CSO Perspectives (Pro) 1.23.23
Ep 96 | 1.23.23

Students of the game.


 Rick Howard: Hey, everybody. 


Vincent Martella: (As Phineas Flynn, singing) We're back... 

Unidentified Actors: (As characters, singing) We're back. 

Vincent Martella: (As Phineas Flynn, singing) ...In our own backyard. 

Rick Howard: We are back. Welcome to 2023. I trust that your holidays were calm, that Santa brought you and yours all the toys that you desired, and you are filled with vigor to start the new year. While you were relaxing with your family and your crazy Uncle Kevin during the holidays, we had the interns down in the bowels of the sanctum sanctorum working on the next "CSO Perspectives" season. We've got some doozies prepared for you. We're going to talk about chaos engineering, the current state of cyberthreat intelligence, practical implementations of zero trust, the emergence of SSE - that's security service edge - to replace SASE - secure access service edge - the CIO-CISO relationship, the emerging, new job for security vendors called the field CSO and the history of cybersecurity first principles. 


Steve Winterfeld: Really? More history, Rick? 


Rick Howard: That was Steve Winterfeld, the Akamai advisory CISO and the Al Borland to my Rick the Toolman. He'll be returning again this season, as well as the regular Hash Table subject-matter experts, but regular listeners will know that Steve hates it every time I roll a history lesson into one of these shows. So basically, I just do it to annoy him. You're welcome, Steve. 


Tim Allen: (As Tim Taylor) Oh, yeah (laughter). 

Rick Howard: But for this show, we're going to review the books, podcasts and other content that we all found valuable in 2022 and will likely use in 2023. So hold on to your butts. 


Samuel L Jackson: (As Ray Arnold) Hold on to your butts. 

Rick Howard: This is going to be fun. 

Rick Howard: My name is Rick Howard, and I'm broadcasting from the CyberWire's secret sanctum sanctorum studios, located underwater somewhere along the Patapsco River near Baltimore Harbor, Md., in the good old U.S. of A. And you're listening to "CSO Perspectives," my podcast about the ideas, strategies and technologies that senior security executives wrestle with on a daily basis. 


Rick Howard: You're listening to the Raiders theme created by Sam Spence in 1966 and used by NFL Films for their football highlights TV show called, amazingly, "NFL Films Presents," which is appropriate because I got the idea for this Students of the Game episode after watching the ESPN documentary "Man In The Arena" about the greatest American football quarterback of all time, Tom Brady. Now, I'm not a sports guy at all, but even people like me who have trouble walking and chewing gum at the same time can appreciate the dedication and endurance of this guy. At the time of this writing, Brady is a 45-year-old NFL quarterback playing in a league where most quarterbacks retire before they are 35. He has won seven Super Bowl rings playing for two different teams, the New England Patriots and the Tampa Bay Buccaneers. That's extraordinary. 

Rick Howard: One of the keys to his success - and there are many - is that he studies the game. He doesn't just attend practice during the week and then roll out to the stadium each Sunday to play. He analyzes what the other teams and players are doing constantly. Brady says he watches opponent game film 4 to 5 hours a day. That's dedication and a good example for the rest of us regarding how to stay on top of our own particular games. Like Brady, we need to be students of the cybersecurity game. 

Rick Howard: I've said for years that the reason I love cybersecurity so much is because it's never boring. It's constantly changing. I love the implications of that, the persistent element of always having to learn something new. It keeps the job exciting. No offense to tollbooth operators - a great job for a decent wage - but doing the exact same thing 8 hours a day every day would drive me bonkers. I'm just not wired that way. On the flip side, I have also said that the thing I hate about cybersecurity is that it's never boring. It's constantly changing. It's almost impossible to stay current on all the latest developments, new ideas and the retirement of old ideas. Because of that, most security professionals are constantly seeking and consuming some kind of cybersecurity content to help them be better at their jobs, like Tom Brady. Where I diverge from Mr. Brady is his myopic focus on only football. And I hear what you're saying. Rick, didn't you just say that one of the reasons that Tom Brady is the GOAT of all NFL quarterbacks is his singular focus on the study of the game? Well, you got me there. 


Tim Allen: (As Tim Taylor) Oh, no. 

Rick Howard: But I'm not trying to be the GOAT of cybersecurity. I'm trying to be good enough at a lot of things. Looking back over my career, I've found that anybody in this business who only consumes information about cybersecurity lives in a small world. There are other topics to consider that will widen your aperture on different points of view and, in turn, will make you a better security professional. To quote Robin Williams in the old Apple commercial and the movie "Dead Poets Society..." 


Robin Williams: (As John Keating) Medicine, law, business, engineering - these are noble pursuits and necessary to sustain life. But poetry, beauty, romance, love - these are what we stay alive for. 

