CyberWire Daily - Cybersecurity is radically asymmetrically distributed.

Episode Date: August 5, 2024

Rick Howard, N2K CyberWire’s Chief Analyst and Senior Fellow, discusses the idea that Cybersecurity is radically asymmetrically distributed. It means that cybersecurity risk is not the same for all... verticals and knowing that may impact the first principle strategies you choose to protect your enterprise. For a complete reading list and even more information, check out Rick’s more detailed essay on the topic.

References:
André Munro, 2024. Liberal democracy [Explainer]. Encyclopedia Britannica.
David Weedmark, 2017. Why do some states require emissions testing? [Explainer]. Autoblog.
Kara Rogers, 2020. What Is a Superspreader Event? [Explainer]. Encyclopedia Britannica.
Lara Salahi, 2021. 1 Year Later: The ‘Superspreader’ Conference That Sparked Boston’s COVID Outbreak [News]. NBC10 Boston.
Malcolm Gladwell, 2002. The Tipping Point: How Little Things Can Make a Big Difference [Book]. Goodreads.
Malcolm Gladwell, 2005. Blink: The Power of Thinking Without Thinking [Book]. Goodreads.
Malcolm Gladwell, 2008. Outliers: The Story of Success [Book]. Goodreads.
Malcolm Gladwell, 2019. Talking to Strangers: What We Should Know About the People We Don’t Know [Book]. Goodreads.
Malcolm Gladwell, 2021. The Bomber Mafia: A Dream, a Temptation, and the Longest Night of the Second World War [Book]. Goodreads.
Malcolm Gladwell, 2024. Medal of Honor: Stories of Courage [Podcast]. Pushkin Industries.
Malcolm Gladwell. Revisionist History [Podcast]. Pushkin Industries.
Michael Lewis, 2003. Moneyball: The Art of Winning an Unfair Game [Book]. Goodreads.
Michael Lewis. Against the Rules [Podcast]. Pushkin Industries.
Nassim Nicholas Taleb, 2007. The Black Swan: The Impact of the Highly Improbable [Book]. Goodreads.
Rick Howard, 2023. Cybersecurity First Principles: A Reboot of Strategy and Tactics [Book]. Goodreads.
Rick Howard, 2023. Cybersecurity First Principles Book Appendix [Diagram]. N2K CyberWire.
Rick Howard, 2023. Cybersecurity moneyball: First principles applied to the workforce gap. [Podcast]. The CyberWire.
Rick Howard, Simone Petrella, 2024. The Moneyball Approach to Buying Down Risk, Not Superstars [Presentation]. RSA 2024 Conference.
Robert Soucy, 2024. Fascism [Explainer]. Encyclopedia Britannica.
Staff, 2022. Information Risk Insights Study: A Clearer Vision for Assessing the Risk of Cyber Incidents [Report]. Cyentia Institute.
Staff. Congressional Medal of Honor Recipients [Website]. Congressional Medal of Honor Society.
Staff. North American Industry Classification System (NAICS) [Website]. U.S. Census Bureau.

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K. Air Transat presents two friends traveling in Europe for the first time and feeling some pretty big emotions. This coffee is so good. How do they make it so rich and tasty? Those paintings we saw today weren't prints. They were the actual paintings. I have never seen tomatoes like this. How are they so red? With flight deals starting at just $589, it's time for you to see what Europe has to offer.
Starting point is 00:00:31 Don't worry. You can handle it. Visit airtransat.com for details. Conditions apply. AirTransat. Travel moves us. Hey, everybody. Dave here.
Starting point is 00:00:44 Have you ever wondered where your personal information is lurking online? Like many of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. DeleteMe's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life private by signing up for DeleteMe.
