CSO Perspectives (Pro) 8.5.24
Ep 117 | 8.5.24

Cybersecurity is radically asymmetrically distributed.

Transcript

Rick Howard: Hey, everybody, Rick here. Let's start with this, cybersecurity is radically asymmetrically distributed. I first heard of this idea from an unusual source, Malcolm Gladwell, the famous author and podcast host. He gave one of the keynotes at the 2023 Google Mandiant mWISE Conference in Washington, DC. And you may be rightfully asking yourself, what does a world-renowned author and podcast host, whose expertise is in the ballpark of the social sciences, know about the world of cybersecurity, and why was he presenting the keynote at one of the infosec profession's flagship conferences? I'm glad you asked. I think mostly it was because Google paid him to do it.

Rick Howard: That said, he brought an original idea that I had never considered, or at least he crystallized an idea that had been bouncing around in my head since we started writing our First Principles book back in 2022. His idea was that most of us believe that the problems we are all trying to solve in our daily lives are normally distributed to everyone, that things like climate change, nuclear accidents, and the most effective ways to water our lawns impact everybody equally, when he suspects that some problems are asymmetrically distributed. In many cases, they are radically asymmetrically distributed. He said that he appreciated the humor of a non-cybersecurity expert like him coming into a room filled with cybersecurity experts like us and suggesting not only a new idea but perhaps a revolutionary way to approach the problem of cybersecurity. With that big caveat, he said that he thought cybersecurity was a radically asymmetrically distributed problem. Well, now, that seems interesting, since the entire purpose of our First Principles book was to talk about cybersecurity strategies and tactics. Does understanding and believing that cybersecurity is a radically asymmetrically distributed problem change the strategies that we might choose? Gladwell seems to think so. Let's find out. So hold on to your butts. >> Hold on to your butts, butts, butts. This is going to be fun. [ Music ]

Rick Howard: My name is Rick Howard, and I'm broadcasting from the N2K CyberWire's Secret Sanctum Sanctorum Studios located underwater somewhere along the Patapsco River near Baltimore Harbor, Maryland, in the good old US of A. And you're listening to CSO Perspectives, my podcast about the ideas, strategies, and technologies that senior security executives wrestle with on a daily basis. For those that don't know, I am a huge fanboy of Malcolm Gladwell. He's the best-selling author of books like The Tipping Point, Blink, Outliers, Talking to Strangers, and The Bomber Mafia, which is my all-time favorite. It's about the US Army Air Corps' glorious quest to make warfare less murderous in the transition between World War I and World War II. The men behind the effort spectacularly failed, but boy did they give it a try. Gladwell is also the cofounder of Pushkin, an audio production company similar to N2K CyberWire in that Pushkin hosts a network of podcasts. Out of the 44 that Pushkin publishes, my favorites are Against the Rules, hosted by Michael Lewis of Moneyball, Medal of Honor: Stories of Courage, hosted by Gladwell, and Revisionist History, also hosted by Gladwell. And I'm a little bit envious that Gladwell thought of the Medal of Honor podcast before we did. Those kinds of stories are like catnip to me.

Rick Howard: There have been over 3,500 recipients since President Lincoln signed the medal into existence in 1861, and there are 61 living recipients as of this summer, 2024. All of their stories are in the public domain, and each one is inspiring and jaw-droppingly heroic. They are perfect for a podcast. But I've been listening to Revisionist History for years. Whenever a new episode drops, that's the first thing that I'm listening to that day. He takes a subject that everybody thinks they know, revisits it, and completely blows your mind with another version of the story. His rant about how taxpayers fund private golf courses on city land that the public can't use will make you think twice about the late great comedian Bob Hope. His screed about college rankings and how elite schools with large endowments have no interest in public education and diversity will make you weep for the country. His six-part series on gun control will make you realize that all the efforts to restrict automatic weapons and magazine sizes that have thus far failed to get through the US Congress would probably have little effect on reducing the damage caused anyway. And his current series on the run-up to the United States' participation in the 1936 Olympics in Nazi Germany may provide some insight into America's modern-day flirtation with its own version of fascism, former President Trump's version of how he wants to run the government. See what I did there?

Rick Howard: I slyly threw in my opinion about the upcoming United States presidential election, hoping you wouldn't notice. I guess you know where I stand now. I'm not supposed to talk about politics in this podcast, but allow me this one tiny digression. As Craig Ferguson, the former late-night talk show host, used to say. >> I look forward to your angry letters.