Rick Howard: Which begs the question, what content are we all consuming to make us better security professionals, make us better humans and at the same time will bring a little joy to our lives? For me, I typically use books and podcasts. I generally listen to the material first. And then if I thought it was particularly interesting, I will go back and actually read the book in my Kindle app or read the podcast transcript to study it. I use the Kindle app for books because it allows me to highlight passages and export them when I'm taking notes. And for those interested, I use a program called Evernote for my note taker. There are lots of note-taker apps out there, but I started using Evernote over a decade ago. Everything that I think is important to remember is in there. It acts as the Howard brain hard drive for business and for my personal life. 

Rick Howard: As a student of the cybersecurity game, for me, it really helps if I take a moment and write a sentence or two about the podcast or book that I just consumed. That act helps me remember the important parts, unlike my better half, who reads way more books than I do each year but doesn't retain much of the information within. Sometimes, she's reading a book, gets halfway through and says, hey, I think I've read this before. But she's doing it for entertainment only. When you're a student of the game, the point is to remember the important parts. 

Rick Howard: My daughter is another ravenous book reader. She and I have a rating system for books that we read together. Five stars means that we know we will likely read the book again sometime in the future. Four stars - we will recommend the book to everybody. Three stars is we like it and will likely recommend the book to some people. Two stars is we didn't like it, and one star - we closed the book before we finished reading it. Hey, life is too short to read bad books. For all of the material I'm covering here, I have rated each four stars or better. 

Rick Howard: Let's start with the best cybersecurity books that I read last year. The first one on my list is "Tracers in the Dark: The Global Hunt for the Crime Lords of Cryptocurrency" by Andy Greenberg. This is the best cybercrime book I've read in the past 10 years. I interviewed Andy about his book in the last season. Here's what he had to say about the book. 


Andy Greenberg: The story of this book is about how, over the last decades, it slowly became apparent that bitcoin is incredibly traceable, that it is actually far more traceable, once you know kind of, like, how to crack the code of the blockchain bitcoin addresses, than even the traditional financial system. And a small group of detectives, who are really the main characters of this book, figured this out first in the sort of research world, then the tech industry, then law enforcement. And this group kind of went on a - just a spree of one massive cybercriminal takedown after another, each one bigger than the last, that, you know, kind of still is persisting to this day. 

Rick Howard: The next cybersecurity book I want to recommend is "This Is How They Tell Me the World Ends: The Cyberweapons Arms Race" by Nicole Perlroth. Perlroth's book is everything that you ever wanted to know about the software exploitation market but were afraid to ask. Admittedly, I may be a bit biased about this one. I used to buy software exploits when I worked for the government, and I sold exploits to the government when I ran a commercial cyber intelligence shop back in the day. After a 30-year career, in hindsight, I don't think I would do that again, and Perlroth explains why. There is also an account of the Chinese government's infiltration of the Google networks back in 2010 - to my knowledge, the only detailed account of the incident in public besides the Google version - and the catalyst to Google for redesigning their security architecture to fully incorporate the zero-trust philosophy. There is also a detailed account of the NSA's Project GUNMAN, the 1984 classified, six-month operation to remove every single piece of electrical equipment from the U.S. embassy in Moscow, bring it back to Fort Meade for examination and replace it with equipment the agency can guarantee wasn't bugged. 


Nicole Perlroth: A zero-day is just a vulnerability in some code. So let's just use the example of your iPhone. If I, a hacker, find an error in your iPhone's iOS software and I know how to exploit it - that is, I know how to write the code that could be used to read your text messages or turn on the audio on your iPhone or record your camera without you knowing - that kind of thing - or track your location, I have a choice. I can call Apple and say, hi, I'm a hacker. I just found a major zero-day in your iOS software. And Apple can patch that and roll it out in your software updates. Or, these days, I can sell it to a government agency, a spy agency or one of their brokers. And the going rate for that capability, the ability to access your iPhone remotely, is $2.5 million in the U.S. and $3 million if I want to sell it to the United Arab Emirates or Saudi Arabia. This is good money that I can get from selling it to government players whose interest is not in telling Apple, hey, fix this zero-day. It's, I'm going to use this for espionage. 

Rick Howard: The next cybersecurity book from 2022 I want to recommend is "Superforecasting: The Art and Science of Prediction" by Philip Tetlock and Dan Gardner. I reread this book preparing for the risk-forecasting series I did in Season 10. It's even better than I remembered. The first time I read it, around 2017, Tetlock and Gardner convinced me it was possible to forecast highly complex questions like, what is the probability of material impact to my organization due to a cyber event? But I couldn't figure out how to make it work in any practical sense. On this reading, five years later, I finally got it. Combining superforecasting techniques with Fermi estimates and Bayes' rule is the way to go. If you're just dipping your toes into the risk forecasting arena, Tetlock and Gardner's book is a good place to start. If you're a veteran of the risk forecasting discipline and you haven't read this yet, you have a hole in your education. It's a candidate book for the Cybersecurity Canon project already, and I fully expect it to be inducted into the Hall of Fame at some point. Here's Dan Gardner speaking to a group from the Office of the Director of National Intelligence, ODNI, talking about what makes a forecaster super. 


