and hopefully we've saved them another decade of wasted time. But like, we have... this community is finally, a decade later, in the international security mindset. And of course our celebrity member, Dwayne "The Rock" Johnson. That's a joke. He did say that, and he spelled it correctly.

So my biggest regret about the Cavalry is the name. No, but seriously: not only is it always spelled "Calvary," because it's a real word, where they killed Jesus of Nazareth, a completely different tone than "cavalry," but also, you know, we've lost something in the last ten years. "I Am The Cavalry" was not Josh. It was not Beau. It was not Jen. It was not the thousands of volunteers. It wasn't the early adopters like Adam Rand. It was meant to be something you said, like this was your personal commitment. This is not a spectator sport. And while we do love the praise or the thank-yous we get sometimes, what we really want is your participation, because some of the biggest contributors were not elite hackers; they were nurses, they were policy lawyers, they were junior staffers. And in the last ten years I

fear we may have become a crutch. So as I asked myself at the ten-year mark: what do we do with the Cavalry? Is it mission accomplished? Did we succeed? Can we end it? Do we transform it to solve the new missing pieces and take on a new mission or two? Or do we combine it with other initiatives to get to critical mass? In the last decade we've not taken a penny of funding. It was a choice, often debated, but I wanted to be free of any sort of appearance of conflict, or any way for someone to ad hominem and dismiss our efforts. How am I doing on time? Terribly, right. I don't know what that means. Five minutes? Oh my God. Okay, so we're not going to do what I intended to do.

Okay, so verbally, here's some accomplishments. Okay, and this is not a Josh thing. We did this. We crossed the river. Okay, we said we focus on wherever bits and bytes meet flesh and blood, and that meant any cyber-physical systems. We started with cars. We published a Five Star Automotive Cyber Safety Framework on our first birthday. It said: all systems fail; you should avoid failure by having safety by design to avoid failure; coordinated disclosure to take help avoiding failure; capture, study, and learn from failure; prompt an agile response to failure; and contain and isolate failure. A year later we did a Hippocratic Oath. In that same year we got the first ever recall, and nobody died, because of the trust we built. We put pressure through Congress on NHTSA, the National Highway Transportation Safety Administration, to try to regulate cars similarly. She changed the premarket guidance for bringing medical devices to market to start requiring cybersecurity things. She later changed the postmarket guidance to encourage coordinated vulnerability disclosure, gave them an incentive that if you have a coordinated disclosure program and you can mitigate your issue in 30 to 60 days, then we won't give you a recall. There's a little more to it than that.

That work engendered enough trust that when the nation asked for a congressional task force on healthcare, I was the one and only hacker named to that 21-person task force. We told Congress this is not about your HIPAA privacy. I love my privacy; I'd like to be alive to enjoy it. And we essentially pivoted them from a data privacy regime to a patient safety regime. We started that task force with the first dramatic attack on US hospitals. It was Hollywood Presbyterian Hospital in early 2016: shut down patient care for a week. They had to cancel surgeries, divert ambulances to nearby facilities in LA traffic. It was harrowing; people may have died, but they didn't measure it right. And we ended the task force with Wanna-

Cry shutting down 40% of UK hospital healthcare delivery. So we were trying to add gravity to encourage tighter collaboration with us. And we're going to skip a bunch of stuff in the middle, but the Mirai botnet happened, and it showed that even cheap consumer IoT stuff could shut down the internet for a day. So it was unpatched, internet-connected, unpatchable, with default passwords. And Senator Warner spent hours with Beau and me and crafted this, the IoT Cybersecurity Improvement Act of 2017, which failed thanks to lots of lobbying. But in the following Congress, during the pandemic, it was reintroduced in a watered-down way, and in December of 2020, while I was at my low running the CISA COVID task force, it passed into [expletive] law. Hackers passed a [expletive] law. [Applause]

