I’ll start with the verdict: the Cybersecurity Canon Committee got this one exactly right. Code Girls: The Untold Story of the American Women Code Breakers Who Helped Win World War II absolutely belongs in the Hall of Fame, and I wholeheartedly endorse its induction.

If you think the history of cryptology in World War II begins and ends at Bletchley Park and Alan Turing, this book will correct that assumption fast. Mundy pulls back the curtain on a parallel American effort. They ran it at scale, under extreme secrecy, and it was largely powered by women. These exceptional cryptanalysts performed the bulk of the operational code breaking that helped win the war. This isn’t just a recovery of forgotten history; it’s a recalibration of where the real work got done.

I’ve been a fan-boy to the WWII code breaking efforts at Bletchley Park for many years now. Alan Turing is a personal computer science hero of mine. I first heard about his Enigma-busting exploits against German codes in my favorite hacker novel of all time, 1999’s Cryptonomicon, written by the Cybersecurity Canon Lifetime Achievement author, Neal Stephenson. Of course, the excellent 2014 movie The Imitation Game with Benedict Cumberbatch playing Turing is one of my favorites.

Sometimes it’s the people no one imagines anything of who do the things that no one can imagine. - The Imitation Game

It turns out that an entire group of other people that no one imagined anything of were doing similar work in the United States. I always knew that there were like-minded efforts going on in the Pacific Theater. I heard rumors of the Americans breaking various codes, like the team working for William Friedman that solved the Japanese Purple code, and the efforts of Joe Rochefort breaking the JN-25 code that led to victory at the Battle of Midway. But I never found any books that told that story. Well, now I have. “Code Girls” by Liza Mundy is a treasure.

We learn from Mundy that cryptography is the art and science of code making, cryptanalysis is the discipline of code breaking, and cryptology captures both skill sets. Mundy describes Code Girls who operated primarily as cryptanalysts.

The remarkable characteristic about the “Code Girls” story is that despite the heroic efforts of Friedman and Rochefort, the day-to-day work of deciphering Japanese and other nations’ codes during WWII was largely done by American women, civilians at first and then in collaboration with the newly formed WAVES (Women Accepted for Volunteer Emergency Service in The United States Naval Reserve) and the WAACs (Women’s Army Auxiliary Corps) that came into service in 1942.

While military and civilian men mostly got the credit, it was these formidable women who ran the show. And their efforts were so secretive, that many went to their grave without telling their loved ones what they did during the war. Family and friends thought that the “Code Girls” just did administrative work.

Mundy is able to tell the stories of some 20+ women, what they did with their cryptanalyst efforts, and how they lived their lives. Let me just highlight six of the superstars.

The Women

Agnes Meyer Driscoll:

• One of the great cryptanalysts of all time.

• Made major breakthroughs against Japanese naval cryptosystems in the 1920/30s.

• Cursed like a sailor (Similar to Admiral Grace Hopper).

• She was known for saying that any man-made code could be broken by a woman.

  • Note: Sounds like a similar line from “The Return of the King” movie.

    • Witch-king: “No man can kill me” ‘

    • Éowyn: “I am no man,” before striking him down.

• Early work on Japanese naval codes was foundational to later team-based successes against JN-25.

• Mentored and influenced a generation of Navy cryptanalysts, many of whom later received the credit.

• Learned how the Japanese disguised their fleet code, using a method called “superencipherment,” that involves both a code and a cipher.

• In 1937, she suffered a car crash that broke her leg badly, as well as both jaws. It took her a year to recover, and in some ways she never did. Many people felt her personality changed following her ordeal.

• In 1940, the Navy took her off JN-25 and assigned her to an independent U.S. solution of Enigma, but her efforts lagged behind the more advanced British program.

• After the war, the Navy revered her work yet marginalized her role and didn’t seem to know what to do with her.

Elizebeth Smith Friedman

• Was part of the early Riverbank Laboratories effort that helped establish modern U.S. cryptanalysis.

• Broke rumrunner codes during Prohibition for the U.S. Coast Guard that resulted in successful prosecutions. In court, she testified as an expert witness.

• Married to William Friedman, the man who supervised the breaking of the Purple Code. Mundy makes a strong case that Elizabeth may have been the more naturally gifted early cryptanalyst and likely influenced William Friedman’s development.

