EP 21: What germs can teach us about dealing with cyber-attacks
About this episode
November 27, 2018
Kip Boyle, CEO of Cyber Risk Opportunities, talks with Jake Bernstein, JD and Cybersecurity Practice Lead at Newman Du Wors LLP, about how germs can teach us a lot about how to deal with cyber-attacks.
Kip Boyle: Welcome to the Cyber Risk Management Podcast. Our mission is to help executives become better cyber risk managers. We are your hosts, I'm Kip Boyle, CEO of Cyber Risk Opportunities.
Jake Bernstein: And I'm Jake Bernstein, Cyber Security Counsel at the law firm of Newman Du Wors.
Kip Boyle: And this is the show where we help you become a better cyber risk manager.
Jake Bernstein: The show is sponsored by Cyber Risk Opportunities and Newman Du Wors LLP. If you have questions about your cybersecurity-related legal responsibilities.
Kip Boyle: And if you want to manage your cyber risks, just as thoughtfully as you manage risks in other areas of your business, such as sales, accounts receivable, and order fulfillment, then you should become a member of our Cyber Risk Managed Program, which you can do for a fraction of the cost of hiring a single cybersecurity expert. You can find out more by visiting us at cyberriskopportunities.com and newmanlaw.com.
Jake Bernstein: So Kip, what are we talking about today?
Kip Boyle: Jake, today, we're going to talk about how germs can teach us a lot about how to deal with cyber attacks.
Jake Bernstein: Okay. That's a stretch. I'm looking forward to how we dig ourselves out of this particular topic call. So let's get going.
Kip Boyle: Well, it shouldn't be too hard. We did do show prep. So everybody in the audience, there you go, Jake is my accomplice here. Okay. So it's 1847, and we're in the childbirth clinic at the General Hospital of Vienna.
Jake Bernstein: And there are no computers anywhere?
Kip Boyle: No. I don't know what technology they have at that point, but I don't know that given all the technology that I have now that I would really want to live in that time.
Jake Bernstein: Oh my gosh.
Kip Boyle: I don't think they have penicillin yet, or it's not widespread.
Jake Bernstein: No. Penicillin is like World War II era. So quite a ways, almost 100 years, actually.
Kip Boyle: All right. So we're in Vienna, and the mortality rates for mothers as a result of what then was called childbed fever are shockingly high. About 18% of all the women who go to the hospital to give birth die. And nobody knows why, it's this mysterious malady called childbed fever. And Dr. Semmelweis who works at the hospital doesn't understand what's going on. And he's curious.
And so the questions that he's asking himself are things like: why is it that the childbirth clinic that the medical students work in has a mortality rate over five times higher than the clinic that the trainee midwives work at, in the same hospital building?
Jake Bernstein: And I bet too that, I mean, childbirth mortality rates in mothers were not 18% for home births during the same time period.
Kip Boyle: They probably were not.
Jake Bernstein: Not anywhere close. And so that I'm not sure that they worried about that, but that's a shockingly high statistic. So how did he deal with this?
Kip Boyle: So Dr. Semmelweis is looking around and he's trying to figure out what's going on. And he came up with this theory. He theorized that there were these cadaverous particles on the hands of the doctors, but not the midwives. And a cadaverous particle is what you might think. I mean, these are like pieces of dead people, to be very clear. And he theorized that it was these particles that were causing childbed fever.
And so why did he think this? Well, it really wasn't that big of a stretch for him to figure this out, because most doctors, as he knew and observed, were routinely performing postmortem examinations. And then when they were needed in the childbirth clinic, they would just walk over because it wasn't that far away. But critically, they would not wash their hands.
So they would do some kind of a dissection or postmortem exam, and then they would be notified and then they'd rush over to their childbirth clinic, and they would deliver a baby. Now, interestingly, the midwives, because they were not doctors in training, they were not involved in the postmortem examination. So Semmelweis is thinking, "Okay, doctors are doing one thing, midwives are doing another. How can I put some scientific method on this?"
Jake Bernstein: I mean, this definitely, 1847, is clearly headed toward the industrial age, the more modern world. But anyone who knows the history of medicine and biology is probably thinking all of that is still relatively new.
Kip Boyle: It is.
Jake Bernstein: Like we said, we're decades from the discovery of antibiotics.
Kip Boyle: Yep, and other things too. Other things that we absolutely take for granted today. So Dr. Semmelweis said, "Okay, I'm just going to try an experiment. I'm going to ask all the doctors and all the midwives to wash their hands immediately prior to assisting with childbirth." Any guesses what the impact was of that?