Starting point is 00:01:22 Now at a special discount for our listeners, today get 20% off your Delete Me plan when you go to joindeleteme.com slash N2K and use promo code N2K at checkout. The only way to get 20% off is to go to joindeleteme.com slash N2K and enter code N2K at checkout. That's joindeleteme.com slash N2K, code N2K. Hey, everybody, Rick here. Let's start with this. Cybersecurity is radically asymmetrically distributed. I first heard of this idea from an unusual source, Malcolm Gladwell,
Starting point is 00:02:07 the famous author and podcast host. He gave one of the keynotes at the 2023 Google Mandiant MWISE conference in Washington, D.C. And you may be rightfully asking yourself, what does a world-renowned author and podcast host, whose expertise is in the ballpark of the social sciences, know about the world of cybersecurity, and why was he presenting the keynote at one of the InfoSec profession's flagship conferences? I'm glad you asked. I think mostly it was because Google paid him to do it. That said, he brought an original idea that I had never considered, or at least he crystallized an idea that had been bouncing around in my head since we started writing our first principles book back in 2022. His idea was that most of us believe that the problems we all are trying to solve in our daily lives are normally distributed to everyone. That things like climate change,
Starting point is 00:03:05 nuclear accidents, and the most effective ways to water our lawns impact everybody equally. When he suspects that some problems are asymmetrically distributed, in many cases they are radically asymmetrically distributed. He said that he appreciated the hubris of a non-cyber security expert like him coming into a room filled with cybersecurity experts like us and suggesting not only a new idea, but perhaps a revolutionary way to approach the problem of cybersecurity. With that big caveat, he said that he thought cybersecurity was a radically asymmetrically distributed problem. Well now, that seems interesting, since the entire purpose of our first principles book was to talk about cybersecurity strategies and tactics,
Starting point is 00:03:51 does understanding and believing that cybersecurity is a radically asymmetrically distributed problem change the strategies that we might choose? Gladwell seems to think so. Let's find out. So, hold on to your butts. Hold on to your butts. This is going to be fun.
Starting point is 00:04:30 My name is Rick Howard, and I'm broadcasting from the N2K CyberWire's secret Sanctum Sanctorum studios, located underwater somewhere along the Patapsco River near Baltimore Harbor, Maryland, in the good old U.S. of A. And you're listening to CSO Perspectives, my podcast about the ideas, strategies, and technologies that senior security executives wrestle with on a daily basis. For those that don't know, I'm a huge fanboy of Malcolm Gladwell. He's the best-selling author of books like The Tipping Point, Blink, Outliers, Talking to Strangers, and The Bomber Mafia, which is my all-time favorite. It's about the U.S. Army Air Corps' glorious quest to make warfare less murderous
Starting point is 00:05:14 in the transition between World War I and World War II. The men behind the effort spectacularly failed, but boy, did they give it a try. Gladwell is also the co-founder of Pushkin, an audio production company similar to N2K CyberWire, in that Pushkin hosts a network of podcasts. Out of the 44 that Pushkin publishes, my favorites are Against the Rules, hosted by Michael Lewis of Moneyball fame, Medal of Honor Stories of Courage, hosted by Gladwell, and Revisionist History, also hosted by Gladwell. And I'm a little bit envious that Gladwell thought of the Medal of Honor podcast before we did.
Starting point is 00:05:55 Those kinds of stories are like catnip to me. Oh, yeah. There have been over 3,500 recipients since President Lincoln signed the medal into existence in 1861, and there are 61 living recipients as of this summer, 2024. All of their stories are in the public domain, and each one is inspiring and jaw-dropping heroic. They are perfect for a podcast. But I've been listening to Revisionist History for years. Whenever a new episode drops, that's the first thing that I'm listening to that day. He takes a subject that everybody thinks they know, revisits it, and completely blows your mind with another version of the story. His rant about how taxpayers fund private golf