Also, when the globe hit a pandemic, some of you don't even know I did this, and I have scars for the rest of my life from doing it, but Director Krebs of the newly minted CISA, fashioned in part in our image, when the pandemic was declared, he called and said, "Do you want to serve your country for a year?" I don't know what you do when you get a call like that, but I became the chief strategist for the CISA COVID task force, and our job was to protect the 7,000 hospitals in the country during record-high ransom activity, from a larger volume and variety, and record-low supply chain resilience. And then we got asked to protect the vaccine supply chains. So I did that for 18 months to the day, and a bunch for free on both ends, and I'm kind of traumatized. But I'm going to give you a hurricane tour of a couple of things. Those are the good news, okay? Don't make me forget the patack before he gives me the hook.

Okay, here we go. The idea of the Cavalry is no one's coming to save us; what are you willing and able to do? Generally speaking, whenever I testify I say something like: we are over-dependent on undependable things in areas that can cause loss of life. Over-dependent on undependable things. Some context: many of the cyber-physical systems that are exposed are what I called, at CISA, and now it's one of the best things we've ever done, by the way, is hacked the lexicon, the number of things coming out of public policy officials that we uttered. You hack the lexicon, you hack the world. You've got to change their mindset and reframe things. So one of them was called "target rich, cyber poor," building on Wendy Nather's classic "living below the security poverty line." This was a phrase they could stomach, and the idea is forever bad guys

targeted The Fortune 100 and Fortune 500 why that's where the money is and forever the RSA conference floor and the black hat conference floor would Target the same people because that's where the money is ransomware changed everything because the unavailability of anyone can be monetized so adversaries figured out how to monetize The cyberport Defenders still have not and the result of that is we are seeing disruptions on a regular basis at the bottom of Maslow's hierarchy Food Water Shelter safety so when we started the Cavalry I was worried that things were flammable and I wanted people to see that hacking is not just [ __ ] credit cards it's not just [ __ ] privacy it is Public Safety

human life and during my time at sisa we had successful hacks of the water you drink of the food you put on your table of the oil and gas pipelines that fuel your economies and your supply chains of the schools kids attend to of the municipalities who run towns and cities of federal agencies charged with National Security and of timely access to Patient Care during a pandemic with now proven mortal consequences my team published proof that Ransom attacks strain hospitals sufficient to lead to loss of life the federal government is broken this is 16 silos of designated critical infrastructure written by PPD 21 doesn't don't read them there's 16 silos they act like silos each one of them has

an owner in the federal government a sector risk management agency each one says stay out of our lane why are you in our lane this is our lane even though risk is inherently cross sector there's military grade enforcement and as a hacker in a federal government during the pandemic we broke down every wall and barrier we could and I got the scars to prove it but it's not built for collaboration each one has a public private partnership which usually means a really dominant private sector tells us tells the SE the government don't regulate us and a really weak sector risk management agency says okay but that's changing then came sisa sisa was like hey you guys should not compete with

each other to hire and train and retain cybersecurity talent and physical security talent, so they became a shared workforce. They also said, hey, you can't manage risk at the sector level, you need to do these 55 National Critical Functions. I'm not going to explain them; one of them is Provide Medical Care. Can you get timely access to care when you need it, where you need it? Well, in the before times, we learned from our empathy that a 4.4-minute longer ambulance ride during a marathon had a statistically significant mortality rate. So a 4.4-minute delay is enough to lead to loss of life for heart. We know from strokes that there's a golden hour, or

golden hours, at one, three or four hours; time is brain, it's the difference of whether you can walk again or talk again, if you breathe. In our congressional task force report, we said healthcare is in critical condition, published Mother's Day weekend of 2017. The hospital says we can't afford to protect it, we don't have any money; if you gave us another $5 million we'd hire more nurses. And we said you both can't afford to protect it and can't afford not to, but they didn't get it. So we said... until they said, until people start dying, we're not going to listen. So we did what good hackers do, and Christian Dameff, Jeff Tully, Beau and I

