Cybersecurity is radically asymmetrically distributed.

Aug 5, 2024

CSO Perspectives is a weekly column and podcast where Rick Howard discusses the ideas, strategies and technologies that senior cybersecurity executives wrestle with on a daily basis.

Cybersecurity is radically asymmetrically distributed.

Listen to the audio version of this story.

Cybersecurity is Radically Asymmetrically Distributed. I first heard of this idea from an unusual source, Malcolm Gladwell, the famous author and podcast host. He gave one of the keynotes at the 2023 Google/Mandiant mWise conference in Washington DC. You may be rightfully asking yourself, what does a world-renowned author and podcast host, whose expertise is in the ballpark of the social sciences, know about the world of cybersecurity and why was he presenting the keynote at one of the infosec profession’s flagship conferences? I'm glad you asked.

I think mostly it was because Google paid him to come. That said, he brought an original idea that I had never considered, or at least, he crystallized an idea that had been bouncing around in my head since we started writing our First Principles book back in 2022. His idea was that most of us believe that the problems we all are trying to solve in our daily lives are normally distributed to everyone; that things like climate change, nuclear accidents, and the most effective way to water our lawns, impact everybody equally when, he suspects, that some are asymmetrically distributed. In many cases, they are radically asymmetrically distributed.

He said that he appreciated the hubris of a non-cybersecurity expert like him coming into a room filled with cybersecurity experts like us and suggesting not only a new idea, but perhaps a revolutionary way to approach the problem of cybersecurity. With that big caveat, he said that he thought cybersecurity was a radically asymmetrically distributed problem.

Well now, that seems interesting. Since the entire purpose of our First Principles book was to talk about cybersecurity strategies and tactics, does understanding and believing that cybersecurity is a radically asymmetrically distributed problem change the strategies that we might choose? Gladwell seems to think so.

Background on Gladwell.

For those that don’t know, I'm a huge fanboy of Malcome Gladwell. He’s the best selling author of books like

The Tipping Point
Blink
Outliers
Talking to Strangers
The Bomber Mafia

The Bomber Mafia is my all time favorite. It’s about the US Army Air Corps’ glorious quest to make warfare less murderous in the transition between WWI and WWII. The men behind the effort spectacularly failed but boy, did they give it a try.

Gladwell is also the co-founder of Pushkin, an audio production company similar to N2K Cyberwire in that Pushkin hosts a network of podcasts. Out of the 44 that Pushkin hosts, my favorites are

“Against the Rules” hosted by Michael Lewis (of Moneyball fame)
“Medal of Honor: Stories of Courage” hosted by Gladwell.
“Revisionist History” also hosted by Gladwell

I'm a little bit envious that Gladwell thought of the Medal of Honor podcast before we did. Those kinds of stories are like catnip to me. There have been over 3500 recipients since President Lincoln signed the medal into existence in 1861 and there are 61 living recipients as of this summer (2024). All of their stories are in the public domain and each one is inspiring and jaw-dropping heroic. They are perfect for a podcast.

But, I’ve been listening to Revisionist History for years. Whenever a new episode drops, that’s the first thing that I'm listening to that day. He takes a subject that everybody thinks they know, revisits it, and completely blows your mind with another version of the story. His rant about how taxpayers fund private golf courses on city land that the public can’t use will make you think twice about the late great comedian Bob Hope. His screed about college rankings and how elite schools with large endowments have no interest in public education and diversity will make you weep for the country. His six part series on gun control will make you realize that all the efforts to restrict automatic weapons and magazine sizes (that have thus far failed to get through Congress) would probably have little effect on reducing the damage caused anyway. And his current series on the runup of the United States participation in the 1936 Olympics in Nazi Germany may provide some insight into America’s modern day flirtation with its own version of fascism, former President Trump’s version of how to run the government.

See what I did there? I slyly threw in my opinion about the upcoming United States presidential election hoping you wouldn’t notice. I guess you know where I stand now. I'm not supposed to talk about politics in this cybersecurity essay but allow me this one digression. For the US listeners specifically, and maybe international listeners with a passing interest in the state of democracy in the world, I’m writing this on the morning after President Biden dropped out of the 2024 US Presidential election. Regardless of who replaces him as the Democratic nominee, this election is unique. Normally, presidential elections are about which politician you hate or love or about this policy or that. But in this election, those things pale to what it’s really about. In this election, citizens will decide if the United States will continue to be a liberal democracy or transition to a fascist state. When you strip everything else away, that’s the choice. For the American listener, choose wisely grasshopper. Whichever way it goes, the result will impact generations of Americans.