Starting point is 00:06:36 courses on city land that the public can't use will make you think twice about the late great comedian Bob Hope. His screed about college rankings and how elite schools with large endowments have no interest in public education and diversity will make you weep for the country. His six-part series on gun control will make you realize that all the efforts to restrict automatic weapons and magazine sizes that have thus far failed to get through in the U.S. Congress would probably have little effect on reducing the damage caused anyway. And his current series on the run-up of the United
Starting point is 00:07:11 States' participation in the 1936 Olympics in Nazi Germany may provide some insight into America's modern-day flirtation with its own version of fascism, former President Trump's version of how he wants to run the government. See what I did there? I slyly threw in my opinion about the upcoming United States presidential election, hoping you wouldn't notice. I guess you know where I stand now. I'm not supposed to talk about politics in this podcast,
Starting point is 00:07:39 but allow me this one tiny digression. As Craig Ferguson, the former late night talk show host, used to say, I look forward to your angry letters. For the U.S. listeners specifically, and maybe international listeners with a passing interest in the state of democracy in the world, I'm recording this on the morning after President Biden dropped out of the 2024 U.S. presidential election. Regardless of who replaces him as the Democratic nominee, this election is unique. Normally, presidential elections are about which politician you hate or
Starting point is 00:08:11 love or about this policy or that, but in this election, those things pale to what it's really about. In this election, citizens will decide if the United States will continue to be a liberal democracy or transition to a fascist state. When you strip away everything else, that's the choice. For the American listener, then, choose wisely, grasshopper. Whichever way it goes, the result will impact generations of Americans. The reason I'm a big Gladwell fan is that he excels at blending storytelling with scientific research in an effort to make complex ideas
Starting point is 00:08:45 accessible to a wide audience. He tells the executive summary so that we mere mortals can get a glimpse, however shallow, of the underlying issues of the topic. His critics say that he oversimplifies and lacks scientific rigor. Oh no! I find that puzzling and quite amusing when, for example, he summarizes a 15-page peer-reviewed research paper on the threshold models of diffusion and collective behavior from the Journal of Mathematical Sociology. Of course, he's going to shave off some of the details and round off the corners of some of the math. That's what happens when you summarize. I think his critics are mostly bitter that Gladwell's books regularly land on bestseller lists, while their deeply researched academic
Starting point is 00:09:30 books and papers do not. In his keynote, Gladwell described two problems that most people think are normally distributed, when in fact, they are radically asymmetrically distributed: U.S. automobile pollution and COVID-19 infection causes. Let's start with car pollution. In 1966, in an effort to improve air quality, California passed the first statewide law to mandate frequent automobile emissions tests. By 2024, at least 30 states have similar laws on the books mandating that their citizens get their cars checked at least annually to ensure that they aren't spewing
Starting point is 00:10:08 dangerous toxic chemicals at unacceptable levels into the environment. According to Gladwell, these laws assume that every citizen's car is likely to do that, that every car is moments away from being a heavy polluter. But he points out that in 2024, almost 60 years after the California law went into effect, car emissions technology has improved.
Starting point is 00:10:35 Back in the 1960s, manufacturers didn't even worry about pollution. The 1963 Porsche 911, for example, only had a simple blow-by device to return unburned gases from the crankcase back to the combustion chamber. Catalytic converters weren't a universal thing yet. But in 2024, they are. Modern cars produce significantly fewer emissions due to advanced technology and stricter regulations. The chances that a modern car is spewing exhaust at unacceptable toxic levels is much smaller than the cars made in the 1960s. The problem is no longer universally distributed. According to Gladwell, that means the strategy
Starting point is 00:11:11 that worked back in the 1960s, annual exhaust checks for all cars, is probably not the most effective. He suggested that you could have the same effect by deploying exhaust detectors in conjunction with traffic light cameras deployed at key intersections, designed to identify malfunctioning technology. The strategy transforms from making everybody do something to discovering the outliers and making them do something.