Rick Howard: For the US listeners specifically and maybe international listeners with a passing interest in the state of democracy in the world, I'm recording this on the morning after President Biden dropped out of the 2024 US presidential election. Regardless of who replaces him as the Democratic nominee, this election is unique. Normally presidential elections are about which politician you hate or love or about this policy or that. But in this election, those things pale next to what it's really about. In this election, citizens will decide if the United States will continue to be a liberal democracy or transition to a fascist state. When you strip away everything else, that's the choice. For the American listener then, choose wisely, grasshopper. Whichever way it goes, the result will impact generations of Americans. The reason I'm a big Gladwell fan is that he excels at blending storytelling with scientific research in an effort to make complex ideas accessible to a wide audience.

Rick Howard: He tells the executive summary so that we mere mortals can get a glimpse, however shallow, of the underlying issues of the topic. His critics say that he oversimplifies and lacks scientific rigor. >> Oh no! I find that puzzling and quite amusing. When, for example, he summarizes a 15-page peer-reviewed research paper on the threshold models of diffusion and collective behavior from the Journal of Mathematical Sociology, of course he's going to shave off some of the details and round off the corners of some of the math. That's what happens when you summarize. I think his critics are mostly bitter that Gladwell's books regularly land on bestseller lists while their deeply researched academic books and papers do not. In his keynote, Gladwell described two problems that most people think are normally distributed when in fact they are radically asymmetrically distributed, US automobile pollution and COVID-19 infection causes. Let's start with car pollution.

Rick Howard: In 1966, in an effort to improve air quality, California passed the first statewide law to mandate frequent automobile emissions tests. By 2024, at least 30 states have similar laws on the books mandating that their citizens get their cars checked at least annually to ensure that they aren't spewing dangerous toxic chemicals at unacceptable levels into the environment. According to Gladwell, these laws assume that every citizen's car is likely to do that, that every car is moments away from being a heavy polluter. But he points out that in 2024, almost 60 years after the California law went into effect, car emissions technology has improved. Back in the 1960s, manufacturers didn't even worry about pollution. The 1963 Porsche 911, for example, only had a simple blow-by device to return unburned gases from the crankcase back to the combustion chamber. Catalytic converters weren't a universal thing yet. But in 2024, they are. Modern cars produce significantly fewer emissions due to advanced technology and stricter regulations. The chances that a modern car is spewing exhaust at unacceptable toxic levels are much smaller than for cars made in the 1960s. The problem is no longer universally distributed. According to Gladwell, that means the strategy that worked back in the 1960s, annual exhaust checks for all cars, is probably not the most effective. He suggested that you could have the same effect by deploying exhaust detectors in conjunction with traffic light cameras deployed at key intersections, designed to identify malfunctioning technology.

Rick Howard: The strategy transforms from making everybody do something to discovering the outliers and making them do something. The outliers in this case are the asymmetric distribution. Gladwell made a similar observation about COVID-19 transmissions. I know that nobody really wants to relive the over three years of COVID-19 pandemic lockdown that we all did from March of 2020 to May of 2024. But Gladwell was interested in the first days, when everybody was confused about what COVID-19 was and whether or not it was dangerous. I remember back in February of 2020, I had just joined the CyberWire and my first official act was to represent the company at the annual RSA Security Conference in San Francisco. The World Health Organization had just declared COVID-19 a public health emergency of international concern just before we all arrived. All of my friends and colleagues were walking around San Francisco asking ourselves if we should really be there mingling with the 35,000 attendees who would immediately get on planes afterward traveling back to the four corners of the world and spreading whatever diseases they came into contact with. Gladwell's example came a month later: the Boston, Massachusetts, super spreader event. Local Boston news reported that 100 people from around the world convened at the Boston Marriott Long Wharf hotel for a leadership conference led by the Cambridge-based company called Biogen. When they got home, those 100 people infected more than 330,000 people worldwide with COVID-19. In his keynote, Gladwell cited a preliminary MIT study that theorized many of the 100 attendees at the Biogen conference were super spreaders -- individuals who infect many more people than the average person would. The study further theorized that one quality that made them super spreaders was the size of the water droplets coming out of their mouths when they breathe.