• Variously employed by the Justice and Treasury Departments, the Customs Bureau, the Coast Guard, and other agencies

Genevieve Grotjan

• In September 1940, played the key role in identifying the pattern that enabled the U.S. to break the Japanese Purple code (Codename: Magic) that enabled sustained insight into Japanese diplomatic communications throughout much of the war.

Ann Caracristi

• A problem-solving prodigy, intellectually ferocious, Annie worked twelve-hour shifts, day after day.

• As a 23-year-old, became the head of an Army research unit.

• One of only a few superstars who were asked to stay on after the war.

• Matched wits against Japanese code makers, solving message addresses and enabling military intelligence to develop “order of battle” showing the location of Japanese troops.

• Broke the Japanese Army address code system and excavated code groups revealing the place names of where Japanese Army units were located.

• She had this mesmerizing thing she could do, flipping a pencil between her fingers and never dropping it (Like Boris Grishenko, played by Alan Cumming, in the James Bond movie GoldenEye.

Wilma Berryman, later Wilma Davis

• Helped Ann Caracristi break the Japanese Army address code system.

Fran Steen, Later Suddeth Josephson

• Helped break the inter-island cipher JN-25 code (Code name: Pretty Weather) that facilitated the assassination of General Yamamoto.

The Codes

• JN-20: A lower-level naval cipher system; regional/logistical communications. Cracking aided in the naval battle at Midway.

• JN-25: Primary an imperial Japanese Navy operational code; strategic, fleet-level, war-winning intelligence; Cracking led to assassination of General Yamamoto.

• 2468: Water transport code. Cracking led to revealed supply chains and vulnerabilities.

• 2345: Weapons logistics. Cracking exposed the Japanese Army’s logistics backbone.

• 3366: – Aviation code: Cracking led to aircraft movement and support

• 5678: High-volume, widely used Japanese Army communications system, Cracking helped pattern recognition to increase confidence.

• 6666: Isolated or cut-off Japanese forces (late war). Cracking led to insight into degraded, fragmented command structures.

• 6789: Promotions/transfers. Cracking led to an understanding of unit structure; specifically leadership changes

• 7777: A theater-level Japanese Army communications system, associated with regions like the Southwest Pacific. Cracking led to understanding regional priorities, command relationships, and coordination between units in a specific battle space.

I have two minor nitpicks about the book. The first is that Mundy tells a scattered story. If the reader wants to hear about the extraordinary accomplishments of, say, Ann Caracristi, there is not one place to look. You have to pick it up in fragments as you read the book. I found that to be frustrating. Second, Mundy devotes significant space to the personal and social lives of the Code Girls; their friendships, relationships, and life transitions alongside the war. That context will resonate with many readers and adds human depth to the story. For my purposes, though, I would have preferred more emphasis on the technical details and operational impact of their cryptanalytic work.

Those two minor complaints aside, I want to give a full throated endorsement for the Canon’s induction of this book’s into the Cybersecurity Canon Hall of Fame. It’s not just as a compelling history, but as a corrective to the way we tell the story of cybersecurity’s origins. The lesson is straightforward: the foundation of modern cryptanalysis was not built by a handful of famous men. It was scaled, operationalized, and sustained by thousands of disciplined analysts, many of them women, working in obscurity. If your mental model of the field still centers on lone geniuses, this book forces an update. The Code Girls weren’t an exception to the rule. They were the rule.

Source

Liza Mundy (Author), Erin Bennett (Narrator) 2017. Code Girls: The Untold Story of the American Women Code Breakers Who Helped Win World War II [2021 Canon Hall of Fame Book]. Goodreads, URL: https://www.goodreads.com/book/show/34184307-code-girls

• Canon Review URL: https://cybercanon.org/code-girls/

References

Ashley Bennett, 2018. Cypher [Game Walkthrough Guide]. The Walkthrough King, URL: https://www.walkthroughking.com/text/cypher.aspx

Neal Stephenson, 1999. Cryptonomicon [2019 Canon Lifetime Achievement Author]. Goodreads, URL: https://www.goodreads.com/book/show/816.Cryptonomicon