Starting point is 00:11:36 The outliers in this case are the asymmetric distribution. Gladwell made a similar observation about COVID-19 transmissions. I know that nobody really wants to relive the over three years of COVID-19 pandemic lockdown that we all did from March of 2020 to May of 2024. But Gladwell was interested in the first days, when everybody was confused about what COVID-19 was and whether or not it was dangerous. I remember back in February of 2020, I had just joined the Cyber Wire, and my first official act was to represent the company at the annual RSA Security Conference in San Francisco. The World Health Organization had just declared COVID-19 as a
Starting point is 00:12:26 public health emergency of international concern just before we all arrived. All of my friends and colleagues were walking around San Francisco asking ourselves if we should really be there, mingling with the 35,000 attendees who would immediately get on planes afterward, traveling back to the four corners of the world and spreading whatever diseases they came into contact with. Gladwell's example came a month later, the Boston, Massachusetts super spreader event. Local Boston News reported that 100 people from around the world convened at the Boston Marriott Long Wharf Hotel
Starting point is 00:13:00 for a leadership conference led by the Cambridge-based company called Biogen. When they got home, those 100 people infected more than 330,000 people worldwide with COVID-19. In his keynote, Gladwell cited a preliminary MIT study that theorized many of the 100 attendees to the Biogen conference were super spreaders, individuals who infect many more people than the average person would. The study further theorized that one quality that made them super spreaders was the size of the water droplets coming out of their mouths when they breathed. Compared to an average human, their water droplets were exponentially larger. Larger water droplets could hold more virus. The bigger the virus load then in the water droplet,
Starting point is 00:13:45 the greater the chance that the already infected would infect more people. Gladwell was quick to point out that these were just theories and that more study was required. But if you assume that it's true for a second, how does that impact your pandemic survival strategy? What we did do is assume that all people were equal opportunity infectors. We assumed that the problem was universally distributed. That meant that we adopted tactics that everybody needed to do. Stay at home, wear masks if you absolutely needed to go out, and keep a safe distance from
Starting point is 00:14:16 your friends and colleagues, even if you were wearing a mask. But if you assume that infecting other humans is radically asymmetrically distributed to mostly super spreaders with overly large water droplets for breath, your strategy might be completely different. It might be to locate those super spreaders and lock them down, not everybody on the planet. I'm not saying this would have been easy, but it might have been far easier than what we did do. At the very least, we could identify those super spreaders and ask them nicely not to attend the RSA Security Conference that year. That would have been something.
Starting point is 00:15:03 At this point, you're asking yourself, how does this apply to cybersecurity? In our first principles book, I outlined how in 2021, the FBI said that approximately 5,000 U.S. organizations had self-reported that they had been compromised by some kind of hacker. Assume that there exists some five times that number who didn't self-report. Call it 25,000 then. But there are roughly 6 million organizations within the United States, like federal, state, city, county governments, academic institutions, K through college, nonprofits, and public companies.
Starting point is 00:15:38 25,000 divided by 6 million is a really small number. The chances that any U.S. organization will be materially impacted by a cyber attack is tiny. I've been working in cybersecurity for 30 years. Since the beginning, my peers and I have been treating cybersecurity as if the danger was imminent, that at any moment we would all be overrun by the hacker hordes. That's just not true. And that's our show.
Starting point is 00:16:07 Well, part of it. There's actually a whole lot more, and if I say so myself, it's all pretty great. So here's the deal. We need your help so we can keep producing the insights that make you smarter and keep you a step ahead in the rapidly changing world of cybersecurity. If you want the full show, head on over to thecyberwire.com slash pro and sign up for an account. That's thecyberwire, all one word, dot com slash pro. For less than a dollar a day, you can help us keep the lights and the mics on and the insights flowing. Plus, you get a whole bunch of other great stuff like ad-free podcasts, my favorite,
Starting point is 00:16:44 exclusive content, newsletters, and personal level of resources like practice tests. With N2K Pro, you get to help me and our team put food on the table for our families, and you also get to be smarter and more informed than any of your friends. I'd say that's a win-win. So head on over to thecyberwire.com slash pro and sign up today for less than a dollar a day. Now, if that's more than you can muster, that is totally fine. Shoot an email to pro at n2k.com and we'll figure something out. I would love to see you over here at N2K Pro. One last thing. Here at N2K, we have a wonderful team of talented people doing insanely great things to make me and the show sound good. I think it's only appropriate you know who they are.
Starting point is 00:17:33 I'm Liz Stokes. I'm N2K CyberWire's Associate Producer. I'm Trey Hester, Audio Editor and Sound Engineer. I'm Elliott Peltzman, Executive Director of Sound and Vision. I'm Jennifer Eiben, Executive Producer. I'm Brandon Karpf, Executive Editor. I'm Simone Petrella, the President of N2K. I'm Peter Kilpe, the CEO and Publisher at N2K. And I'm Rick Howard. Thanks for your support, everybody.
Starting point is 00:18:00 And thanks for listening. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact. Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