Jake Bernstein: Well, I'm going to guess that was a pretty substantial impact. Probably enormously so.
Kip Boyle: So of course, and our listeners probably, this is not that hard to conceive, but the impact was enormous. The mortality rate dropped from 18% to 2%.
Jake Bernstein: That's almost, that's the next best thing to an order of magnitude.
Kip Boyle: Yeah. And all because they're washing their hands, not because of some phenomenal medical miracle, a new drug or whatever, simple hygiene. Just wash your hands, please. I mean, they weren't even wearing gloves, just so you know. This was all done with bare hands.
Jake Bernstein: Technology to make gloves, there's a lot of things we take for granted right now. And I think we'll get back to why that is so useful to think about when it comes to... We're obviously going towards cyber hygiene in this discussion.
Kip Boyle: Right. Yeah.
Jake Bernstein: But... Yeah.
Kip Boyle: So Dr. Semmelweis makes this massive breakthrough, "Hey, if we just wash our hands, fewer mothers will die." I was like, "Wow, this is so wonderful." I mean, who could object to this? But strangely enough, this whole idea of hand washing was not taken up very quickly by the medical establishment. In fact, it took 42 years from the time that Dr. Semmelweis figured this out before surgeons, and not even all surgeons but just the smallest clusters of surgeons, routinely wore gloves while they were performing surgery, 42 years after Dr. Semmelweis established this very clear link between dirty hands and dead people.
Jake Bernstein: Yep. Well, when you think about it, another thing we take for granted right now: a result like that would be worldwide news within a day.
Kip Boyle: Yeah. So modern media, right? Modern communications.
Jake Bernstein: There really wasn't even an infrastructure for scientific publishing at that point.
Kip Boyle: No, there wasn't. But it was more than that. I mean, based on my study of this situation, it wasn't just a lack of communication, although that is a factor. But it's just really attributable, I think, mostly to the fact that people just don't like change.
Jake Bernstein: I'm sure people thought they weren't going to give him... I'm sure some didn't want to give him credit. There's all kinds of reasons why that would be [crosstalk].
Kip Boyle: Yep. Or they just didn't understand, they weren't sure that was it, they were skeptical. And it would require them to change their daily habits. I would have to start washing my hands now. And that's a real irritant, that's a real bother to me, it slows me down. I get home later at night. There's probably all kinds of things that people were thinking, but they just did not understand just how true and just how impactful this was.
And just to give you another perspective on this. The first national hand washing guidelines in the United States, what year do you think they were published, knowing that Dr. Semmelweis figured this out in 1847, what year do you suppose that the US finally embraced this?
Jake Bernstein: I would probably guess after World War II in the '50s or '60s.
Kip Boyle: Well, it was after World War II, 1981.
Jake Bernstein: Well, that's surprising. That's...
Kip Boyle: 134 years-
Jake Bernstein: Yeah. And that's surprising.
Kip Boyle: ... after Dr. Semmelweis. News travels slow, but that's really slow. And so why do I tell this story? Well, because I think, based on my experience working in the cybersecurity profession now for many years, I think that this experience with germs can teach us a lot about how we can deal with cyber attacks. And really what I'm trying to focus on here is a couple of very key ideas, which I want to explore now. But are you starting to see the connection?
Jake Bernstein: Oh, very much so.
Kip Boyle: Biological germs, I've never seen a germ with my naked eye and I've only seen photographs and artists' representations of what germs look like. And yet, I am a drop-dead believer in the idea that germs make people sick. I don't need to perform a scientific experiment in order to buy into that. And it turns out that I've experienced something similar, that I really think about digital germs as things that float around on USB thumb drives, and work through our networks, and make our computers sick.
And they're invisible too. You don't know that you're going to get hit by one of these things until it hits you. You don't know that when you grab the door knob that a bunch of germs just jumped on your fingers. You've got to wait and see attitude on whether these cooties are going to make you sick, or maybe you've put some cooties on that door knob and somebody else is going to pick them up and they're going to get sick.
But I think the digital equivalent here is, there was a huge botnet called Mirai a couple of years ago that was the result of home routers and other internet of things devices having a vulnerability. And they all got recruited into this enormous botnet, and it was weaponized and it ended up taking down CNN, New York Times, and a bunch of other very high profile websites and huge swaths of the internet. But the people whose routers were hijacked really didn't know. I mean, there was nothing about having their home router attack somebody else that sent up a flag that said, "Hey, something's wrong with my router." And so immediately I think of Typhoid Mary.