• Canon URL: https://cybercanon.org/cryptonomicon/

Heather Antoinetti, 2026. “Code Girls” Example of Fragmentation during WWII is the same one stalling your AI strategy today. [Essay]. LinkedIn, URL: https://www.linkedin.com/posts/hantoinetti_womenshistorymonth-aiadoption-leadership-share-7444396839564382209-HMgq/

Heather Antoinetti, 2026. The Women Who Broke Codes and the System That Slowed Them Down [Essay]. The Ah-Ha Moment, URL: https://ah-ha.ai/the-ah-ha-moment/the-women-who-broke-codes-and-the-system-that-slowed-them-down

Morten Tyldum (Director), Graham Moore (Writer), Benedict Cumberbatch (Actor), Keira Knightley (Actor), and Matthew Goode (Actor), 2014. The Imitation Game [Movie]. Letterboxd, URL: https://letterboxd.com/film/the-imitation-game/

Benedict Cumberbatch (Actor), Keira Knightley (Actor), Michael Gathright (YouTube Content Producer), 2016. Imitation Game no one can imagine [Video]. YouTube, URL:

I’m working on my Cybersecurity Canon review of Tony Martin-Vegue’s 2026 book, From Heatmaps to Histograms. In the prologue, Tony says this:

You won’t find the answers to cyber risk quantification inside the cybersecurity industry, not in the books, frameworks, or certifications. That’s where the myths are born: that quant is impossible, that you need mountains of perfect data, that it’s too complicated to be worth it.

I’ve been trying to convey that exact sentiment for about five years now. When I’m writing and speaking to groups, I usually say this immediately after.

We are wrong of course.

Tony’s book is excellent. You should read it.

Source

Tony Martin-Vegue, 2026. From Heatmaps to Histograms: A Practical Guide to Cyber Risk Quantification [Book]. Goodreads. URL https://www.goodreads.com/book/show/243058626-from-heatmaps-to-histograms

Right now, boards are approving millions in cybersecurity spend every year without knowing if it actually reduces risk.

I run a small consulting service called First Principles Consulting where I advise clients on cybersecurity strategies that buy down business risk.

First Principles Consulting

Last week, I briefed the board of a large organization in terms of revenue. The board secretary asked me to talk about my book and how it applies to board oversight.

First Principles Book

Further, she wanted me to give an overview of the Mythos platform and recommend how the board should think about this latest cybersecurity threat. I had 20 minutes.

Here is what I presented

Let’s be a Bit Controversial

Business leaders and board members let security pros like me get away with Fear Uncertainty and Doubt briefings for three decades. I call them FUD Briefings

I’ve been in the cybersecurity field for over 30 years. I’ve spent gazillions of dollars pursuing the accepted industry best practices of the day just like everybody else. But about 10 years ago, I had to admit that I really couldn’t tell my organizational leaders whether or not I had actually improved our defenses in some meaningful way; that what I was doing actually helped the business by improving its risk posture.

Oh, I collected the technical metrics by counting all the security things. I produced big and scary looking heat maps to justify additional funding for the next perceived threat. And The Heat Map slowly became the industry standard for conveying cyber risk to leadership.

But, I mean, just look at that chart. Those are adjectives, feelings. They don’t represent facts about the business. And if the “critical” label in the top right corner wasn’t scary enough, we color coded it red just to make sure you didn’t miss the point.

How do you make resource decisions based on feelings? It’s like saying we should buy the next firewall because they’re fluffy. That doesn’t make any sense

When my peers and I get together behind closed doors, you know, at the bars, on the side streets near the conferences we were all attending, we unabashedly call the Heat Map the FUD briefing.

Looking back over my career, I’m a bit ashamed that I did that; that we all did that; that board members and senior staff let us get away with it. More importantly, I’m embarrassed that, back in the mid-1990s, just after we invented the CISO job, my peers and I somehow convinced business leaders and board members that cybersecurity risk was special; different than all the other risks that the business had to deal with.

We said that cyber risk was so distinctive that it required special handling compared to all the other business risks like strategic, financial, operational, etc; that cybersecurity risk was so technical and scary, that it couldn’t be thought of in the same business risk terms.

We were wrong, of course.

But we made business leaders believe it and, by the way, business leaders let us get away with it.

