
Cyber Safety is Patient Safety with Joshua Corman (Part 2)
About This Episode
We pick back up with Joshua Corman, founder of grassroots organization I Am the Cavalry, for part two of our discussion. Josh shares insights from his many years on the healthcare cyber front lines. He provides both a captivating and sobering perspective on the state of healthcare security today.

And while there have been many strides forward, we still have a long way to go. Audra and I learned so much during our discussion including themes such as cyber asbestos, the emerging care desert, dependency on undependable things, recalibrating the cost of connected medicine, if you can’t protect it/can’t connect it, the Omnibus Appropriations Act, and actionable insights on what we can do right now, as individuals and collectively, to make a difference.
Cyber Safety is Patient Safety with Joshua Corman (Part 2)
[0:32] Championing Cyber Safety and Healthcare Resilience
Rachael: We're excited for you to join us today for this special part two episode with Joshua Corman. He is Vice President of Cyber Safety Strategy at Claroty and Founder of I Am the Cavalry, a grassroots organization focused on the intersection of digital security, public safety, and human life. He shares insights on everything from recalibrating the cost of connected medicine, "If you can't protect it, you can't connect it," the Omnibus Appropriations Act, and actionable insights on what we can do right now as individuals and collectively to make a difference. So without further delay, let's get to the point.
Audra: You're certainly answering a lot of them and probably raising some others. Do you think some of the normal people sitting at home on a regular basis are not necessarily reacting to what's going on because their healthcare is expensive? Healthcare in the United States, in comparison, I mean, I'm UK, it's NHS; there's also private healthcare that you can pay for. But is it only if people are impacted in their own lives that they react and therefore put pressure on the government to do something about it? Or what do you think, in terms of lots of people kind of going, "Eh, it doesn't matter"?
Joshua: Well, without naming names, I was on some recent government planning and public-private partnership groups by virtue of both my congressional task force and my emergency assistance service. I was there to ensure that we were solving for the national security needs, the national capacity, the national resilience, the national recovery. And I just kept finding them going back to, "Well, let's help the helpable, let's help them survive, the ones that are going to survive."
Reshaping Cyber Safety for the Collective Good
Joshua: And one of them out loud essentially said, "This is the capitalistic market, like survival. If not all of them are going to make it, that's okay." And I violently disagreed with every fiber of my being. We only get one public-private partnership. Our job is to look at what's right for the public good, not for our individual private interests. And the notion of "save the saveable," I can understand that perspective if I try to put myself in their shoes.
But it's an incomplete view. Because perhaps you haven't had to wait too long while you were bleeding or while you're injured because you had lots of alternative hospitals nearby. Perhaps the hospital in your area got ransomed, but it was okay because there was overflow capacity. But if you're one of those affected in a different part of the country or it's your loved ones that live elsewhere, it tends to wake you up. So as I started asking more of these questions and encountering more humans and the human aspects of this, I kept hearing more and more stories about having to drive my dad six hours to get the care he needed. Six hours; they had to get a hotel. So that sounds inconvenient, it sounds abhorrent. But I'm afraid that they're going to notice that, no, I lost a loved one that was saveable because we couldn't get somewhere in time. And we studied a lot of that during the pandemic. I also fear that we're also at a time in the species where we're ignored to death. We had so much of it, we just went numb to it, and we've accepted that people are going to die.
Pioneering the Battle Against Preventable Loss
Joshua: Yes, at the macro level, people are going to die. And hospitals, before they were shattered, they knew that you can't save everybody. There's always a med student on ER or Grey's Anatomy or a favorite show that goes to their first loss. And then they're like, "I can't believe we didn't save 'em." Right? You're going to lose people, that's baked in the cake. What they forget sometimes when you double-click is there is a preventable loss of life, right? We're not going to save everybody, true. But we could have saved these ones if we had smarter technology, if we had smarter policy, if we had better funding.
So I think we are being very cavalier about the preventable loss of life. And as more of these hospitals close, I think more people will feel it personally, and then they'll do something about it. But usually, that's fairly late. So can we have an intervention before it's too late? So I'm not trying to tell you that I'm giving up. But the shattering moment is that what I'm doing has been critically necessary, and it's not going to be enough.