Dan Gardner: You might think it's because they're super specialized, right? These are people who just - they're the world's leading experts on whatever the ODNI happen to be asking about. Nope, not true. Not true. And we know that in part because the ODNI ask questions about all sorts of different subjects, some in economics, some in politics, and questions from all over the world. These people were consistently good in all those different domains. These people, in fact, are pretty much ordinary folks. One of the superforecasters I profile in the book, Bill Flack - he lives in a small town in Nebraska. He's semi-retired. He used to work for the Department of Agriculture. His job mainly consisted of putting drainage ditches in the ground. And he's one of the world's greatest geopolitical forecasters. 

Rick Howard: The next cybersecurity book I want to recommend from 2022 is "Spies, Lies, and Algorithms: The History and Future of American Intelligence" by Amy Zegart. Full disclosure, Dr. Zegart is a friend of mine. When I heard that she had published this book, I couldn't wait to get my hands on it. Her thesis is that most Americans have no clue about how the U.S. intelligence community - or the IC, as the cool kids call it - conducts business or even whether or not the IC is succeeding. IC leaders are so worried about protecting sources and methods that there is no room for a discussion of strategic objectives in the public sphere. For Dr. Zegart, that means there is no way for outside organizations, like academia, to help. I would be more blunt. I would say that there is no way for the public to hold them responsible for their actions. She says that one of the reasons she wrote the book is that she discovered that her students were so ill-informed that they got most of their ideas about how the IC works from TV shows and movies. Her course and this book cover the history of American intelligence, starting all the way back to General Washington and the Revolutionary War, up to the modern day. 


Steve Winterfeld: Really? More history, Rick? 


Rick Howard: But until the conclusion of World War II, the U.S. didn't have a permanent intelligence capability. That changed when President Truman signed into law the creation of the CIA, the Central Intelligence Agency. Dr. Zegart isn't shy, either, about covering the mistakes the CIA has made over the years, like the failure to predict 9/11 and the incorrect prediction that Iraq had WMD, weapons of mass destruction. Her criticism comes from a stern but gloved hand, though, compared to the bare-knuckled takedown by Tim Weiner in his book, "Legacy of Ashes: The History of the CIA." According to Weiner, the CIA was a clown car for its 40 years by overthrowing third-world governments and conducting sanctioned executions authorized by Presidents Eisenhower, Kennedy, Nixon, and Ford, with little to no oversight about what they were doing and why they were doing it. In Dr. Zegart's book, though, she explains counterintelligence, covert action, congressional oversight, using open-source intelligence to assess the nuclear threat and cyber. And I was pleased to see that she recommends Tetlock and Gardner's superforecasting techniques as a way to improve the IC's batting average for predicting the next thing. It's well worth the read. 


Amy Zegart: The book actually started in a classroom. I was teaching a class at the time at UCLA where I was on the faculty. And I was polling my students about where they got information about intelligence, what they knew about intelligence. And I found that most of them didn't know anything about intelligence. And what they learned they learned from the movies. And I found statistically significant correlations between those people who viewed a lot of spy-themed entertainment and their attitudes towards intelligence issues of the day, like waterboarding or NSA warrantless surveillance. And so what I really wanted to do was write an intelligence 101, a book that could reveal the facts of the intelligence business for not only students but their parents and policymakers and the general public. And I ended up also writing a book that I hope will convey intelligence 2.0. And what I mean by that is how emerging technologies are fundamentally challenging every aspect of the intelligence enterprise. 

Rick Howard: The next cybersecurity book from 2022 I liked is "The Cybersecurity Path: Insider Advice to Navigate a Successful Career in Security from Beginning to End," by Helen Patton. Helen is another friend of mine, a regular visitor to the CyberWire Hash Table, and she has just recently stepped down as the Cybersecurity Canon's committee chair. Since most of the things that I read on cybersecurity tend toward the high-level technical issues of the day, I was pleased to find this book of wisdom that would actually help the people in the trenches who work, struggle and thrive in the InfoSec community today. I'm so glad that she wrote this book. I have had hundreds of conversations over the years with newbies trying to break into the field, mid-career professionals seeking advice and senior leaders comparing notes about navigating the rough waters of the InfoSec community. At the end of all those sessions, I always said to myself, I should write some of this stuff down. Well, that's no longer an issue. Helen has done it for us. She explains, in articulate detail, the habits, traits and best practices that we should all follow to be the best security professionals we can be. 