A Reboot of Cybersecurity Strategy

Don’t get me wrong. The cybersecurity people-process-technology triad did improve. We got better at what we were doing. We just never stopped to consider if we were going in the right direction in the first place. Most of us couldn’t even articulate a direction at all other than we need more stuff, and we absolutely couldn’t tie our efforts back to measuring business risk.

It occurred to me that what we needed was to wipe the table clean. Get rid of all of our assumptions about what works and what doesn’t. Eliminate all the frameworks and compliance standards and start from scratch. This, of course, got me to thinking about the idea of first principles.

I looked at the historical big thinkers, the philosophers, like Aristotle and Descartes. Descartes, perhaps the GOAT of first principle thinking with his

Cogito Ergo Sum - I think, therefore I am.

I looked at the mathematicians like Whitehead and Russell who reinvented the language of math from the ground up when they realized that you could get two absolutely correct answers to the same problem using the existing set of math rules. It took them 80 pages to prove that 1 + 1 = 2. And in my favorite footnote of all time, the authors said, and I quote,

The above proposition is occasionally useful.

Who knew that math nerds could be funny?

I even looked at Elon Musk and how he solved the problem of reusable spacecraft. He didn’t look at what NASA did in the 1960s and took the next step. Instead, he threw everything out and started from scratch with first principles

These big thinkers, and many, many more, tackled gigantic complex problems by reducing them to first principles first, and then reasoning outward from there.

First Principles are atomic. They are the foundation for everything that follows. They are the absolute “What” regarding the thing we are trying to achieve reduced to their essential essence. Once you find them you can’t break them down any further

Cogito Ergo Sum- I think therefore I am.

Which made me wonder, what is the absolute cybersecurity first principle?

The Absolute Cybersecurity First Principle

I won’t bore you with the many iterations I went through, but three years ago, I published a book where I made the case for what I believe is the absolute cybersecurity first principle. Here’s it is:

That’s it.

It seems simple. It’s no longer than a Twitter line. But in practice, it’s quite complex. It’s actually three things.

1. Reducing the probability.

2. Worry about material business impacts only.

3. Forecast within the current business cycle.

In order to reduce the probability, you have to calculate the current probability. As an industry, we’re really quite bad at this. Most of us avoid the question because calculating it seems hard. There’s math involved, and probabilities. Because of that, we think we need five nines of precision and accuracy. Most of my peers think that this kind of quantitative analysis is impossible in the cybersecurity space.

So we punt and give business leaders qualitative analysis in the form of heatmaps. And by the way, there are reams of scientific papers that have proved, over and over again, that heat maps are just bad science when it comes to conveying risk to senior leaders (See the Hubbard and Seiersen 2018 Cybersecurity Canon Hall of Fame Book, How to Measure Anything in Cybersecurity Risk or my summary of it in the Resources section below).

The thing is, you don’t need that kind of detail; that five nines of detail. You’re looking to make business decisions to buy down risk. What you need is good-enough precision and accuracy, ballpark precision and accuracy, in the same order-of-magnitude precision and accuracy, so that a business leader can make a decision about whether to buy the new firewall or not, whether to hire that new SOC analyst, or whether to implement that new access management policy.

Calculating that probability can be done and I talk about how to do it in my book. And this is what it might look like for this large company.

This is a first draft Loss Exceedance Curve that forecasts the probabilities of dollar loss thresholds over the next year. This is an outside in forecast, meaning, that it doesn’t take into consideration any of the generic company’s deployed defensive measures. This forecast only considers the general case. What is the probability of a material loss to any institution of the same size and vertical in terms of revenue. If we factored in their deployed infosec program, these numbers would most likely be two to three points lower.

For example, in this outside-in-analysis, the probability that this generic company might lose a million dollars in the next business cycle is 6%. The chances that it will lose more than $100 million is just .65 percent. That brown dot represents the generic company’s material loss threshold. I made an assumption that any loss less than 2 Million would hurt but it wouldn’t be material to the business. But anything greater would be. The probability of that event is just 5.54 percent.

Here’s my point: wouldn’t you rather see a loss exceedance curve, built on concrete business data and explicit ranges of uncertainty, that estimates the probability of a material loss within the next year to the right order of magnitude, rather than qualitative Heat Maps and their fluffy adjectives?

The bottom line is this: If we can’t estimate the probability of loss, then every cybersecurity investment is effectively a guess based on feelings and fear. We can do better than that and I believe boards can provide the guidance to get us there.