The constraint is what we really need to do, and I don't have the right language for this; I'm talking in real-time with you. But as I try to have something positive here, we have hidden costs in connected medicine. We have to render those hidden costs visible. Just thinking like an economist, there are true costs; render the true costs visible. Then we have to factor that into the cost of the market and adjust accordingly. And what that probably means is the payer models and insurance models and the way we look at these will be quite different.
Rethinking the Geography of Healthcare
Joshua: I don't actually think we are going to need huge hospitals in the places that are closing them. But we'll need some non-zero proximal care for urgent things. So we haven't really recalibrated the cost of connected medicine. And the fact that while we have new things that can make remote medicine better, it doesn't go to zero.
Audra: Agreed.
Joshua: And we have a very large geographic area, and since you're from the UK, I'll give you a bonus item. Part of my heartbreak is, I mean, many of the problems I just described are for two things that the US has different than the UK. One is we don't have a national health service, it's still largely capitalistic privatized, and broken. And two, we have an incredibly large landmass, geographic space, and time to cover for proximal alternative care.
It's going to be harder on a map this big versus a map the size of the UK or pick your favorite country here. But those two differences are quantifiable, right? But NHS is failing as fast or worse in some ways. And when I looked at what's common mode failure between the two, given those two really material differences, a lot of it is no nurses and doctors, even before the pandemic. We were kind of outsourcing to take nurses that were cheaper from Africa, from India, from Malaysia.
Audra: Commonwealth, we always advertise for teachers and nurses and doctors from the Commonwealth countries.
Joshua: And when everybody's got the same strategy and there's a finite resource pool... I mean, my eldest daughter's in nursing school right now. It's going to take years before she's able to help replenish all the lost nurses we've had.
[7:19] Forging a Better Cyber Safety Future in Healthcare
Joshua: So the rate we're losing them is exceeding the rate we're growing them, and we don't pay them right. And we don't treat them right, and we don't train them. And so there are really fundamental challenges here. I think what we have is fairly old models of capacity planning and payment and incentives that were wildly disrupted by adding connectivity and innovation. But never got recalibrated or recalculated. So we need a big reckoning for this.
And the philosopher in me says, if you're overdependent on undependable things, which we are, and if that level of connectivity exposes you to accidents and adversaries 700 times a year, if you can't afford that, if you get punched by ransomware and you can't get back up, maybe the answer is to disconnect. If you're overdependent on dependable things, you have two choices. You can make these things more dependable, which I have started to do with the Patch Act, and we have more to do for hospitals. That'll take time. Or you can depend less. So make it more dependable and/or depend less. So I have a five-pronged plan for keeping.
Audra: So are you actually suggesting an air gap? So air gapping our hospitals?
Joshua: Air gaps never really existed. They're kind of like fake, and they're certainly being perforated on purpose by business incentives and connectivity, like telehealth. There is a benefit to that connectivity. But go ahead and finish your thought before I assume I know.
Balancing Connectivity and Security in Healthcare
Audra: That's alright. No. So I was just curious. Are you literally talking about disconnecting hospitals, still having connectivity within for the things that you need to do so that things can work, but actually disconnecting from the internet, or putting, certainly, the things in the way in terms of how things get in? So we have certain solutions that literally cleanse everything that comes in. And anything that could potentially be dangerous, like links, gets removed. Are you talking about implementing more of that kind of approach? Or do you literally mean let's unplug and go old school?
Joshua: I'm going to sort of reframe this. Because I can't tell individual hospitals what to do or how to do it, and I don't know. But I can say the strategic framing is this, and I keep changing it. So it may sound different if you ask me a month from now. But I've been asking my super friends from the congressional task force, from CISA work where we're doing hand-to-hand combat with Russian ransomers and whatnot. And I said, what could we do to stem the bleeding right now?
Because the real fix is going to take 10 years, 15 years, even if we give a ton of money to everybody right now and say, "Go fix your hospital." We're still going to be ransomed in the next 10 to 15 years. So if we accept that, we accept that. I liken it to 9/11 hijackers trying to get on commercial aircraft and turn them into missiles. Were we going to get rid of all airplanes because of that? No. And we did a lot of stupid things in the wake of that event.
Strategic Priorities for Hospital Security
Joshua: The only smart thing we did was we said, "They're going to get on the plane, let's make sure they don't get in the cockpit." So the steel-reinforced cockpit doors. So here are my five things, badly worded, that I just go to whenever someone's saying, "What do we do right now?" And I said, "Okay, in the wake of ransoms, what are our steel-reinforced cockpit doors in the hospital? Can I have a ransom hospital that can still provide time-sensitive care for heart, brain, and pulmonary issues?