started CyberMed Summit. We started killing people in ER hacking simulations, not for real, and we knew that, but during the pandemic everything changed. Okay, so I did not make this graphic, my friend Ben did, but when we went into the belly of the beast, for, and Bokim as well and a couple other hackers, we had to secure the vaccine supply chains, protect hospitals. I'm going to skip the ball bearings stuff. Protect hospitals: generally speaking, hospitals and stakeholders want to keep people alive. How do you do that? You need carrying capacity. How do you get carrying capacity? It's three S's. This is how they see their world; we have to meet them where they are: space, supplies and staff, such

that if you have a 100-bed hospital, you don't have 100 beds of capacity. That's your space. If you can only staff 80 of those 100 beds, and if you only have supplies for 60 of those 80, you have a 60-bed capacity. So it is the coefficient of the 3 S's, and that's all they want to spend money on, especially under financial constraint. But I tried to enhance that and enrich that, because as we tried to keep people alive during the pandemic, at the one-year mark of the pandemic 150,000 people died from excess deaths from non-COVID conditions, and my instinct was, I'll bet you these are time-sensitive, like heart, brain and pulmonary, and unlike the 500,000 COVID deaths, these

were young people. The fastest growing demographic was 25 to 44 year olds, young people who would have lived but for timely access to patient care disruptions. So I enhanced their model and I said it's not just keeping people alive. What are the latency-sensitive... think like hackers: what are the latency-sensitive things where minutes or hours are the difference between life and death? And also, they didn't realize this, but the medical technology is a force multiplier of staff. A neonatal intensive care unit nurse in 1990 could handle a single-digit number of babies concurrently safely, but armed with a bevy of modern technology they can handle 15 kids at a time through remote monitoring stations. So if the technology is a force

multiplier of the staff, then the unavailability of that is a force divider, and what they couldn't understand is that unavailability dramatically affected patient care for the most time-sensitive and urgent care, which is exactly what happened in the first proof of loss of life. On October 1st, this is not the baby, but October 1st of 2021, the front page of the Wall Street Journal revealed a court case that's ongoing where a baby lost their life in Alabama when the hospital was ransomed and the unavailability of technology compromised the quality of care, and the nurse-to-patient ratio is sufficient; the baby subsequently perished. In this neonatal intensive care unit there are more than a dozen connected technologies

that are vital to the delivery of safe care for those patient-to-caregiver ratios, and when they go away it affects the patient. On the very same day, with a named victim of a cyber incident, we published the first statistical proof of loss of life using data science. I'm not going to do the data science now, but basically we saw strong positive correlation between excess deaths and ICU bed strain. So when hospitals got over 75% nationally of their ICU strain, you saw 18,000 dead Americans two weeks later; if it got to 100%, you saw 880,000 dead Americans. So when we say we care about saving lives, this is where the rubber meets the road, folks, and unless and

until policy makers could understand that a cyber disruption can strain a hospital sufficient to lead to loss of life. So we took this measurement that has nothing to do with cyber and we applied it to a state hit hardest by ransomware, and in the same state, with the same population, adjusting for hospital type and size, we could see that the affected regions achieve these excess-death stress levels sooner and stay there longer than their peers, and could quantify minimum, maximum and most likely loss of life, corroborated by state-level data. So now we have the first named victim and the first statistical proof of life, and we can go to Congress and tell them you've got

to do something about this, and they have. So this is a hot mess, don't try to study it, but basically what we realized is to provide medical care, it's not just HHS and their public-private partnership; they depend on other critical functions from other sectors. And if you take away water, you don't have a hospital anymore; you take away power, you don't have a hospital anymore; you take away supplies and transportation. So back to Maslow's hierarchy, what we realized is the way the government, and not just ours, the UK and Australia, they're all listening to this new framing, is that when everything's critical, nothing's critical. So we have to stratify, so one way I did it is latency sensitivity: if