Rick Howard: The next cybersecurity book that I read and liked in 2022 is "Project Zero Trust: A Strategy for Aligning Security and the Business" by George Finney. I know this sounds like a broken record, and at the risk of being accused of nepotism, George is also a friend of mine. Hey, don't blame me. I have a bunch of smart friends. And a lot of them like to write books. As you all know, zero trust is one of my first-principle strategies. When I heard that George published a book on the topic and then he got John Kindervag, the father of zero trust, to write the foreword, I knew it was going to be good. And I immediately dove in. 

Rick Howard: But I had a bit of trepidation. George is one of the smartest cybersecurity practitioners on the planet. I was worried that he and I might not characterize zero trust in the same way. And that wouldn't be good. That would likely mean that I was barking up the wrong tree, and I would have to start over. Thankfully, George and I are almost completely aligned. And what makes his book unique is he followed the model of previous technical writers who wanted to reach a wider audience by creating a novel as a vehicle to express the tactical issues he wanted to cover. This puts him in the same category as Gene Kim and his book "The Phoenix Project: A Novel about IT, DevOps and Helping Your Business Win," and Eliyahu Goldratt and his book, "The Goal: A Process of Ongoing Improvement." 


George Finney: Zero trust, at its heart, is a strategy. It's a strategy for preventing or containing breaches by removing the trust relationships we have with digital systems. But what is the strategy for? The strategy is for the human beings in the organization to figure out how to work together well enough to achieve that strategy. 

Rick Howard: If you're still struggling with the concept of zero trust, this book is for you. The next cybersecurity book that I read and liked in 2022 is "The Theory That Would Not Die: How Bayes' Rule Cracked the Enigma Code, Hunted Down Russian Submarines and Emerged Triumphant from Two Centuries of Controversy" by Sharon McGrayne. Finally, here's a book not written by one of my friends. And it's another one that I read to prepare for the risk forecasting series I did in Season 10. McGrayne did a Google talk in 2014 if you want the Reader's Digest version. Bayes' rule is the mathematical foundation that allows us to use superforecasting techniques and Fermi estimates to calculate the probability of material impact to our organizations due to a cyber event with enough precision to make resource decisions. 

Rick Howard: The basic concept is that a forecaster makes an estimate of the initial probability. We call that the prior. Then we collect new evidence in the form of outside-in analysis, statistics on the general purpose question - like, what is the probability that any company will be materially impacted by a cyber event? - and adjust the initial estimate up or down with this new information. Then we do an inside-out analysis of our own organization around how well we implement our first-principle strategies and adjust the assessment up or down again. As we gain new evidence, we repeat the process. That's how Bayes' rule works. McGrayne's book is a delightful history of the theory's evolution from creation to modern day, its successes and failures and blood feuds between mathematicians over the years. I highly recommend it if this subject intrigues you. And it should. Risk forecasting is something that we should all be comfortable with. 


Sharon McGrayne: Today, I want to talk to you about how you all are real revolutionaries. You're participants in a remarkable, almost overnight revolution about a very fundamental scientific issue - how you deal with evidence, how you deal with data, how you evaluate the evidence and measure the uncertainties involved, update it as new knowledge rises and then, hopefully, change minds in light of the new data. 

Rick Howard: The next and the last cybersecurity book on my list from 2022 is the novel "The Rose Code" by Kate Quinn. It's a historical fiction story set during World War II at Bletchley Park, the British codebreaking facility where Alan Turing and other brilliant minds worked to crack the German Enigma code. Turing even makes a cameo appearance. I love that. Through fiction, Quinn tells the story of the 10,000 real women - about three-quarters of the total workforce in real life - who worked at Bletchley Park during the war. There's romance, intrigue and, of course, Alan Turing. It feels like Quinn wrote the story specifically for me. 

Rick Howard: I've been working at the CyberWire now for almost three years. I guess that makes me a professional podcaster. I would be remiss if I didn't include my favorite cybersecurity podcast for this episode. Besides this podcast, "CSO Perspectives," the best podcast of all time... 


Tim Allen: (As Tim Taylor) Oh, yeah. 

Rick Howard: ...Here is my list of favorite cybersecurity podcasts of 2022. The first is another podcast that I work on. It's called "Word Notes." It's just a little weekly, five-minute show that attempts to explain the word salad that is inherent in the cybersecurity industry. And because I'm a nerd, I try to link the word to some kind of pop culture. I have to tell you, we went over 100 episodes last year. And I have learned more technical details about how cybersecurity stuff works working on this show than I did in my entire 30-year career. If you want a quick hit on words and phrases like secure service edge, identity and access management and DMARC, just to name three, this is your show. 


Rick Howard: The word is AES - spelled A for advanced, E for encryption, and S for standard. 