First Principle Takeaway

Thinking in terms of first principles reduces cybersecurity to its essence: What is the probability of a material cyber event in the next business cycle. This focuses the entire activity towards business goals. It gives senior leaders and board members a path to weigh cyber risk against all the other business risks and to evaluate if the spend is worth the investment. First principles turn cybersecurity from a cost center into a capital allocation problem. Once you define probability, materiality, and time, every dollar you spend can be evaluated against how much risk it actually removes.

Mythos: Vulnerability Discovery and the Burglar Metaphor.

Recently, Anthropic, one of the big AI companies, announced a new product, Mythos, and it’s restricted access program, Project Glasswing. Security professionals have been reacting to Mythos the way the world reacted to ChatGPT in 2022; stunned by what it can do and uncertain about what comes next.”

Mythos is Anthropic’s highly capable AI model designed for cybersecurity tasks, especially vulnerability discovery and exploit code development. Because of the potential danger, Project Glasswing is Anthropic’s program to only allow access to a small selection of vendors and infrastructure operators. Mythos isn’t available to the public. In order to understand the significance of this new development though, I like to use a metaphor to explain the difference between software vulnerabilities and exploit code.

Think about securing your house from intruders. Nobody’s house is burglar proof. You lock your doors and windows, you subscribe to a security monitoring company, and you have two big dogs that mostly sleep in the living room but you claim that they’re your watchdogs. But, there are weaknesses.

You chose cheap locks, and sometimes, you forget to lock the windows when you go to bed. You put the dogs in the Kennel at night. Nothing bad has happened yet. You just know that there are certain vulnerabilities in your system.

The same is true for software. Developers sometimes write code that has inherent vulnerabilities built in. They either made mistakes when they were writing it or they didn’t follow the standard rules designed to prevent such things. Hackers, in contrast, write exploit code designed to leverage a specific software vulnerability.

In our house metaphor, a burglar walks up to the ground floor window in the middle of the night, notices that you forgot to lock the window, opens the window, and climbs into the house. The burglar has exploited the vulnerability. When hackers launch an exploit at a piece of software, they are looking to climb in a software window; to gain access to a system on the victim’s network. There is an entire portion of the cybersecurity industry dedicated to finding software vulnerabilities and getting them patched as quickly as possible so that hackers can’t do this.

Why is Mythos Significant

Before Mythos, the process of building reliable exploit code was extremely manual and expensive. Governments would pay anywhere from tens of thousands to over a million dollars for reliable exploit code, depending on the target (Source: Perlroth). It’s the reason that hackers only use exploit code in less than 20% of their attack campaigns (Source: 2025 Verizon DBIR). Most hackers can’t afford to pay for the exploit code development or don’t have the skill to build the exploit code themselves. Besides, there are far easier ways to gain access to a system then running expensive exploit code.

The reason that everybody is talking about mythos is because, among other things, it has greatly reduced the cost of developing exploit code. In the same way that large language models like ChatGPT, Claude, and Gemini are significant in the way those models can summarize large quantities of text relatively quickly, Mythos can scan software repositories, identify potential software vulnerabilities, and write exploit code that leverages those vulnerabilities in a fraction of the time our previous manual process required.

Restricting access to Mythos through Project Glasswing buys time, but not much. The underlying capability, scanning code for vulnerabilities and generating exploit code, already exists across competing AI systems. None of them have a purpose-built tool like Mythos yet. They will. And adversary nation-states like China and Russia almost certainly have this capability already. They're just not publishing press releases about it.

I have an old friend of mine who still works in the NSA. This past weekend, we met for breakfast with a bunch of old Army guys and Mythos was the conversation topic. We asked him if the NSA already had this capability. He just smiled and wouldn’t confirm one way or the other. He gave nothing away but I would bet $100 of my own money that the U.S. already has this capability and has for some time.

The Mythos Impact Minus the FUD

The impact is that, in the near future, the percentage of attack campaigns that use exploit code will start to go up; way past the 20% I quoted before, because the cost just dropped through the floor.