Jake Bernstein: Yeah, carrier.
Kip Boyle: Yeah. Like, "I'm not sick. Why are all these other people getting sick around me?" And speaking of Typhoid Mary, I was curious because I've heard that term a lot but I never really dug into it. But apparently, she was so difficult to deal with that the health authorities actually quarantined her for 29 years.
Jake Bernstein: Wow.
Kip Boyle: She was effectively in prison because she wouldn't voluntarily stop performing work as a cook. And so she was getting people sick all the time. For whatever reason, she was immune to it but she just would not do the right thing.
Jake Bernstein: So this discussion is really interesting to me, because if you recall, before I went to law school, I had a lot of experience in molecular biology. I have a degree in that from UDub and I worked in a lab for a long time. And it's no accident that we named computer viruses after biological viruses. And the way that a biological virus works is that there's a debate over whether or not they're even really alive, or if they're just kind of self-replicating particles. But they invade your cell and then they co-opt the cellular machinery to reproduce themselves.
And if you think about a computer virus, particularly a worm that spreads, what is it doing other than invading the central processing unit and forcing it to do calculations that create new copies of it and spreading itself. So the metaphor is extremely accurate. And if you think about the way that antivirus software works and the way that your immune system works, it's another really, really close metaphor. In order to be immune to something you have to be exposed to it. And there's two ways you can become immune to something. You can either get it, suffer through it, and then you won't tend to get again. Or you can get a weakened version of it, which we call an immunization, that your body will learn. Well, that's pretty much on a molecular level is literally a signature-based system, which is exactly how antivirus software works.
Kip Boyle: Traditionally, that's how it's worked. Absolutely. And I want to give you another example. You mentioned a network, a digital worm going through a network. Well, if you think about like getting a cold because you touched a door handle that somebody else touched and then you rub your eye or somehow that germ jumped into your body, and that's sort of person-to-person transmission. But I also think that digital germs can also be like a biological weapon.
Jake Bernstein: Totally. Red-like disease.
Kip Boyle: Right. A virulent particle that floats in the air that's aerosolized, or is deliberately released into the atmosphere because it has been weaponized and delivered in a bomb. And we saw this very recently in 2017 with NotPetya. It was released in the Ukraine, and it was so virulent and so good at going from computer to computer that it caused, by White House estimates, about $10 billion in damage worldwide.
And there were some very high profile companies that got seriously hurt by this thing, Merck; FedEx TNT; Maersk, the shipping giant. I mean, it was out of control. And there you go. So whether it's person-to-person transmission or more like a biological weapon, I mean, I think that this metaphor is apt. So we both agree on that.
And so here's how I think, though, it can inform us on cyber risks, dealing with cyber attacks. And here's one parallel that I think is hurting us. Dr. Semmelweis worked in the hospital. He was trained, he was a highly specialized medical professional. And he had to use his access to a hospital and so forth and his training to figure out, "There's a link here. If people wash their hands, disease does not spread as easily and we don't have to put up with the consequences of that."
And today, because we've learned so well, everybody washes their hands without medical supervision. And people wash their hands simply because their parents say it's a good idea and they don't demand evidence. So this change has been extremely efficient at spreading, and being taken up by regular people to the point where we wear gloves when we make food for other people, we cover our mouth when we cough or when we sneeze. We do all kinds of other things too, like we get an annual flu shot, we see the dentist twice a year.
Jake Bernstein: Caveat, in the United States.
Kip Boyle: Of course, in the United States. I mean, I'm an unabashed American for all the good and all the bad that that implies.
Jake Bernstein: Well, I would say all the modern Western countries.
Kip Boyle: Absolutely. But this whole idea of being healthy and voluntarily submitting to procedures that, quite frankly, are not very comfortable. Going to the dentist is not a very comfortable thing, but I willingly do it because I know that it's going to help me.
Jake Bernstein: It's a lot of minor to somewhat significant inconveniences that we willingly undergo on a regular basis because it has become part of the gestalt of our society. And it's [crosstalk].
Kip Boyle: It works.
Jake Bernstein: The study of public health is we should be looking toward public health when we're looking towards cyber risk management. I think the metaphor is clearly there, it's clearly apt. And so I think what we should talk about now is how does this inform our ability to deal with cyber attacks and cyber risk? And from my perspective, particularly as a non-technologist by trade, at least, it's amazing to me how these cyber risks approach invisibly and strike without warning much like germs do.