And the systems that if they go down, people die. It's the EMR, it's heart and brain. It's systems in the critical path of heart and brain treatment like imaging for a stroke, is it a clot or a bleed?" Because if it's a clot, there's a clot buster that'll save the brain, save life. If you give that clot buster and it's a bleed, you'll kill them. They'll bleed out fast. So what are those systems that are too critical to fail at hospitals that are too isolated to fail? In the financial meltdown, we said too big to fail.
I'm saying too isolated to fail. So number one is we should focus our surgical fire on the system. The subsets of those hospitals that are too time-sensitive to go down. So have a ransom hospital, pay the finances to clean up, but don't let these systems go down. Have analog backups, have downtime procedures that work, or have equipment that's not connected. So what are those steel-reinforced cockpit door strategies? Number two, not every hospital in the country is equally risky to this. Because we should do a look at the geographically isolated hospitals that if disrupted, there's no proximal alternative care.
Hospital Security Roadmap
Joshua: You can do that with math and assess which ones need asymmetric help, outside help to shore up so that they don't go down. Or that if they go down they get back up quickly. Number three, then, is a world where all these buildings are flammable. We need more fire trucks. So we need, at least in the interim, a lot more money thrown at crisis management and incident response from CISA, from HHS (it's called ASPR), from FEMA. Maybe when these are inevitably hit, we drive in with trucks, with money, with staff, with alternative equipment, and with incident response help to clean up and evict these guys faster, because these are the longest disruptions of any sector.
Number four, there's some very dangerous equipment and legacy equipment in here. A lot of my relationships show more than 50% of the equipment in the hospital has an FDA recall associated with it. So these are not only unsupported end-of-life operating systems that are more likely to get disrupted and be the point of entry, maybe into a ransom to the hospital. But also that they could empty a three-hour dose of a calcium channel blocker in your body in 30 seconds as we showed with bedside infusion pumps.
So these recall devices, we should have active prohibition. FDA has done wonderful work raising the bar and warning people when something's dangerous, and then hospitals are not required to get rid of them. So we have cash-for-clunkers-type ideas under this banner where Senator Warner mentioned it as well. I put it in my task force report in 2017, and he put it in his report.
[13:45] Protect Hospitals from Within
Joshua: But can we either make prohibitions and/or cash-for-clunker stimulus to, or even just, if we have to keep using them, better isolate the most dangerous, most vulnerable equipment that can do the most harm? And lastly, this can't be a volunteer effort. When there was a crisis of competence and institutional trust had been broken in financial accounting from Enron's scandal, we did Sarbanes-Oxley. This became a board-level concern with criminal penalties for the CFO if they didn't follow general accounting practices. They had an audit regime.
And this will not be done out of the kindness of people's hearts when they're cash-strapped. This has to be baked in, funded, and accountable to reestablish and maintain the public's trust in their safety and reliable access to care. So there's a lot baked in there. But essentially, steel-reinforced cockpit doors, and time-sensitive equipment, which regions suffer the most when hit hardest. Let's provide more help to them, and beef up our fire response vehicles while we're building fire prevention for the future.
Drain the swamp of the most dangerous devices. Whether dangerous is defined by FDA recall, unsupported operating systems, or known exploited vulnerabilities. But let's focus surgically on the most dangerous devices that can do the most harm to humans. And this has to be a regulatory carrot and stick financial change, or it's not going to happen. The safety of your community cannot be predicated on the persuasiveness of the champion within the team. Especially when out of those 7,000 hospitals we started with during the task force report in 2017, 85% of them don't have a single security person on staff to even be that champion, let alone effective.
Stemming the Death Spiral in Healthcare
Joshua: So we are in a bit of a death spiral, and we're going to have to stem the bleeding now to prevent preventable closures. And we're going to have to fix the incentives and assist those most in need of help for those time-sensitive conditions. So I start with those things: time sensitivity, and geographic isolation, and then bake in the incentives. In parallel, the great work we did passing the Patch Act is going to matriculate slowly. But if a typical medical device is in the field for 15 years, it's going to take 15 years to phase out the really dangerous stuff, a little bit at a time over the next 15 years.