Rick Howard: The next one is called "CyberWire-X." Dave Bittner and I co-host it. A sponsor throws a current topic on the CyberWire Hash Table, and Dave and I bring in subject matter experts to discuss. It's a freewheeling conversation and a lot of fun to listen to. 


Rick Howard: Hey, everyone. Welcome to "CyberWire-X," a series of specials where we highlight important security topics affecting security professionals worldwide. I'm Rick Howard. 

Rick Howard: The next one is called "Hacking Humans Goes to the Movies." Dave and I started doing this for fun back in 2021. We take a movie or a TV show that has some sort of con man scheme going on, play the clip, and then discuss the social engineering aspect of what they did. So far, we have covered "The Simpsons," "The Sting," "Key and Peele" and "Sneakers," just to name four. It's a lot of fun - I can't believe they pay me money to do that show - and you might learn a thing or two in the process. Also, we are always on the lookout for new clips to play. If you have any suggestions, send them to CSOP@thecyberwire.com, and we will try to get them on the show. 


Amanda Fennell: Rick, I don't know what your first takeaway is, but my first one is that it's always about the emotion and the acting that takes place, that - in order to pull on those heartstrings. 

Rick Howard: Well, the - what got me was Emma Stone, who - can I say this on a public podcast? She's looking fine, OK? 

Amanda Fennell: I know. 

Dave Bittner: (Laughter). 

Rick Howard: Right? 

Amanda Fennell: She's - I girl crush on her. 

Dave Bittner: She's easy on the eyes, yeah. 

Amanda Fennell: Yeah, yeah. 


Rick Howard: And she's on her hands and knees... 

Amanda Fennell: I know. 

Rick Howard: ...As the gas station attendant walks out. OK, that's an easy mark in my mind. OK? 

Dave Bittner: (Laughter). 

Amanda Fennell: Wearing a pair of Christian Louboutin shoes, by the way. I saw the red-bottomed soles. 

Rick Howard: My next favorite cybersecurity podcast of 2022 is the "CyberWire Daily." With Dave Bittner as the host, this is the CyberWire's flagship podcast. It's short and provides an update on the major cybersecurity news items of the day. I started listening to this podcast years before I started working here as my sole source of news. It's still the first thing I listen to every morning. 

Rick Howard: Outside of the CyberWire, I want to mention two more podcasts that I thought were particularly good. The first is "Risky Business" with hosts Patrick Gray and Adam Boileau. This is another news program that I've been listening to for years. This one is weekly. The two hosts go into a lot more detail than Dave does on "The Daily," and that contributes to the one criticism I have for the show. It tends to run a bit long. That said, the content is always top-notch. The second outside podcast is "The Lazarus Heist," a limited run podcast - 11 episodes - almost like a short book but with music and interviews about the lead up and execution of the North Korean hacker campaign in 2016 to steal $81 million from the Bangladesh Central Bank. The North Korean government gives its hacking crews permission to dabble in cybercrime to fund their own operations and to bring revenue into the country. The Bangladesh Central Bank job is one of their most famous. 

Rick Howard: After the break, I'll take a look at some of the other books and podcasts that I thoroughly enjoyed and have nothing to do with cybersecurity, like the JFK assassination, the U.S. pandemic response in the early days and a couple of sci-fi novels. Come right back. 

Rick Howard: My first non-cybersecurity book from 2022 that I'm recommending is "Case Closed: Lee Harvey Oswald and the Assassination of JFK" by Gerald Posner. I am a fan of conspiracy theories - not that I believe in them - just the entire stew of crazy that is inherent in all of them. I think they are fascinating storytelling devices, and I have been a fan of the JFK assassination conspiracy since I was a wee lad. In early books, I pored over still frames of the original 1963 8mm Zapruder film looking for clues before the film was first broadcast to a national audience on ABC in 1975. Zapruder just happened to be filming on the grassy knoll when the entire thing went down. And I love Oliver Stone's 1991 movie, "JFK." Fantastic storytelling - it still holds up 30 years later, not as proof of conspiracy but just a damn fine movie. Donald Sutherland's Mr. X is pitch perfect. 


Kevin Costner: (As Jim Garrison) Never realized Kennedy was so dangerous to the establishment. Was that why? 

Donald Sutherland: (As Mr. X) Well, that's the real question, isn't it? Why? The how and the who is just scenery for the public - Oswald, Ruby, Cuba, the Mafia - keeps them guessing like some kind of parlor game, prevents them from asking the most important question - why? Why was Kennedy killed? Who benefited? Who has the power to cover it up? 