The reason I'm a big Gladwell fan is that he excels at blending storytelling with scientific research in an effort to make complex ideas accessible to a wide audience. He tells the executive summary so that we, mere mortals, can get a glimpse, however shallow, of the underlying issues of the topic. His critics say that he oversimplifies and lacks scientific rigor. I find that quite amusing. When, for example, he summarizes a 15 page peer reviewed research paper on the “Threshold Models of Diffusion and Collective Behavior” from the Journal of Mathematical Sociology, of course he’s going to shave off some of the details and round off the corners of the math. That’s what happens when you summarize. I think his critics are mostly bitter that Gladwell’s books regularly land on best seller lists while their deeply researched academic books and papers do not.

Automobile emissions represent a radically asymmetrically distributed problem.

In his keynote, Gladwell described two problems that most people think are normally distributed when, in fact, they are radically asymmetrically distributed: US automobile pollution and Covid 19 infection causes. Let’s start with car pollution.

In 1966, in an effort to improve air quality, California passed the first statewide law to mandate frequent automobile emissions tests. By 2024, at least 30 states have similar laws on the books mandating that their citizens get their cars checked at least annually to ensure that they aren’t spewing dangerous toxic chemicals at unacceptable levels into the environment. According to Gladwell, these laws assume that every citizen’s car is likely to do that; that every car is moments away from being a heavy polluter. But, he points out that in 2024, almost 60 years after the California law went into effect, car emissions technology has improved. Back in the 1960s, manufacturers didn’t even worry about pollution. The 1963 Porsche 911 for example only had a simple "blowby device" to return unburned gasses from the crankcase to the combustion chambers. Catalytic converters weren’t a universal thing yet. But in 2024, they are. Modern cars produce significantly fewer emissions due to advanced technology and stricter regulations. The chances that a modern car is spewing exhaust at unacceptable toxic levels is much smaller than the cars made in the 1960s. The problem is no longer universally distributed. According to Gladwell, that means the strategy that worked back in the 1960s (annual exhaust checks for all cars) is probably not the most effective. He suggested that you could probably have the same effect by deploying exhaust detectors in conjunction with traffic light cameras in key locations designed to identify malfunctioning technology. The strategy transforms from making everybody do something to discovering the outliers and making them do something. The outliers in this case are the asymmetric distribution. Gladwell made a similar observation about Covid 19 transmissions.

Covid 19 superspreaders represent a radically asymmetrically distributed problem.

I know that nobody really wants to relive the over three years of Covid 19 pandemic lockdown that we all did from March of 2020 to May of 2024. But Gladwell was interested in the first days when everybody was confused about what Covid 19 was and whether or not it was dangerous. I remember back in February 2020, I had just joined the Cyberwire and my first official act was to represent the company at the annual RSA Security Conference in San Francisco. The World Health Organization (WHO) declared COVID-19 a Public Health Emergency of International Concern (PHEIC) just before we all arrived. All of my friends and colleagues were walking around San Francisco asking ourselves if we should really be there mingling with the 35,000 attendees who would immediately get on planes afterward traveling back to the four corners of the world and spreading whatever diseases they came into contact with. Gladwell’s example came a month later, the Boston Massachusetts superspreader event.

Local Boston news reported that 100 people from around the world convened at the Boston Marriott Long Wharf hotel for a leadership conference led by the Cambridge-based company called Biogen. When they got home, those 100 people infected more than 330,000 people worldwide with Covid 19. In his keynote, Gladwell cited a preliminary MIT study that theorized many of the 100 attendees to the Biogen conference were superspreaders, individuals who infect many more people then the average person would. The study further theorized that the one quality that made them superspreaders was the size of the water droplets coming out of their mouths when they breathed. Compared to an average human, their water droplets were exponentially larger. Larger water droplets can hold more virus. The bigger the virus load in the water droplet, the greater the chance that the already infected would infect more people.

Gladwell was quick to point out that these were just theories and that more study was required. But, if you assume that it’s true for a second, how does that impact your pandemic survival strategy? What we did do is assume that all people were equal opportunity infectors. We assumed that the problem was universally distributed. That meant that we adopted tactics that everybody needed to do: stay at home, wear masks if you absolutely needed to go out, and keep a safe distance from your friends and colleagues even if you were wearing a mask.

But if you assume that infecting other humans is radially asymmetrically distributed to mostly superspreaders with overly large water droplets, your strategy might be completely different. It might be to locate those superspreaders and lock them down, not everybody on the planet. I'm not saying this would have been easy but it might have been far easier then what we did do. At the very least, we could identify those superspreaders and ask them nicely not to attend the RSA Security Conference that year. That would have been something.

Cybersecurity represents a radically asymmetrically distributed problem.