I don't know, it's pretty dangerous times, but I'm not a public health official. It's just that the empathy journey and going down the rabbit hole. When I went into CISA, I thought I was going to be helping prevent hospitals from getting ransomed or helping them recover more quickly. One of the most important things I published had almost nothing to do with cybersecurity. We were studying the effects of ransomware on states hit hardest to see if there was a quantifiable loss of life.
And the metric I was using to do so is called excess deaths. The CDC tracks it all the time; they track expected deaths versus actual deaths by state, by month, by condition, and by sociodemographic. So if this state normally has a hundred deaths from this condition and now you have 110 against the running average, then that was 10 excess deaths.
Uncovering Critical Infrastructure's Hidden Toll
Joshua: In the process of doing data science to keep Americans alive, and specifically looking at the erosion of critical infrastructure workforce, we saw at the one-year mark of the pandemic when the US had lost 500,000 Americans to COVID, mostly 85 years old or older with four or more other conditions, we had also lost 150,000 excess deaths from non-COVID. And when I looked at who was dying and from what, my gut feeling was that it was heart and brain and pulmonary issues, and indeed, it was heart and brain and pulmonary.
But to my shock, it wasn't 85-year-olds; the fastest-growing demographic was 25 to 44-year-olds. It was younger critical infrastructure people. So here I'm trying to work on cyber resilience, and what I'm noticing is a lot of these supply chain issues in the port of LA or manufacturing or nitro gloves, these are happening because we're having disruptions due to sickness, death, and burnout in the critical infrastructure workforce. And as I studied that, I said, "We can't just admire the problem. These deaths are going to have an outsized impact on the functioning of the country. Is there any leading indicator?"
Within a couple of days, we said, "Yeah, we did a bunch of simple data science and found a public health stat that's published all the time called ICU strain, adult ICU bed utilization, which is the percentage of your ICU beds in use." It is a trailing indicator for the hospital, maybe not even a meaningful one, but for us, it had a strong positive correlation to excess deaths two, four, and six weeks later. So 75% was usually a target before COVID, and sometimes they'd like to run hot at 85% or so.
Eye-Opening Revelation
Joshua: Some of these hospitals were 100% full, 110% full. What we found is that this is a leading indicator with a strong positive correlation. We adjusted for co-factors in models and regression and different state-level factors, and this was a very viable metric. What does it tell you? It says, if you're in a hospital, try to manage your elective strain on your ICU because once you go over 75%, you're going to see deaths. To quantify this for you, I think I said it in the congressional testimony, but if the nation hit 75%, we would see 18,000 dead Americans in two weeks.
Not a small number, 18,000, but if you hit a hundred percent, it was 80,000 Americans. And we hit those thresholds three times during the first observation period. So here I am trying to prove, and I think we did prove, loss of life in the state hit pretty hard by using that instrument of measurement. We could see hospitals in that state that were ransomed, the regions that were ransomed, achieved those excess death stress levels sooner and stayed there longer than their peers in the state. So we can quantify minimum, maximum, and most likely.
So I know, but won't say out loud how many people we believe died and could be corroborated by state-level evidence later. But it's like this number, it's double-digit, right? Whereas how did I prove it? By the time we published that data science successfully, we had lost another 90,000 Americans. So we were over the 200,000 Americans lost from excess deaths, from delayed degraded care from ICU strain. You start to wonder, am I even a cyber guy anymore?
[21:54] Redefining Cybersecurity as a Pillar of National Security and Public Safety
Joshua: And maybe that's what I'm really wrestling with here. We have some really talented, passionate people that want to make these hospitals safer, these factories safer, these oil and gas pipelines safer from data breaches or ransoms or shareholder impact. But what we haven't paid attention to is this isn't about shareholder impact. This is about access to water, food, and shelter, national security interests, about public safety interests. This is: does your family get reliable access to food? Can they afford it? Can they go to the hospital when they need to?
The second recognition that's humbling is not only is this much more than local goods for our employer, but to fix these, we can't just use cyber skills. We're going to have to find ways to be systems thinkers and work with others to show this new cyber thing brings weird hazards with it. We shouldn't just try to point out flaws anywhere because many of those flaws will never hurt or kill anybody, but some of them will be in the intersection of public safety and resilience and national critical functions. And our talent pool does not overlap enough.