you shut this critical function off for 24 to 48 hours, does anybody die? And what you end up with is less than 10 of the 55 are latency-sensitive enough to lead to mass casualties. So these are some of them, poorly plotted, but Provide Medical Care is probably the most important of all, and they depend upon each other, so any disruption in any dependency could affect your ability to provide medical care in a region, and as people suffer excess deaths, it's cutting into the workforce that allows those things to stay resilient. So it's a positive feedback loop with negative consequences, and because of these uncomfortable truths, PPD-21, or Presidential Policy Directive 21, which is the Obama-era definition of

the 16 critical infrastructure sectors and the shared responsibility models, is not getting a refresh, it is getting a rewrite, informed by hackers and systems thinkers, and hopefully we'll start to look at cross-sector risk. But the overwhelming majority of those things I just pointed out are target rich and cyber poor. They don't have CISOs, they don't have security budgets, they don't participate in public-private partnerships, they don't have someone to send to an ISAC or the money to pay for one, and Em is going to talk about some of these target-rich, cyber-poor in the talk to start the Cavalry track. But with each wave of the pandemic we were further cutting into the workforce, so

hackers gonna hack. I'm skipping a bunch of other stuff here, but some of the leave-behinds, so that we can live off the land later, is: I said screw uttering best practices, and just do zero trust, and just do n... we need to talk about the bad practices. So we named three bad practices, things like: the use of unsupported and end-of-life operating systems in service of critical infrastructure and National Critical Functions is dangerous and materially elevates risks to public safety, economic and national security, and human life. This dangerous practice is especially egregious on internet-connected technologies. In other words, if you're using an end-of-life operating system on Shodan, it could lead to end of life of

humans. So we wanted these things to be negligent. Number two, I couldn't say [ __ ] and I couldn't say Shodan, so instead of saying get your [ __ ] off Shodan, we published Get Your Stuff Off Search. So if you have zero security people, at least get your [ __ ] off Shodan; see what your adversaries can see, because often that's enough to disrupt things. The most important vulnerable weak link in the vaccine supply chains for four of the candidates was a single sole-source manufacturer on the planet. They had one plant, three IT people, zero security people, and they were all over Shodan. You could have sneezed on them and killed another couple million

people. So we might feel good about our public-private partnerships; we have neglected the target rich but cyber poor in ways that could affect your life. To their credit, CISA finally accelerated and started publishing the KEV list, the Known Exploited Vulnerabilities list, that takes, out of all the CVEs ever written, 3% ever get exploited, and they winnow it down to the ones that are known to have caused harm in critical infrastructure. You should be living by this, not CVSS stuff. They also made the CPGs, the cyber performance goals. The White House really liked my bad practices and really liked my crawl-walk-run kind of Get Your Stuff Off Search, and said what do you do after

that? So this is 30 of the 400, 30 controls, of the 36 controls of the 400-page NIST cybersecurity framework, because 10 years after the voluntary cybersecurity framework, what's been clear is most owners and operators of critical infrastructure have volunteered to ignore it. So if you can't do all of it, do the crawl stage of crawl-walk-run. I've been pushing transparency and SBOM, saying SBOM's coming; it's here. The PATCH Act is an acronym, but in early 2022 Congress, in a bipartisan way, introduced the law saying we need mandatory minimum cybersecurity requirements for all FDA-approved medical devices. The lobbyists lost their freaking minds, but part of why they did it is we

are starting to see losses of life, and we need to preserve the trust and safety of the public. So it was introduced in a bipartisan way and passed almost unanimously in the House. It was almost dead on arrival in the Senate because of millions of dollars spent to kill it. In May of that year I testified to the Senate. I considered playing that five minutes for you, but the job was to convince one particular holdout senator if he should fight for this or not, and even though all the PATCH Act was stripped out of all the legislative vehicles and it should have been dead, in December, while I'm on my belated honeymoon with