Rick Howard: But I was never sold on the crazy ideas concocted by conspiracy theorists over the years about massive secret plots to kill President Kennedy - the CIA, the KGB, the Mafia, President Johnson, Castro, etc. Occam's razor argues against any of those elaborate plots. Still, I had an open mind because I couldn't get past the explanation of two specific things. The first was I didn't buy the idea that Oswald, with his low marksmanship skills and crap bolt-action rifle, would actually hit the president twice - missing the first shot, but hitting two times after - in a short amount of time. That always sounded implausible to me. The second was how President Kennedy's head flies backward after being hit from behind. I could never rectify that either. Well, Posner convinced me I was wrong. He's a lawyer and a former prosecutor, and he writes like that. The language is clear and precise, and he lays out his evidence brick by brick. And he delivers his arguments like mortar, holding it all together. It's really quite impressive, and he utterly destroys every objection to all the conspiracy theories, including my two. If you're a JFK conspiracy fan, this is a great book for you. 

Rick Howard: My next non-cybersecurity book from 2022 is "The Premonition: A Pandemic Story" by Michael Lewis. Two of my favorite rewatchable movies in the last decade are "The Big Short" and "Moneyball." I vaguely knew that Lewis authored the original books, but then I discovered his "Against the Rules" podcast on the Pushkin Network, and it all clicked together. This book, "The Premonition," is about how the U.S. government - and state and local governments, too - responded to the pandemic in the early days. This is to say they didn't respond very well. Lewis is quick to point out that this wasn't entirely President Trump's fault. He says that the systems that manage these existential threats from government - not just the pandemic response - have been deteriorating for years, decades even, before President Trump took office. The Trump administration exacerbated the situation for sure, but Lewis says that his administration was a comorbidity, not the cause. 

Rick Howard: Here's the thing that I learned when reading this book. In terms of any kind of government pandemic response, because of the exponential nature of the spread of it, government leadership has to make decisions about what to do about it long before the seriousness of the situation becomes apparent to the general public. Those remedies - those inconveniences are hard to take, even in dire situations. Our experience with COVID-19 is that, even when we were averaging well above 1,000 deaths a day for almost three years, half the country didn't like government mandates like masks, school closings, vaccinations and spatial distancing. Trying to enforce those remedies before the situation gets dire - before the notion of a pandemic is obvious - is a tough political position to be in. Even if the prescribed remedies worked and prevented a pandemic, in the aftermath, most people would say that the government overreacted with all the mandates. It's a tough situation to be in. 

Rick Howard: Lewis published the book in May 2021. It was early days in the COVID-19 response, and I expect there will be many more books later critiquing how the United States and the rest of the world responded to COVID-19 in years to come - rightly so. Over a million Americans died as a result of the virus, and that number is still rising. In hindsight, most experts think the country could have done much better. This book was a first draft of the story. I recommend it to anybody puzzled about why the American response to COVID-19 was so ineffective. It will scare the crap out of you. 


Michael Lewis: My job is to find the right characters and is to find the people through whose eyes you want to see the world. And if I bungle that, the book's not going to be any good. And then my job is to kind of draw attention to them. I'm trying to kind of, like, say, these people are important, and you need to listen to them. When I get excited about a story is when there is a situation where there are people who aren't being heard who are important. So the story is about what they did and who they are. I thought of it all along as a portrait of a broken, dysfunctional system, and it - not just the public health system. It's like a portrait of the society. 

Rick Howard: My next non-cybersecurity recommended book from 2022 is "The Method: How the Twentieth Century Learned to Act" by Isaac Butler. It's a book about acting. I know. I know. This is such a nerdy thing to include on my list of best reads of the year. If you think about it, though, most of us spend way too much time watching movies and TV shows in our spare time, especially during the COVID years, with, you know, actors portraying characters. Even if you didn't notice it, the good ones are the ones where the actors are phenomenal. The Marvel universe wouldn't be nearly as good as it is if Chris Evans, the actor that played Captain America for almost a decade, couldn't deliver his inspirational speeches in a believable way. 


Chris Evans: (As Steve Rogers) I know I'm asking a lot. The price of freedom is high. It always has been. And it's a price I'm willing to pay. And if I'm the only one, then so be it. But I'm willing to bet I'm not. 

Rick Howard: "Silence of the Lambs" wouldn't be nearly as good without Jodie Foster and Anthony Hopkins playing the leads. 


Anthony Hopkins: (As Hannibal Lecter) A census taker once tried to test me. I ate his liver with some fava beans and a nice Chianti. 

Rick Howard: So I appreciate a well-acted scene. When William Shakespeare was writing and performing plays in the late 1500s, though, acting wasn't what it is today. It was big, overexaggerated and cartoony. The actors had to play to a big house, where the sound wasn't good and not every audience member could see the stage clearly. Enter Konstantin Stanislavski, a Russian actor, director and theorist born in 1863 who changed the game. His system, which came to be known as method acting, describes techniques designed to help actors access their emotions and inner thoughts in order to create a more authentic and effective performance - to create a sense of truth in reality on stage. Stanislavski brought his system to America in the early 1900s, and it caught on. In 1947, members of the famous Actors Studio, like Montgomery Clift and Marlon Brando, were taught those techniques. Later, other well-respected actors, like Dustin Hoffman, Al Pacino and Robert De Niro, used those techniques for their most famous roles. If you're a movie nerd and if you like a bit of Russian history, this is a great book for you. 