We do a lot of great work that never goes anywhere and there are a lot of areas that could benefit from us that we never focus on. And I want to try to merge those Venn diagrams better so we know what are the weak links in the national security or public safety arena that need our attention and would benefit from our attention. And how do we align for that common cause, common purpose so that we can prevent more preventable losses?
Bridging Cross-Sector Risks for Essential Human Needs in a Cyber-Attacked World
Joshua: So hospitals are one thing, but to run a hospital, you need drinkable water, electricity, chemicals, transportation, and more. Most of these cross-sector risks, water, electrical, and emergency care, they're entangled, and most of them suffer from this target-rich, cyber-poor problem. So increasingly my focus is on those basic human needs that are overdependent on dependable things.
They're not getting help from the privatized, volunteer, or other private partnerships, and they're increasingly attacked. So we know some things we can do, but it's not just going to be a cyber solution; it's going to be an economic solution, a systems-thinking solution, and rational dependence mapping. And we're not wired that way, but we need to get wired that way fast. These are cross-functional teams that need to learn from each other. Anyhow, I may be making no sense.
Rachael: No, it makes a lot of sense. Not to, I guess, come at it again from a cyber lens, but it's true. I mean, when we talk about cyber, the criticality of cross-functional partnership and just in a corporate environment, you've got to have HR, you've got to have legal, you've got to have all these people talking to each other because, again, the people impact. And when you put that through the healthcare lens, I mean, it's truly terrifying. Particularly when there are significant needs out there for this cross-functional partnership. And how do you bring all those parties together, to your point, to work together for something that is obviously critically needed?
Prioritizing Immediate Threats Over Cybersecurity Trends
Joshua: And, of course, and I hope I don't sound dismissive when I say this. Of course, some very smart people need to be looking at the role of generative AI and large language model processing. And, of course, some smart people need to be looking at post-quantum crypto. But when you look at a hospital from an attacker's eye view, you've got unsupported end-of-life operating systems naked on the internet on Shodan, sometimes with no password. Forget multifactor authentication; there's no authentication. Hardcoded passwords you don't need.
I think where we focus our time at conferences and in our collaborations in the industry is on the sexy things, the new things that will be important and some of us need to do. So, my mantra lately has been our attention on those should be proportional to the manifest harms and active exposures that we are facing now. And it's kind of hard to look at post-quantum crypto attacks when we're not doing any crypto in a lot of these OT/ICS environments, like, we are flammable.
One of the things I used to say is we are always prone, we are always prey. We just lack predator interest. That's over. They're here. And the number of attacks we have, if you talk to really good threat analysts or people on the ransomware task force or a lot of these hand-to-hand firefighters, they believe that the number of attacks is throttled only by predator appetite. It's really not about who could get hit. It's how much bandwidth they have to spring the trap to wake up, drink their coffee, and figure out who's going to turn the ransomware on from their achieved access.
[25:04] Call to Action
Joshua: So we are throttled only by predator appetite at the moment, and that's not a good state to be in. So we got a lot of work to do. The question is how quickly can we stop fighting each other and admit we have a problem. You can't solve a problem you don't admit you have. So the first step is admission, and instead of trying to do the old strategy for the old IT, we had an old strategy for the old IT. Everything's changed from a technology and business perspective. So we need to be brave enough to step back and re-architect how we do this. We're not yet.
Rachael: Well, I think half the battle is just starting to have these kinds of conversations, right?
Joshua: Knowing is half of the battle.
Rachael: Well, exactly right.
Audra: At least the first 20%.
Rachael: Yeah, because I think a lot of people, and that's the thing about healthcare, I keep thinking about it. I feel like it's not talked about enough, or at least I'm not seeing it enough. I read a lot of things, and I think as people start to better understand all the nuances as well, these are significant. And that's why I love having these conversations so that we can educate a broader community of people and ignite some of those people who could help take action and hopefully join the cause if you will. It's got to start somewhere.
Joshua: And if you're more of a builder or an architect, some of my newest thoughts are maybe instead of starting with the terrible patchwork historical Frankenstein monster of a hospital we have now.