Rick Howard: Compared to an average human, their water droplets were exponentially larger. Larger water droplets could hold more virus. The bigger the virus load then in the water droplet, the greater the chance that the already infected would infect more people. Gladwell was quick to point out that these were just theories and that more study was required. But if you assume that it's true for a second, how does that impact your pandemic survival strategy? What we did do was assume that all people were equal opportunity infectors. We assumed that the problem was universally distributed. That meant that we adopted tactics that everybody needed to do: stay at home, wear masks if you absolutely needed to go out, and keep a safe distance from your friends and colleagues even if you were wearing a mask. But if you assume that infecting other humans is radically asymmetrically distributed to mostly super spreaders with overly large water droplets for breath, your strategy might be completely different. It might be to locate those super spreaders and lock them down, not everybody on the planet. I'm not saying this would've been easy, but it might've been far easier than what we did do. At the very least, we could identify those super spreaders and ask them nicely not to attend the RSA Security Conference that year. That would've been something. [ Music ]

Rick Howard: At this point, you're asking yourself, how does this apply to cybersecurity? In our First Principles book, I outline how, in 2021, the FBI said that approximately 5,000 US organizations had self-reported that they had been compromised by some kind of hacker. Assume that some five times that number didn't self-report, call it 25,000 then, but there are roughly 6 million organizations within the United States like federal, state, city, and county governments, academic institutions K through college, nonprofits, and public companies. 25,000 divided by 6 million is a really small number. The chances that any US organization will be materially impacted by a cyber-attack are tiny. I've been working in cybersecurity for 30 years. Since the beginning, my peers and I have been treating cybersecurity as if the danger was imminent, that at any moment we would all be overrun by the hacker hordes. That's just not true. The news headlines that we read every day make us think that, but the numbers don't support the assertion. That's the first piece of evidence that cybersecurity is a radically asymmetrically distributed problem. It's hardly distributed at all. The second piece of evidence comes from our risk forecasting friends at Cyentia and their 2022 Information Risk Insights Study called "A Clear Vision of Assessing the Risk of Cyber Incidents." In the report, they show that out of the 20 business sectors tracked by the North American Industry Classification System, the top three -- healthcare, financial, and professional -- accounted for 41% of the publicly known incidents in 2022. The other 17 were all in single digits. At the bottom of the list are agriculture, mining, and utilities. Those verticals had less than a 1% chance of getting hit by a cyber-attack. Clearly, the bottom three sectors have way less to worry about than the top three. If that isn't the textbook example of Gladwell's radically asymmetrically distributed problem idea, I'll eat my hat. >> Oh, yeah. Now, that's only two data points, but it's enough to make me at least lean into the idea that cybersecurity is a radically asymmetrically distributed problem.

Rick Howard: If we do the thought experiment and assume it's completely true, then does that fact change the strategies we might use to reduce the probability of material impact due to a cyber-attack? When we thought cybersecurity was universally distributed and our chances of suffering a material cyber-attack campaign were the same as everybody else's, preventative first principle strategies like zero-trust, intrusion kill chain prevention, automation, and workforce development were on the table. The question then is, are those strategies still on the table in a world where your organization is not likely to get hit by a cyber-attack at all? Now, I'm not saying that the threat of a cyber-attack isn't real and that you shouldn't worry about them. The truth is that for those 25,000 victims from the FBI study I mentioned before, those cyber-attack campaigns were devastating to them. Some of them could've been company killers. They are "black swan" events -- a phrase made popular by Nassim Nicholas Taleb in his 2007 book, The Black Swan: The Impact of the Highly Improbable. They are risks that are not likely to happen, but if they do, they are catastrophic.

Rick Howard: My favorite black swan example is the risk scenario of a planet killer meteor hitting the Earth. The chance of that happening is pretty small, but we don't want to ignore the risk. If it ever does happen, it will likely end the human race. Options on the table for reducing the probability of a meteor ending the human race are preventative, like launching nuclear missiles at the meteor in an effort to deflect it away from the Earth, as depicted in the 1998 movie Deep Impact starring Robert Duvall and Elijah Wood, which, by the way, failed to deflect the meteor, and almost everybody on Earth died. Spoiler alert. Or redundancy, like installing a human colony on Mars so that if a meteor ever does take out the Earth, the human race will continue to survive on another planet, as depicted in the 1990 movie Total Recall, starring Arnold Schwarzenegger, Sharon Stone, and the fabulous Michael Ironside. If the chances of a planet killer hitting the Earth were high, the human race might spend a lot of resources on preventative measures. But since the probability is low, just to cover our bets, we might spend some resources on establishing a Mars colony. And that's the entire point of discussing this radically asymmetrically distributed problem idea and how it applies to cybersecurity. If you're in the top three verticals from the Cyentia study, it makes sense to deploy one or more preventative strategies.