Rick Howard: My next non-cybersecurity recommended book of 2022 is "Twilight of Democracy: The Seductive Lure of Authoritarianism" by Anne Applebaum. Looking through the lens of the glass is half full, the good news is that America is not the only country trying to reject liberal democracy in favor of authoritarianism. I mean, we're not by ourselves. We belong to a set of countries that seem to have lost our way. According to Applebaum, Poland, Hungary, Britain, Spain, England, the Philippines and Brazil are all walking down that path. Some are further along than others - that's true - but I personally think that America is one presidential election away from completely adopting authoritarianism as the future of the country. If that happens, it might take an entire generation to reverse the course, if ever. Applebaum is writing about this growing trend and tries to answer why. When I say liberal democracy, that's not the left's liberalism that Fox News bashes every day on its TV channel, it's the idea that originated during the Enlightenment during the 18th century. 

Rick Howard: According to William Galston, author of nine books and more than 100 articles in the field of political theory, liberal democracy is made up of four big ideas - one, that government works for the people - that's called Republicanism; No. 2, that all citizens are equal - that's called democracy; No. 3, that the basis for conducting day-to-day life is codified in laws - that's called constitutionalism; and lastly, No. 4, that all citizens expect independence and privacy - that's called liberalism. According to Leigh McGowan, the host of the "Political Girls" (ph) podcast, authoritarianism, on the other hand, is the idea of blind submission to authority, as opposed to individual freedom of thought and action, and can be either autocratic or oligarchic in nature. Government authoritarianism means a political system that concentrates power into the hands of a leader or a small elite that is not constitutionally responsible to the body of the people. 

Rick Howard: All my life, I have believed in liberal democracy as a fact - a first principle, if you will - that, no matter how much we disagreed as a nation across the political spectrum on the goals for the country and the projects that we took on, we were all working to improve our liberal democracy in the name of a more perfect union. But that simply isn't true. It might never have been, but it's absolutely not true now. Applebaum says that these are the contributing reasons we are seeing this movement rise today - personal gain, cultural despair, resentment, envy, nostalgia and, finally, the cantankerous nature of modern discourse itself. One thing she does highlight is the fact that all the people like me, who thought liberal democracy was a first principle and was as solid as granite, realize now that, after four years of President Trump, the institutions that held up that belief are fragile and easily toppled over. The unfortunate thing is that she has no easy answers and offers no strategy to reverse the trend. 


Anne Applebaum: I became aware of the rise of a new kind of disinformation and a more powerful form of far-right and extreme politics because of being in Poland. And I was aware of it both because I understood the changes there that I think really begin, as I explained in the book, a few years earlier - in about 2010. I then watched the experience of watching the Russian invasion of Ukraine, then trying to understand the Western reaction to it - understanding how Russian disinformation worked in trying to shape views of that reaction. And it was really with that background and with an understanding of what could happen and how that I started watching with really a lot of horror what was going on in the U.S. because so much of it was familiar, and so much of it seemed like patterns I knew from other places. 

Rick Howard: On the lighter side, four novels caught my fancy this year. The first was "Artemis" by Andy Weir. Weir is the author behind the runaway hit book and movie "The Martian." This book is a murder mystery set on a moon colony in the near future. I loved it. 

Rick Howard: The second novel was "Seveneves" by Neal Stephenson. Stephenson is my all-time favorite modern-day sci-fi author. He's also a Cybersecurity Canon Hall of Fame lifetime achievement winner for his two novels, "Cryptonomicon" and "Snow Crash." His books are so full of ideas that one reviewer, Charles Yu, described him this way - (reading) a copy of "Cryptonomicon" has more information per unit volume than any other object in this universe. Any place that a copy of the book exists is, at that moment, the most information-rich region in spacetime in the universe. 

Rick Howard: "Seveneves" is no exception and is a tome in two parts. The first part is - how does the Earth respond when the moon is about to explode - you know, for reasons - and how do you put a colony of humans in space quickly before humanity dies? The second part is set many years in the future and covers the ramifications of those early decisions made during the crisis. 

Rick Howard: A third novel is "The Lesser Dead" by Christopher Buehlman. A rollicking good vampire story set in New York City during the 1970s. It's about a clan of vampires who run into a new clan of child vampires - meaning they were turned when they were kids - moving into the city, who don't know the rules, don't care about the rules and are ruthless to whomever gets in their way. 