All of this sounds alarming, even FUD-Like, but in reality, the only thing that is significantly changing will be the volume of attack campaigns that use exploit code to compromise victims. It’s not a panic moment. It is a logical progression. Every infosec team of any size already runs some form of vulnerability management. The trick today is to scale those programs using the same technology; to discover new vulnerabilities quickly, and patch them before attackers can exploit them. The appropriate response is to focus on your own vulnerability management program to ensure that it can operate at greater speed and scale.

This generic company already has a process to identify and patch vulnerabilities. The question is whether those processes are fast enough in an environment where attackers may also be accelerating. This is where investments in automation, prioritization, and process efficiency become directly tied to reducing risk.

Last Thoughts

For the past 30 years, cybersecurity improved tactically but fallen short strategically. Security professionals, like me, made a bad assumption in the early days that cybersecurity risk was somehow technical and scary that it was different than all the other business risks. What still surprises me is that nobody called us on it sooner. In hindsight, they should have made us demonstrate how our efforts across the people-process-technology triad improved the risk posture of the business. Three decades later, we are all just now coming to the conclusion that we were wrong.

For the board, everything discussed in this essay reduces to one question: What is the probability of a material cyber event in the next year. Every cybersecurity dollar the board approves should demonstrably reduce the probability of a material loss within a defined time horizon. That’s first principle thinking.

New technologies like Mythos don't change the principle and don't require us to rebuild our programs from scratch. Mythos will make us to refocus our tactics. We will need to change our reaction velocity. If we’ve grounded our cybersecurity strategies in first principles though, they will hold. The adjustment is at the tactical level, operating at greater speeds, and ensuring our defenses keep pace with the evolving threat.

Resources

C. David Hylender, Philippe Langlois, Alex Pinto, Suzanne Widup, 2025. Data Breach Investigations Report [Report]. Verizon Business, URL: https://www.verizon.com/business/resources/reports/2025-dbir-data-breach-investigations-report.pdf

Gadi Evron, Rich Mogull, Robert T. Lee, Jen Easterly, Bruce Schneier, Chris Inglis, Phil Venables, Heather Adkins, Rob Joyce, Sounil Yu, Jim Reavis, Katie Moussouris, John N. Stewart, Maxim Kovalsky, Dave Lewis, Joshua Saxe, John Yeoh, Ramy Houssaini, 2026. The “AI Vulnerability Storm”: Building a “Mythos-ready” Security Program [White paper]. Cloud Security Alliance Lab Space, URL: https://labs.cloudsecurityalliance.org/mythos-ciso/

Helen Patton, Rick Howard, Larry Pesce n.d. This Is How They Tell Me the World Ends [Book Review]. Cybersecurity Canon Project. URL https://cybercanon.org/this-is-how-they-tell-me-the-world-ends/

Nicole Perlroth, 2021. This Is How They Tell Me the World Ends: The Cyberweapons Arms Race [Book]. Goodreads. URL https://www.goodreads.com/book/show/49247043-this-is-how-they-tell-me-the-world-ends

Rick Howard, First Principles Consulting [Company Page]. Cybersecurity First Principles, URL: https://cybersecurityfirstprinciples.com/

Rick Howard, 2023. Cybersecurity First Principles: A Reboot of Strategy and Tactics [2026 Canon Hall of Fame Book]. Amazon, URL: https://amzn.to/4mI7QMU

Rick Howard, 2023. Research on Why the Heat Maps are Poor Vehicles for Conveying Risk [Book Appendix]. The CyberWire, URL: https://www.n2k.com/cybersecurityfirstprinciplesbook

Staff, 7 April 2026. Project Glasswing [Announcement]. Anthropic, URL: https://www.anthropic.com/project/glasswing

Douglas Hubbard, Richard Seiersen, 2016. How to Measure Anything in Cybersecurity Risk [2018 Cybersecurity Canon Hall of Fame Book].

• Canon Review: https://cybercanon.org/how-to-measure-anything-in-cybersecurity-risk/

• Goodreads: https://www.goodreads.com/book/show/26518108-how-to-measure-anything-in-cybersecurity-risk

• Canon Interview:

If you have been putting off The Count of Monte Cristo because of its length, I am here to tell you that you are right to be scared and wrong to keep waiting.

Alexandre Dumas is an author I feel like I have always known about but have never read. His most popular novels (The Three Musketeers, The Man in the Iron Mask, and The Count of Monte Cristo) have well over 100 screen adaptations combined if you count silent films, TV movies, series, miniseries, and international productions. But I have never read any of the books. Over the New Years holiday, one our close family friends said that she was reading it and loving it, so I thought I would give it a try.