Audie, he fought his ass off and he got it stuck in the appropriations omnibus bill, and the PATCH Act is law of the land. Hackers passed a second [ __ ] [Applause] law. This was a team effort to be sure: Kevin Fu's original work, the FDA's courage, Hill staffers, Beau, lots of people; this village raised this child that said you cannot bring a medical device to market anymore if it is not patchable, if it does not have a coordinated vulnerability disclosure program to work with good-faith hackers, and if it does not have a software bill of materials and threat models and a bunch of other stuff. So it won't fix the legacy problem we have today, but

going forward, large, small, medium, rural hospitals will have more safe and defensible things. Hackers helped write most chunks of the White House National Cybersecurity Strategy. Senator Warner is doing it again: he wrote a paper that said cybersecurity is patient safety, and he's intending to introduce regulation on the hospitals who are too fragile to care. So what we have to do, what the hackers have to do, is ask how do you take the fact that for the next 15 years, no matter how much help and regulation we push, hospitals are going to be routinely ransomed. They're going to successfully be ransomed for the next 15 years. So one of my analogies is, after 9/11 we

recognized you can have hijackers get on a plane and turn the plane into a missile, and we did a lot of stupid [ __ ] as a country and as an AAL community in response to that, but one of the smart things we did is we added steel-reinforced cockpit doors. So they'll get on the plane, they won't get in the cockpit, is the idea. So I've been asking, what are the steel-reinforced cockpit doors of hospitals? What things, if you shut them off, could lead to loss of life? It's the electronic medical record system, it's heart, brain and pulmonary. We also have to ask what's the regional impact of the 7,000 hospitals in this country: if a hospital goes down

here in Vegas, there's another one within driving distance, maybe, to not have loss of life, but if a hospital goes down in the middle of rural America you're probably going to see elevated loss of life. So which systems are too isolated to fail? Unfortunately they're failing in droves. So I've been asking how can the hackers help here, not to hack things in hospitals, but the things that are truly connected to loss of life or national security resilience. Same thing for the food supply. Hackers are turning to the food supply; while you've probably seen a dozen hacks like JBS or Pilgrim's Pride, Dole or Americold, the newly forming ISAC for food, because we've never had an ISAC

for food until now, because we didn't care about food, they've tracked over a hundred successful electronic compromises in their database. So we want to see what's the food supply, because like the healthcare supply, the food supply depends on chemicals, on water and wastewater, on cold chain, on electricity, and you're going to hear about Hungry Hungry Hackers from Sick Codes and Casey John Ellis, and you're going to hear about it from Paul Roberts; you're going to hear Water Water Everywhere after that. So I'm very concerned about these: water, food, electricity and emergency care that are target rich but cyber poor and geographically isolated, that if disrupted could lead to loss of life or

loss of food supply. So the idea here is maybe one of the futures for the Cavalry is focusing on these target-rich, cyber-poor basic human needs like food and water and shelter and safety. Okay, I'm basically getting the hook. I'm going to stop that line of thought and tie this up. I'd like to tell you... I'd like to tell you a tale of victory. I

can't, because while I thought the Cavalry could end and we could say we did a good job, I thought I could tell you that, I thought I could say well maybe the Cavalry should transform, maybe we should just focus on food and water and electricity, and that's what the track today is about. And then I said, well, but if I spent the next 10 years on hospitals alone, I'm still not sure we could succeed, because it's one thing to get the medical devices safe, but this map, guys, this map of hospital closures: there's 7,000 hospitals in the country, 85% of them are medium, small and rural, 15% are large. The 15% have a CISO, they go to ISACs; the 85%

don't. In this time-lapse photography, these are hospitals that have closed forever. If there isn't a nearby hospital, the people that live in those zip codes are going to have a higher death rate for heart, brain and pulmonary. They are closing and no one's replacing them. Now, they were closing before the pandemic, they're further strained during the pandemic, and many of these small rural hospitals have four weeks or less of cash flow on hand. Four weeks or less. So where does cybersecurity come in? In preparation for this keynote, about two months ago, St. Margaret's in Illinois closed forever. It's just one hospital, it's not the first closure; people are like, ah, hospitals close, we'll buy them, we'll put