So if we go back to your Dr. Semmelweis, we've got at this point 180-, 190-year-old anti-germ theory and some playbooks. If I want to tell my clients to wash their digital hands, which we call, as anyone who tunes in to our podcast well knows, practicing good cyber hygiene, what should we do? What's the digital equivalent of washing their hands, and seeing the dentist, and getting a checkup, and getting immunized?
Kip Boyle: And not relying on specialists to deal with this, because I think that's our history, is saying, "Well, the IT people will take care of this for me and I don't need to do it." And I think that's one of the corners that we need to turn as a society, is we need to take these ideas of good cyber hygiene, like, "I shouldn't use my computer's administrator account for daily tasks like reading email and browsing the internet." That's actually like operating or doing a postmortem exam and then going over to the childbirth clinic without washing your hands or wearing gloves. I mean, you're engaging in incredibly risky behavior, and you're probably thinking, "The IT people will keep me safe." No. I mean, increasingly that is not true.
And so we have to take it on ourselves to figure out what are these hand washing techniques, like not using my administrator account. Or using a password manager to generate unique passwords for every site that I visit and to keep them all in a safe place, and even to ask it to automate my daily work. I mean, productivity can go up and security can go up at the same time by using a high quality password manager. And as individuals, we have to say, "That's the right thing to do. I'm going to inconvenience myself a little bit as I learn how to do this."
Jake Bernstein: As you and I well know, it actually turns out to be a benefit, once you do it.
Kip Boyle: It's a big benefit.
Jake Bernstein: But making that switch is hard. And I'm going to interrupt your list of practices here because something else that we've talked about in the past is how everyone is a foot soldier in the cyber war, right?
Kip Boyle: Yep.
Jake Bernstein: And that's a good metaphor, good concept. But there's a problem with it. The problem with it is that for all foot soldiers, soldiers are commanded by specialists, by leaders.
Kip Boyle: Generals.
Jake Bernstein: Generals. And so we might be waiting around, "Okay, I'm a foot soldier or whatever. I'm going to wait around for my generals to tell me what to do." Whereas the helpful thing about the cyber hygiene and digital, biological warfare concept is that biological warfare is targeted at civilians. It's not a military weapon, it's targeted at civilians. And it doesn't matter if you are in the army or not, it's indiscriminate.
Kip Boyle: I think that's really the issue, is even if I fire it at military members, it can cost a lot of collateral.
Jake Bernstein: It'll spread. And so how do you protect yourself against that? Well, you can't wait for the general to tell you to wash your hands. So though, for certain teaching elements of cyber hygiene and cybersecurity, the "we're all foot soldiers" meme is a good one, I think this one, in this podcast, is even more valuable because it really shows that, "Look, this starts and ends with the individual." No one's going to tell you to wash your hands every time you come out of the restroom or touch a door knob, you just need to know to do that.
Kip Boyle: So you have to be trained. Somebody needs to tell you that this is the right thing to do, parents. And in the modern world, we need executive management to teach the workforce, like, "This is expected. This is just like breathing air, this is something that you need to do. And I'm going to provide you with the tools you need and I'm going to train you to use them, but it's really up to you to use them." So a soldier gets indoctrinated, gets trained, is issued equipment, learns how to take care and use that equipment. And when the shots start getting fired, it's up to each individual soldier to actually point their rifle and shoot because the general is not there to do it.
Jake Bernstein: You were talking about that, and I thought to myself, "Gosh, it'd be unreasonable not to." And then a light bulb went off and I just realized that another theme that we always talk about is reasonable versus unreasonable cybersecurity programs and what it means to be reasonable. And as you were talking, I was thinking nobody would ever say that it's reasonable for a country to not train its army and just say, "Go out, do your army thing." That's crazy, no one does that.
And I think it would be pretty bad, it would not be effective parenting to never teach your kids to wash their hands. I mean, I'm not trying to make any judgements here, but the idea is that it's reasonable to do so. And even though figuring out what reasonable cyber hygiene and cybersecurity program are, and that's a hard thing to do, talking about it in this way makes it seem a lot more obvious.