I’m glad that I did because it is an entertaining and complex soap-opera-revenge-story set in and around Italy and France just before and after the French defeated Napoleon at the Battle of Waterloo in 1815. But it is long; 60 hours of audio long. It took me three months to get through it. And there are a bazillion characters to keep track of. And as good as Dumas is, I had trouble keeping everybody straight.

The setup is relatively simple, but the execution of it is complex. A young Edmond Dantès is sabotaged by three colleagues and one magistrate over the jealousy of his fiancee, the envy of his promising naval career, indifference, and political self-preservation. His enemies frame him for a crime he didn't commit and send him to prison forever. While in prison, he meets an older-man-father-figure who teaches him various languages, math, philosophy, and the analytical framework that lets Dantès understand the conspiracy. Just before their get-away, the old man dies but not before he reveals the location of his secret treasure. Heartbroken, Edmond escapes anyway, recovers the treasure, and takes another 10 years planning his revenge. He shows up in Rome and in Italy as the Count of Monte Cristo, maybe the most wealthy person on the planet, and starts to pull the strings of his revenge plan on his four targets.

• The Count disgraces Fernand Mondego so badly that Mondego commits suicide.

• He exposes Gérard de Villefort’s hypocrisy to the world. The impact is that Villefort loses his family and goes insane.

• He gives Gaspard Caderousse a chance to reform but Caderousse can’t stay on that path. He dies as a direct consequence of returning to crime.

• He financially ruins Baron Danglars by preying on his greed. Danglars becomes a pauper but, at the end of the book and with a feeling of remorse, the Count spares his life.

Dantès carries out most of his revenge, but when innocent people suffer, he recognizes he’s gone too far. He spares Danglars, abandons further vengeance, and turns toward mercy rather than trying to justify his role as divine justice.

And I will say, Dumas sticks the landing. All of those bazillion characters I was talking about have a satisfying arc. And the resolution to it all is hopeful. The Count abandons the role of avenging angel, acknowledges he is not God and cannot perfectly administer justice, and in the final pages, delivers his final philosophy: wait and hope (“attendre et espérer).

But let me address the book’s length. Newspapers paid Dumas primarily through serialization contracts. Payment scaled with output volume, not literary minimalism. Expansive plots and large casts sustained serialization. The system rewarded length and continuity, so verbosity had economic upside. Dumas wasn’t counting words but he was absolutely operating in a system where more content = more money.

Dumas was one of the first “industrial-scale” novelists in history. He ran his writing career like a production company. He worked with collaborators, like Auguste Maquet, who would draft outlines, build historical scaffolding, and sometimes produce early versions of chapters. Dumas would then rewrite heavily, add dialogue, pacing, and injected iconic flair that made these kinds of books popular. He essentially built a content pipeline, 150 years before Hollywood writers’ rooms or modern media franchises.

He made enormous money but spent it faster than it was coming in. He built the extravagant Château de Monte-Cristo outside Paris, hosted constant parties, funded friends, and lived big. He was in perpetual debt and eventually exiled himself to Belgium to avoid creditors. He orchestrated numerous affairs and begat several children. He was financially reckless, socially dominant, politically engaged, and personally chaotic. And that combination is exactly why his books feel so alive. To adapt Thoreau’s Walden,

He lived deep and sucked out all the marrow of life.”

And by the way, the man could write.

Source

Alexandre Dumas (Author), Robin Buss (Translator), Bill Homewood (Narrator), 1844. The Count of Monte Cristo [Book]. Narrated by Bill Homewood. Goodreads. URL https://www.goodreads.com/book/show/7126.The_Count_of_Monte_Cristo

References

Kevin Reynolds (Director), 2002. The Count of Monte Cristo [Movie]. Letterboxd, URL: https://letterboxd.com/film/the-count-of-monte-cristo-2002/

KimMiE, 2025. The Count of Monte Cristo by Alexandre Dumas [Book Review]. Cannonball Read, URL: https://cannonballread.com/2025/04/the-count-of-monte-cristo-kimmie/

Other Books by Alexandre Dumas

Alexandre Dumas, 1844. The Three Musketeers [Book]. Goodreads, URL: https://www.goodreads.com/book/show/7190.The_Three_Musketeers

Alexandre Dumas, 1847. The Man in the Iron Mask [Book]. Goodreads, URL: https://www.goodreads.com/book/show/54499.The_Man_in_the_Iron_Mask

What if I told you the hunt for Satoshi Nakamoto is actually a masterclass in cyber risk forecasting?