them in, but a lot of these aren't getting bought, they're just going away. Some of the ones that get bought, because they're distressed, they get put on life support, stripped for parts: they take the doctors, they take the equipment, they shut down services, so they're basically in a coma. So you're seeing hundreds of these 7,000 hospitals where people live going away, and if it's more than three hours away, you're going to see a lot of dead people from strokes and heart, and we're not replacing them. So here's why St. Margaret's gutted me: it's the first hospital to cite, as part of their cause of death, their ransom distress, because if most of these

hospitals have four weeks cash flow on hand, and a typical ransom will shut you down for 6 to 8 weeks, 6 to 12 weeks, it's a death sentence. So while it is not the thing that made them financially distressed, privatized medicine did, the pandemic did, it's the straw that breaks the camel's back, and we're having 700-plus ransoms a year. So how many more rural hospitals where you or your families live are you willing to see go away forever? So I can't fix the healthcare system outside of cyber. I'm not even sure I can fix, or we can fix, the healthcare system inside of cyber, but what I know is they can't afford to invest in

minimum cyber hygiene, they can't, and they can't afford not to, and I don't know what to do about that. And if we spent our next 10 years on this, I'm not sure we would fix it. So I am humbled again. While we have crossed the river and we have done exactly what I set out to do, I didn't want to fix a single medical device from a single manufacturer, I wanted to hack the system and the rules for all medical devices; we did that. And on the other side of that river I can now see more and more turbulent rivers ahead. So we are not public health officials, but we have failed to integrate into their hazards model that

if you don't spend enough on cyber resilience you might go out of business. So we have to have empathy for their situation, but also advocacy that if we don't do anything we could see another several hundred closures or predatory acquisitions, and you may not get timely access to care. It's one thing if it's a consult and you have to drive overnight to get to it; it's another when you're in desperate need of time-sensitive care. So I'm basically out of time, but when I look at this and I zoom out, it's, by the way, the straw of the camel's back. When I zoom out, I've been asking since January: do we end the Cavalry, do we transform it into

something else, like the bottom of Maslow, like pure healthcare, or how do you get scale? Because what we're doing at current course and speed, it's not enough, and we've asked a lot of you. If you look at Beau or Jen, we're exhausted. So if there's new recruits, if there's new leaders, then maybe we kill the Cavalry and we start the Cavalry Academy. What if we make a boot camp and a recipe book for if you want to save the world, if you want to make the world a safer place, we will mentor you, accelerate you, boot camp you? So an incubator-accelerator for people that want to change the world. This only works if someone in this audience wants to

pick up a project and have the audacity to try to pass laws or change incentives or connect the dots that make sure those hospitals are not just evaporating on our watch. We did not cause these problems, but we have a unique ability to solve them. So I'm still trying to answer that question. Friday was my last day in the private sector. I'm uncertain what the path forward is, but I'm committing myself to spend the next up to three months seeing who reveals themselves. I didn't even know who Beau Woods was when I made the last call to action, and he helped me change the world. Some of you in this room can help for the next

decade. So I don't know if there's any of you, or which of you, but if you'd like to do something bigger than yourself: as the world increasingly depends on connected technology, they increasingly depend on you. So who wants to change the world? Find [Applause] me. And we do have a mic and a little time for questions. Please be very careful, anybody going by the projector here; it's got a broken leg and it will topple right over and break.

I should have... the best place to find me for the next two days is in the Copa Lounge for the I Am The Cavalry track, and several of the things we touched upon will be explored in greater detail. You can find me online most places at Josh Corman, j-o-s-h-c-o-r-m-a-n, and I Am The Cavalry on Twitter.