Rick Howard: The chances that you will be targeted by some hacker adversary campaign are high. And spending your resources in terms of the people, process, technology triad will have a direct impact on reducing the probability of material impact. But if you're in the bottom three sectors, those same preventative strategies will cause you to spend a lot of resources on something that's not likely to happen and will have little impact on reducing the probability of material impact. I mean, would it be worth it to spend all those resources to reduce the probability from 0.2% to 0.1%? I can think of better ways to spend that money. For those verticals, where the outside-in risk forecast of a material cyber event is already extremely low, the best first principle strategy to pursue is probably resilience. And remember, outside-in risk forecasting is calculating the risk for the general population. What are the chances that any organization will get hit with a material cyber event? That's what the Cyentia numbers show. We don't want to waste resources on preventing something that will not likely happen in the first place. But we may want to spend some resources on surviving the event if it does. According to our First Principles book, those organizations should be looking at resilience tactics like backups, encryption, crisis planning, incident response, business continuity, and chaos engineering. [ Music ]

Rick Howard: I was so thrilled to see one of my favorite authors and podcast hosts, Malcolm Gladwell, in person. But I was completely blown away that he came into the lion's den of cybersecurity experts with a new idea that none of us had thought about before. Although more evidence is probably needed to prove the point, I have a strong hunch that Gladwell's hypothesis -- that cybersecurity is a radically asymmetrically distributed problem -- is true. If it is, then the strategies that we choose to protect our organizations from a material cyber event will depend on which end of the spectrum of outside-in risk forecasting we fall on. If the probability is high, then traditional first principle strategies like zero-trust, intrusion kill chain prevention, automation, and workforce development are still on the table. If the probability is low, then the first principle resilience strategy will likely have the most impact. [ Music ] And that's a wrap. I'd like to thank our media partner friends over at Mandiant and Google for inviting N2K CyberWire over to their mWISE Conference last year so that I could meet one of my favorite author/podcast heroes, Malcolm Gladwell. That was a dream come true for me.

Rick Howard: CSO Perspectives is brought to you by N2K CyberWire. You can find us on the web at thecyberwire.com. And for this episode, I've added some helpful links in the Show Notes to help you do more of a deep dive if that strikes your fancy. And don't forget to check out our book, Cybersecurity First Principles: A Reboot of Strategy and Tactics, that we published in 2023. Radically asymmetrically distributed problems, the topic for today's podcast, will likely have a direct impact on Chapter 6, Risk Forecasting. And by the way, we'd love to know what you think of our show. Your feedback ensures we deliver the insights that keep you a step ahead in the rapidly changing world of cybersecurity. If you liked the show, please share a rating and review in your podcast app. And if that's too hard, you can fill out the survey in the Show Notes or send an email to CSOP@N2K.com. We're privileged that N2K CyberWire is part of the daily routine of the most influential leaders and operators in the public and private sector, from the Fortune 500 to many of the world's preeminent intelligence and law enforcement agencies. N2K makes it easy for companies to optimize your biggest investment, your people. We make you smarter about your teams while making your teams smarter. Learn how at N2K.com. One last thing. Here at N2K, we have a wonderful team of talented people doing insanely great things to make me sound good. I think it's only appropriate that you know who they are.

Liz Stokes: I'm Liz Stokes. I'm N2K CyberWire's associate producer.

Tré Hester: I'm Tré Hester, audio editor and sound engineer.

Elliott Peltzman: I'm Elliott Peltzman, executive director of sound and vision.

Jennifer Eiben: I'm Jennifer Eiben, executive producer.

Brandon Karpf: I'm Brandon Karpf, executive editor.

Simone Petrella: I'm Simone Petrella, the president of N2K.

Peter Kilpe: I'm Peter Kilpe, the CEO and publisher at N2K.

Rick Howard: And I'm Rick Howard. Thanks for your support, everybody. And thanks for listening.