Reimagining Healthcare and Technology Synergy
Joshua: We could look at building reference architectures where if you wanted to make this connected and safe, what would that look like? Whether it's theoretical or an actual proof of concept. And I do think there are models, I had a few ideas of how you could have a minimum viable point of presence in these areas that isn't a traditional hospital but can ensure that you have what you need, where you need it, and when you need it. Fully leveraging telemedicine, fully leveraging the technology advances we've made, but safely. And there's middle-ground stuff too.
Like if you're constantly struggling to maintain your on-premise Microsoft Exchange server that's unsupported end-of-life. And it's a lot of work to do hand-to-hand combat with the world's best adversaries. Maybe you shouldn't do this anymore. Maybe you should do Office 365 or G Suite or something where someone's doing some of that for you. So there's a lot of complexity in elective risk that we used to think we could afford. And now, in the full light of cost-benefit, we should acknowledge we cannot afford. I don't mean by money, I mean the overall package deal of rolling your own versus outsourcing.
And if you are a solution provider and you mostly look at, well, what's the total addressable market of the average sales price? It tends to orphan the target side report. There's not enough money in it. Well, innovation could expand your total addressable market, if you could find ways to use technology to make offerings for these smaller ones, and ask what would they need.
Pioneer of Change in Hospital Cyber Safety
Joshua: My experience is when you try to solve for some of these less staffed, less funded organizations. The innovations you make for them also make you more profitable for the bigger players that you're serving. So we just tend to say it's a capitalistic market. What are the big ones? This is true for private industry, but anybody touching critical infrastructure that affects everybody. So my trailing questions tend to be how bad does it have to get before we stop fighting each other on what to do? And then how long do we have before we regret waiting this long?
Audra: We only know when we get there. When we get there. That's the problem.
Joshua: And that's why I'm so grateful for the crazy volunteers on this 10-year journey that decided to do it before harm, that decided to invest before people would listen, that did the scaffolding and the prototyping and built the trust. Yes, it's been an emotional journey. Lots of milestones and touchpoints. I'm still trying to pick which ones I include in my keynote in Vegas in a week or so.
The one that comes to mind right now: in that room, if you watch the video, I said to them flat out, "Guys, people will have to die first before they're going to listen to us. Just want to set your expectations." And somebody said, "Well, why would we do it then?" I said, "Well, because when that moment comes, we want to have a head start. We want to build trust, we want on scaffolding, we want 'em to turn to us instead of lesser people, lesser motives, lesser ideas."
Navigating the Uncharted Waters of Medical Device Cybersecurity
Joshua: And pretty early on, after building trust with Suzanne again from FDA, she didn't understand, a lot of her team didn't understand, why someone like a Billy Rios or a Jay Radcliffe would hack a medical device. What's wrong with 'em? What's wrong with them? These are life-saving devices. Why would you scare people? What's your problem? And that wasn't her attitude, but that was the attitude of a lot of her colleagues. And because she led to understand and because we didn't understand, we built some trust, we had some summits with hackers, and I was on my way to Comic-Con right before Vegas, a year or two.
We were talking through some things and asking some questions, and I'm in the line at Comic-Con to get Stan Lee to sign my Spider-Man pinball machine. And I can't remember exactly the day, but she calls me a couple of days later, after DEF CON or before DEF CON, I dunno, it's all a blur to me, but around that timeframe. And she said, "Are you willing to talk to Reuters today?" I said, "Sure, why? What am I talking to him about?"
And she's like, "Well, we're going to do it." I'm like, "Do what?" She said, "We're going to issue the first safety communication for cyber where there's going to be a recall." I said, "Did somebody get hurt?" Because prior to that, what we learned from them is to do a recall, you have to have proof of harm. I'm like, "What's proof of harm?" Well, people have to have adverse outcomes and there has to be direct evidence and it has to probably be more than one.
[31:58] Pioneering Ethics and Action in Medical Device Cybersecurity
Joshua: And I had spent time, and the hackers had spent time, trying to argue that in cybersecurity, maybe an unmitigated pathway to harm should be enough to trigger corrective action. These won't fail like a hip replacement on a Gaussian bell curve. They'll go from no attack to lots of attacks fast. And whatever we said must've worked. Because when I get on the call, I realize, "Oh yeah, this is great. This is great." So it was a bedside infusion pump where Billy Rios found he could empty a three-hour dose in 30 seconds without authentication.