At this point, you’re asking yourself, how does this apply to cybersecurity? In our First Principles book, I outlined how, in 2021, the FBI said that ~5,000 US organizations had self-reported that they had been compromised by some kind of hacker. Assume that there exists some five times that number who didn't self-report, call it 25,000. But, there are roughly 6 million organizations within the United States (federal-state-city-county-governments, academic institutions K-College, non-profits, and public companies). 25K / 6 Million is a really small number. The chances that any US organization will be materially impacted by a cyber attack is tiny. I’ve been working in cybersecurity for 30 years. Since the beginning, my peers and I have been treating cybersecurity as if the danger was imminent; that at any moment we would all be overrun by the hacker hordes. That’s just not true. The news headlines that we read every day make us think that, but the numbers don’t support the assertion. That’s the first piece of evidence that Cybersecurity is a Radically Asymmetrically Distributed Problem. It’s hardly distributed at all.

The second piece of evidence comes from our risk forecasting friends at Cyentia. Out of the 20 business sectors tracked by the North American Industry Classification System (NAICS), the top three (Healthcare, Financial, and Professional) accounted for 41% of the publicly known incidents in 2022. The other 17 were all in the single digits. At the bottom of the list is agriculture, mining, and utilities. Those verticals have less than 1% chance of getting hit by a cyber attack. Clearly, the bottom three sectors have way less to worry about than the top three. If that isn’t the textbook example of Gladwell’s Radically Asymmetrically Distributed problem idea, I’ll eat my hat.

That’s only two data points but it’s enough to make me at least lean in to the idea that Cybersecurity is a Radically Asymmetrically Distributed Problem. If we do the thought experiment and assume it’s completely true, then does that fact change the strategies we might use to reduce the probability of material impact due to a cyber attack? When we thought cybersecurity was universally distributed and our chances of suffering a material cyber attack campaign were the same as everybody else's, preventative first principle strategies like zero trust, intrusion kill chain prevention, automation, and workforce development were on the table. Are those strategies still on the table in a world where your organization is not likely to get hit by a cyber attack at all.

I'm not saying that cyber attacks aren’t important and that you shouldn’t worry about them. The truth is that, for those 25K victims in the FBI study above, those cyber attack campaigns were devastating to them; some of them could have been company killers. They are Black Swan events, a phrase made popular by Nassim Nicholas Taleb in his 2007 book, “The Black Swan: The Impact of the Highly Improbable.” They are risks that are not likely to happen, but if they do, they are catastrophic.

My favorite Black Swan example is the risk scenario of a planet killer meteor hitting the earth. The chance of that happening is very small, but we don’t want to ignore the risk. If it ever does happen, it will likely end the human race. Options on the table for reducing the probability of a meteor ending the human race are preventative (like launching nuclear missiles at the meteor in an effort to deflect it away from the earth) or redundancy (installing a human colony on Mars so that if a meteor ever takes out the earth, the human race will continue to survive on Mars). If the chances of a planet killer hitting the earth were high, the human race might spend a lot of resources on preventative measures. But, since the probability is low, just to cover our bets, we might spend some resources on establishing a Mars colony.

And that’s the entire point of discussing this Radically Asymmetrically Distributed Problem idea and how it applies to cybersecurity. If you’re in the top three verticals from the Cyentia study, it makes sense to deploy one or more preventative strategies. The chances that you will be targeted by some adversary campaign is high and spending resources in terms of the people-process-technology triad will have a direct impact on reducing the probability of material impact. But, if you’re in the bottom three sectors, those preventative strategies will cause you to spend a lot of resources on something that is not likely to happen and will have no impact on reducing the probability of material impact. I mean, would it be worth it to spend all of those resources to reduce the probability from .2% to .1%. I can think of better ways to spend that money.

For those verticals where the outside-in risk forecast of a material cyber event is already extremely low, the best first principle strategy to pursue is Resilience. Outside-in risk forecasting is calculating risk for the general population. What are the chances that any organization will get hit with a material cyber event. That’s what the Cyentia numbers show. We don’t want to waste resources on preventing something that will likely not happen in the first place. But, we may want to spend some resources on surviving the event if it does happen. According to our First Principles book, those organizations should be looking at Resilience tactics like backups, encryption, crisis planning, incident response, business continuity, and chaos engineering.

Takeaway.

I was so thrilled to see one of my favorite authors and podcast hosts, Malcolm Gladwell, in person. But I was completely blown away that he came into the lion’s den of cybersecurity experts with a new idea that all of us had never thought about before. Although more evidence is probably needed to prove the point, I have a strong hunch that Gladwell’s hypothesis that cybersecurity is a radically asymmetrically distributed problem is true. If it is, then the strategies that we choose to protect our organizations from a material cyber event will depend on which end of the spectrum of outside in risk forecasting we fall. If the probability is high, then traditional first principle strategies like zero trust, intrusion kill chain prevention, automation, and workforce development are still on the table. If the probability is low, then the first principle resilience strategy will likely have the most impact.