Rick Howard: And the last novel I want to recommend is "Fairy Tale" by Stephen King. Mr. King's preference for the horror genre is not everybody's cup of tea. I get that. But man, can he write. He knows how to move a story along. Before he published his first big hit, "Carrie," in the 1970s, he was a high school English teacher. In 2000, he published "On Writing" about the craft of writing. And my practice is to hand that book and a copy of "The Elements of Style" by William Strunk and E.B. White to every new employee that walks in the door. My advice to them is to keep those books close while they are writing email messages and reports for me. "Fairy Tale" is Mr. King's latest book, and it's not a horror story at all. As the title suggests, it's a completely original fairy tale in the same vein as "The Lion, the Witch and the Wardrobe" by C.S. Lewis and the "Harry Potter" series. Even my daughter, who hates fantasy stories, couldn't put this one down. 

Rick Howard: For podcasts in 2022 that have nothing to do with cybersecurity, I'm recommending four. The first is "The Great Books" podcast with host John Miller. I love this little podcast. It's short, usually less than 25 minutes, and the host brings on literary scholars to discuss all those classic books that we should have read in high school and didn't. Many times, I would listen to the show, get inspired and go right out and read the book. Three of my favorites last year were "Antony and Cleopatra," "Something Wicked This Way Comes" and "The Lord of the Rings" trilogy. 


John Miller: Hello, and welcome to "The Great Books" podcast. Today, we'll talk about "Lost Horizon" by James Hilton. I'm your host, John J. Miller of National Review, and you're listening to a production of National Review. 

Rick Howard: My second recommended non-cybersecurity podcast is "Ultra" with host Rachel Maddow. If the impact of the 6 January riots on the U.S. Capitol has gotten you down, and you've read "Twilight of Democracy" and think that the current flirtation in America and the world with authoritarianism is the worst it could be, rest assured that this just isn't true either. In a limited-run series - eight episodes - Maddow covers eerily similar events that happened before and during World War II, where sitting members of Congress aided and abetted a plot to overthrow the government, and insurrectionists plotted to end American democracy for good. They didn't cover that story when I was tending through my high school history class. 


Rachel Maddow: This is an American story about politics going over the edge. It's a story about good old-fashioned American extremism getting supercharged - becoming something more than radical. 


Unidentified Reporter #1: Twenty-eight men and two women are indicted on charges of conspiring to overthrow the government. 

Rachel Maddow: Intent on dismantling American democracy, they joined forces with Americans in power - with Americans who are supposed to protect this country. You have probably not heard this story before. 


Unidentified Reporter #2: The members of Congress... 

Rick Howard: The third podcast I want to recommend is "All-In." This is probably my favorite new discovery this year. These four guys are successful Silicon Valley investors, board members, good friends, and their political views range across the entire spectrum - from liberal to conservative. Sometimes the conversations get quite heated. But the reason I like it so much is that their discussions illuminate how capitalist entrepreneurs think about running a business. For example, they were talking about the massive Silicon Valley layoffs long before they actually happened. If you're a techie and the business world mystifies you, you might try listening to a few episodes. It might add some perspective to your worldview that you're missing. I know it's done that for me. 

Rick Howard: And the last podcast from 2022 that I want to recommend is "Land of the Giants." This has been one of my favorite shows for the past couple of years. Each season is a limited-run series covering the history and philosophy of one of the famous Silicon Valley success stories, like Apple, Google and Netflix. In 2022, they covered Facebook. And this year, they're going after the dating app industry. If you're interested in how these giant Silicon Valley companies shape the world, this is a great podcast for you. 


Gina Keating: They've seen us through a huge revolution in how we think about content. It's just changed everything about the world of entertainment. 

Rani Molla: I'm Rani Molla. 

Peter Kafka: And I'm Peter Kafka. 

Rani Molla: And we're hosting the new season of "Land of the Giants: The Netflix Effect." We're exploring all things Netflix by talking to the people who started the company. 

Peter Kafka: Netflix changed how we watch and what we watch, so we want to find out where Netflix is heading and how they plan to win the streaming wars. 

Rick Howard: And there you have it - my second edition of being a student of the cybersecurity game for 2022 and heading into 2023. Do yourself a favor and emulate the NFL quarterback GOAT, Tom Brady. Spend some time besides the day-to-day grind of the job in handling the crisis of the moment to enrich your understanding of the profession, and then branch out to the other areas of interest that are not cybersecurity. Expand your world. It will make you a more rounded person, a better leader and will consequently make you a better cybersecurity practitioner. 

Rick Howard: The CyberWire's "CSO Perspectives" is edited by John Petrik and executive produced by Peter Kilpe. Our theme song is by Blue Dot Sessions, remixed by the insanely talented Elliott Peltzman, who also does the show's mixing, sound design and original score. And I'm Rick Howard. Thanks for listening.