And there wasn't a patch coming. So the safety communication went out, and it told all the medical device makers, "Oh wow, we thought we had years before we'd get regulated on this stuff. We'd better stand up straight. I guess we have to get our house in order." And I felt really good, and my adrenaline was really high. And you just kind of ride the wave. And I do the interviews and I tell some of my colleagues, "This is great, this is great."
My daughters came home from school, and I worked from my house, and they said, "Daddy, why are you so happy?" It's already evidence that maybe I'm not happy all the time. And I'm like, "How do I explain this to an 11-year-old kid?" And as I'm explaining it, I start to weep. I'm like, "Oh my God, nobody died." It just hit me really hard. And that was year two of this journey. And it almost feels like an unimportant thing, but the idea was that something's missing in the world.
Igniting Hope and Resilience in the Battle for Cybersecurity Progress
Joshua: Maybe we can try to put it there, and maybe they're not ready to hear us yet, but we still have to do the work, because these are long-view problems. It took us a long time to get here. It's going to take a long time to get out. So, full circle, I'm just really grateful for a very large group of volunteers who did this on top of their day job for parts of, or all of, a decade. And we're now in a place where the world is very dangerous, very flammable, and increasingly lit on fire.
But how great is it that we have part of the cure, mandatory building codes for cybersecurity for the devices on a go-forward basis? I can be both really proud, encouraged, and heartened by some of these victories, like passing a federal law for that, and really overwhelmed that it's not nearly enough and that things have gotten much worse, much faster. The only cure to this is: you have a choice. You can either be defeated by this and nihilistic, or you can look at the existence proof of some successes and say, "How do we have more of those successes, faster, in parallel?"
A lot of people are burned out in this field, in this profession. And I'd encourage them: if you feel meaningless or purposeless, or that no one's listening, you can do meaningful things. You can do purposeful things. You can make the world safer. It's up to you what you do with your job, what you do with your free time. It's up to you where you channel your talents.
Empowering Change and Unity in Cybersecurity
Joshua: And if you don't feel fulfilled and you don't feel positive, the best way to predict the future is to cause it. And I don't know how to take what we've done for a decade to the scale and scope that we need to, but I know we've got to figure that out.
Audra: More hands make lighter work. So expand it. You've got the passion to inspire people and a good cause for people to want to be involved.
Joshua: Well, even if you're selfish. You're going to need care and food. You're going to need electricity. Those that are in your care or your loved ones are going to need it. And one of the ways I used to end a lot of talks is I said, "The world is increasingly dependent on digital infrastructure. They're increasingly dependent on you." We don't look at ourselves that way, but we're that thin cyber line between getting this right and getting it wrong.
We can't do it alone, but they can't do it without us. Yes, I don't know. I could talk to you for hours, but I probably will get in trouble if I do. So can I try to squeeze in the origin? Sure, yes. I'm going to try. I only have at most five more minutes left. Four more minutes left. So I had researched the rise of Anonymous hacktivism, and I was successfully and consistently predicting what they were going to do, or false flag operations done in their name.
Forging Collaboration Amidst Cybersecurity Challenges
Joshua: And the intelligence community started to wonder why. And I was doing really important work, but I was really burned out, and I got invited into their places a lot: "How are you figuring this out? How are you doing it?" And a lot of that trust I built got me permission to bring five of the world's best cyber minds into Fort Meade for two days, with General Alexander and Neuberger and five of their people. And we had to answer challenge questions.
It was breathtaking. These people had never worked together before. So it was like individual superheroes forming the Avengers, sort of, speaking truth to power, saying things they hadn't heard, they hadn't considered. At the end of those two days, they said, "We can't do this one, can't do that one. There's no political will for that one. People have to die first with that one."
And basically, we were demoralized when we went back to the airport bar and drank, and no one spoke. And I said, "Hey guys, the cavalry isn't coming." I just kind of left it there. That was half of it. What I didn't tell them was that the day prior, what I thought was just my mom's stroke, when I got back to the car, because you can't bring your cell phones in, I had 18 messages saying, "I'm so sorry, Josh, I'm so sorry." When I got to number 12 or so, it was one of my sisters. I'm like, what the hell are these people talking about? And it's like, Mom's not just having a stroke, she's dying. There's nothing we can do.
