Over six and a half decades ago I went to preschool in Marblehead, MA, and I still have relatives there. So I’m partial to the New England idiom/play-on-words "Dawn breaks over Marblehead" when I have an "Aha!" moment.
Well, dawn did indeed break over Marblehead today.
I’m back visiting my alma mater, Rensselaer, which meant I used Zoom to attend Josh Corman’s “No water, no hospitals” talk at “Critical Effect DC 2025”.
Hearing Josh from a place that is rich in memory for me triggered a phrase I heard more than once during my college days here in Troy.
“Fundamentals of Physics” by Halliday & Resnick was/is the worldwide standard physics textbook. Resnick was a professor at RPI while I was there. The textbook frequently uses the phrase "It is intuitively obvious to the most casual observer". For example, a rock falls when you drop it from your hand, and a ball follows a parabolic arc when you throw it to someone. "It is intuitively obvious to the most casual observer" that gravity exists and accelerates objects downwards. I first heard that phrase over 50 years ago and have been using it ever since - along with QED (i.e., that conclusively proves the point).
I have taken for granted that the facts make cybersecurity “intuitively obvious to the most casual observer”. Similarly with my favorite topic of software bill of materials (SBOM). A recent run-in with another powerful phrase has me wondering.
I attended the Milchberg Lecture/Physics Colloquium at the University of Maryland where Dr. Kathleen Hall Jamieson, the cofounder of factcheck.org, lectured on “Communicating What Science Knows in a Polarized Time”. Without going as far as to say “Facts don’t matter,” she did refer to it and allow that it is somewhat true. She diagnosed additional “factors” that matter perhaps more than “facts”.
Today, the way facts are presented is as important as, or more so than, the facts themselves. Factors like cognitive bias, emotional reasoning, peer group pressure, and resistance to change all affect a person’s acceptance of a fact as fact. Her conclusion (backed with lots of scientific evidence and real-life examples) was a disconcerting thesis: communicating the facts is not enough.
You must communicate starting ‘where they are,’ not ‘where you are,’ and deal with the additional factors inhibiting agreement.
That brings us to the dawn currently breaking over my marble head. Listening to today’s speakers presented me with a conundrum. It was obvious to me that the threat to our water supply is real, and the consequences of not mitigating the threats were equally obvious. Yet nothing was being done about it (or virtually nothing, “a drop in the bucket” to use yet another cliché, one that has to do with water no less).
Dr. Jamieson is right. It should be intuitively obvious that the facts we cybersecurity professionals delight in wielding carry less currency than they once did. There is ‘a lot of food for thought’ here, but the big takeaway is that the “medium is the message”, and the way we present facts and shape them into narratives has become all-important. As mentioned in this morning’s opening message at “Critical Effects”, the storytelling is missing.
While I’m dealing out platitudes, I’ll add another from my days living on the coast: “Red skies at morning, sailors take warning.” The dawn that is breaking has a crimson hue. We would do well to add a sense of urgency and make the delivery of our unfortunate facts more personal.
My mind automatically brings me back to SBOMs. The facts are obvious to me (SBOMs save money and reduce risk), yet SBOM adoption is spotty and faces much resistance. Starting ‘where they are’ brings me to another of my soapboxes – the $1T cybersecurity industry doesn’t really want its market to go away. It has no financial incentive to solve the root problems, since the problems are the basis of that industry. In fact, I’ve found that “the cobbler’s children go barefoot.” Many cybersecurity companies don’t have SBOMs themselves!
Adding to my Aha! moment (i.e., in addition to “facts alone don’t matter”) was the realization that I should find a new way to communicate. This post is appearing, incidentally, on a blog run by one of the few cybersecurity vendors that would benefit financially from wider adoption of SBOMs. It’s no coincidence. “If you can’t beat ‘em, join ‘em.” So I’ll use Cybeats’ bully pulpit to get the word out. I happen to think Cybeats makes one of the best software bill of materials tools, but I’d be just as happy if you used any of the other popular software bill of materials platforms – just use one.
Let’s try something different, à la Dr. Kathleen Hall Jamieson, and use emotional reasoning to make it more personal.
Imagine your life without access to water. Imagine shuttered medical facilities in your town, since hospitals shut down without water. Demand that your water company have cybersecurity. Badger them to require SBOMs from all their suppliers, even if it means a 1% increase in your monthly water bill. Lobby your legislators and regulators to demand this as well. Ask your community to consider these same scenarios and request their help. While you’re having uncomfortable conversations, demand SBOMs from your cybersecurity vendors as well.