Kip Boyle: Well, I hope so. I mean, that's kind of the point of the episode today is to help create in the minds of our listeners this link between, "Oh, yeah. I do wash my hands every day, and I do go to the dentist. And I do these things to stay healthy in the real world against biological germs. Maybe I should start doing the same thing in my digital life." And you know what? It's not all that different, from something I already do anyway. And I think that's a really important thing that people need to grasp. Because as I said, they are probably thinking that the IT group is doing this for me. And perhaps that was true in the past but it's like, now we all need to do this.
And the impetus for this is just enormous. I mean, the attacks are getting more ferocious and more effective. Phishing is an incredibly effective attack because it's attacking our human emotions, not our technology. And so that makes it extremely personal. And when we work with executive management, this is what we're telling you, you've got to equip your workforce to survive in this really virulent digital environment. And so that's why we're recommending that you treat cyber risk as a public health problem, and that we borrow heavily from that playbook, by the way, a playbook that's worked really well for us in the last couple 100 years.
Jake Bernstein: It has. And I was looking at our list of cyber hygiene practices and drawing parallels between what the equivalent public health practice is. So you said avoid using our administrative account for routine work. That's basically an affirmative act, and what you said works very well. That is not going from patient to patient without washing your hands or changing your gloves. Using a high quality password manager daily is like remembering to put on a clean pair of gloves every time. Simply installing security updates is getting your shots, getting your immunizations. Checking your credit report at least twice a year for signs of ID theft is remembering to-
Kip Boyle: Go to your dentist.
Jake Bernstein: ... go to the dentist, exactly. And then conducting an annual cyber risk assessment. I mean, we literally have something that everyone has to get, called an annual physical exam. It is identical-
Kip Boyle: Mm-hmm (affirmative). Whether you feel sick or not.
Jake Bernstein: Whether you feel sick or not. And in fact, generally you go when you don't feel sick.
Kip Boyle: Yep. Because there can be lurking conditions, like undiagnosed diabetes or something like that.
Jake Bernstein: And the whole point of an annual physical exam is to check you out, to see how you're doing over the last year, and to make [crosstalk] what's going to happen bad in the next year.
Kip Boyle: Let's keep you healthy.
Jake Bernstein: Well, let's keep you healthy. And that is exactly what an annual cyber risk assessment is for. There's still a huge, I think, unfortunate attitude right now where, "Oh, well, we'll just get a cyber risk assessment done when someone else tells us we need to do it." Like, "I'm glad you did it." That's like, "I'm glad you went to the doctor." But if that's going to be effective, then you need to go every year. [crosstalk]
Kip Boyle: Yeah, exactly. It needs to be a practice, a regular practice.
Jake Bernstein: Yeah, exactly.
Kip Boyle: Practicing good hygiene, cyber hygiene. Well, if you enjoyed our podcast episode today, you might want to pick up a copy of my new book called Fire Doesn't Innovate when it is published in January, 2019. But here's the thing, if you're willing to post an honest review on Amazon when it does get published, then I would love to share with you an advance copy of the book. So if you would like an advance copy, then just let us know, send an email to info, I-N-F-O, email@example.com. And if you put Fire Doesn't Innovate in the subject line, then we'll communicate with you back and we'll get you an advance copy of the book. And we'd love to hear your feedback on it, and we'd love for you to take a look at it. And that wraps up this episode of the Cyber Risk Management Podcast. Today, we talked about how germs in the real world can teach us a lot about how to deal with cyber attacks. Thanks for being here. We'll see you next time.
Jake Bernstein: See you next time.
Kip Boyle: Thanks everybody for joining us today on the Cyber Risk Management Podcast.
Jake Bernstein: Remember that cyber risk management is a team sport and needs to incorporate management, your legal department, HR, and IT for full effectiveness.
Kip Boyle: And management's goal should be to create an environment where practicing good cyber hygiene is supported and encouraged by every employee. So if you want to manage your cyber risks and ensure that your company enjoys the benefits of good cyber hygiene, then please contact us and consider becoming a member of our Cyber Risk Managed Program.
Jake Bernstein: You can find out more by visiting us at cyberriskopportunities.com and newmanlaw.com. Thanks for tuning in. See you next time.
Cyber Risk Opportunities
Kip Boyle is a 20-year information security expert and is the founder and CEO of Cyber Risk Opportunities. He is a former Chief Information Security Officer for both technology and financial services companies and was a cyber-security consultant at Stanford Research Institute (SRI).
K&L Gates LLC
Jake Bernstein is an attorney and Certified Information Systems Security Professional (CISSP) who practices extensively in cybersecurity and privacy as both a counselor and litigator.