[37:40] Finding Purpose Amidst Loss and Life's Unanswered Questions
Joshua: So we hospiced her. We had to take her through brain cancer for a while, and it was slow, exhausting, and painful. She was a superintendent of the school district and very active in her church. Right before we took her away from her home to stay with my sister until she died, she wanted to say goodbye to her friends, her students, and her church. And it just so happened to be the Sandy Hook shooting. So the day she wanted to say goodbye to her friends, nobody was able to be present.
No one knew she was dying. She didn't get to say goodbye. So I'm looking at my mom dying. I'm looking at my daughters crying, afraid to go to school. I hear her preacher for an hour, for two hours, for three hours, just say, "Why is there evil in the world?" And I'm getting angry at 'em. I don't know why I'm angry, but I just feel angry. I didn't like that church, didn't want to be there, didn't like the situation. Go home. Hospice her through January. She dies. And then when I had to go back to that church, I actually couldn't go in the building for a while.
I'm like, I don't want to go in there. I'm angry. Why am I angry? Can't be angry at Mom's funeral. I'm the eldest, so I had to give the eulogy, and I just tried to compartmentalize it, and I walk in, I'm like, last time I was here, Sandy Hook was happening. We kept asking, why is there evil in the world? Why is there evil in the world? It didn't sit right with me, and I couldn't figure out why.
Filling Absences with Empowerment and Purpose in a Challenging World
Joshua: I remember being angry about it. So I think I just figured it out. My mom got to be my school teacher in seventh grade. Somebody got hurt in sixth, and she had to fill in. She was my science teacher, and she was phenomenal. And of the many things I learned, one was that darkness isn't a thing, it's an absence of light. And cold is not a thing, it's an absence of heat. So maybe it's not just the presence of evil, but maybe it's the absence of good.
Maybe if something's missing in the world, we have to put it there. So what's the absence of Marie? My mom's name. I didn't even have an answer to my own question, but I looked at her parents, her siblings, her kids, her grandkids, her students. And I said, we don't get to find out. It now falls to us to do what she was doing. As soon as I said that, I kind of chose this path right there. I said, if the cavalry isn't coming, I have no idea what to do, but somebody's got to do it.
So I think it's both a sad story but also an empowering one, because a bunch of people who had no right or no business to fill these vacuums chose to. And we have absolutely made the world safer. And you can do the same thing. Not only can you do the same thing, we need you to. So, quite a 10 years, and everything that came before and after, but there's a lot more work to do. So thank you for having me on, and letting me be a little personal.
Igniting Change and Inspiring Action for a Safer World
Rachael: Absolutely. Well, and I do want to close, Josh. I mean, I love your passion, and I think when we're able to have these conversations and share these stories, you're going to inspire people, more people, to want to get involved. I think people are looking for somewhere to put that passion and energy, because a lot of people are frustrated and looking for outlets. And to see you take the mantle, right? I mean, the power of one person and then the power of a collective is incredible.
And it just takes a couple of people to get the ball rolling and then it can make such an impact. And so I want to thank you for sharing this with our listeners. I am so excited and inspired and I'm so thankful that people like you are out in the world because we need more of you. And I think after this conversation, we know it's within all of us to do this and take this first step. So thank you. I really enjoyed our conversation.
Audra: And you're absolutely inspirational. And just to reiterate what Rachael said, individuals can make a difference. And I just think you need to get more people; more people makes lighter work.
Rachael: Absolutely.
Audra: It takes time, but eventually you'll have enough of a mass that it'll seem less like hard work.
Rachael: Excited for what the next 10 years can bring Josh.
Joshua: Well, if you want to help shape it, BSides Las Vegas, August 8th and 9th, Cavalry track. There are some big decisions to make.
Rachael: Absolutely. Alright, well thank you again, Josh. I know you need to run. And thanks to our listeners for joining us. Until next time, be safe.
About Our Guest
Joshua Corman is the founder of I Am the Cavalry, a grassroots organization focused on the intersection of digital security, public safety, and human life. He was formerly chief strategist of CISA’s COVID Task Force, where he advised on the pandemic response, provided cybersecurity expertise on healthcare infrastructure, and supported control systems and life safety initiatives. Prior to CISA, Josh was SVP and chief security officer at PTC, where he accelerated cyber safety maturity across industries. Previously, he served as director of the Atlantic Council’s Cyber Statecraft Initiative, on the Congressional Task Force for Healthcare Industry Cybersecurity, and in leadership roles at Sonatype, Akamai, IBM, and the 451 Group.