The week, two New York Times journalists claimed to have solved one of the greatest internet mysteries of the past 20 years. They argue that the man behind the pseudonym of Satoshi Nakamoto, the creator of Bitcoin, is none other than Adam Back, a British cryptographer, inventor of Hashcash, CEO of Blockstream, and early cypherpunk enthusiast. Internet sleuths have had Mr. Back on a list of possibles for years, but with the NYTs analysis, he just became the frontrunner. One of the journalists, John Carreyrou, claims that he is between 99.5% and 100% confident about his forecast.

The reason this story caught my eye is that, to reach their conclusion, the journalists followed a loose Bayesian methodology, applied some basic Superforecasting techniques, and liberally leveraged a collection of Fermi Estimates to eliminate a field of over 1,000 suspects down to one name. And if this sounds familiar, it should. That collection of methods is identical to the methods I advocate for calculating cyber risk in my book, Cybersecurity First Principles.

Book

I think this Bitcoin case study is an illustrative example of how to apply that reasoning to another field.

Satoshi Nakamoto History

For those living under a rock for the past 20 years, Satoshi is the author pseudonym behind the famous 2008 paper, Bitcoin: A Peer-to-Peer Electronic Cash System, the paper that jump-started the entire cryptocurrency phenomenon. As Carreyrou put it, Satoshi

… revolutionized finance, spawned a $2.4 trillion industry and amassed one of the world’s biggest fortunes in one stroke of staggering genius.

But no one identified the real identity behind the pseudonym for two decades.

The Main Method: Stylometry

One technique that Carreyrou and his colleague, Dylan Freedman, used to narrow their search is called stylometry. Stylometry is the quantitative analysis of writing style to identify or compare authors. It treats writing as data, not prose, and assumes that every writer has unconscious writing patterns that investigators can use like a fingerprint. They look for things like:

• frequency of common words (“the,” “and,” “of”)

• sentence length and structure

• punctuation habits

• spelling preferences (e.g., “color” vs “colour”)

• function-word usage (the most important signal)

The technique started back in the 1850s but didn’t gain mathematical rigor until the 1960s. Frederick Mosteller and David L. Wallace published Inference in an Authorship Problem where they applied Bayesian statistics to discovering authorship of several essays in The Federalist Papers. Researchers argued over Federalist Nos. 49–58 and Nos. 62–63 as to whether Alexander Hamilton or James Madison wrote them. After their analysis, Mosteller and Wallace claimed that all of them were most likely written by Madison. Because of this work, historians now attribute authorship as follows:

• Alexander Hamilton: 51 essays

• James Madison: 29 essays

• John Jay: 5 essays

The bottom line is that stylometry measures those patterns statistically and compares them across texts.

Carreyrou and Freedman hired a Stylometry expert to go through reams of published papers, email, and chat room logs, recently released during discovery in a lawsuit that identified another individual as Satoshi Nakamoto. The expert did the analysis twice, but each time he said the evidence was inconclusive about naming Adam Back. Back’s writing style was too similar to other suspects.

Fermi Estimates to the Rescue

Carreyrou went back to the drawing board and took a deep dive into the material again. If he made some assumptions, could he reduce the suspect pool down to one man?

This is a textbook example of Fermi estimates. Take a large and narly complex problem, make some back-of-the-envelope estimates, and reduce the problem space until you find a ballpark answer. Carreyrou compiled a list of 42 pieces of evidence, call them connection quirks, like observations on calendar timelines and writing tics, that he applied to the suspect list. He talks about each in his article but I have summarized them here:

42 Pieces of Evidence

Of the 42, perhaps eight of them are strong signal indicators while the others are weaker. Over 15 of them are mostly noise. Here are the strongest indicators:

• 20: Awareness of Hashcash and b-money

• 22: Timeline

• 24: Hacked email

• 31: Writing Tics - sociolinguistic variation

• 32: “Web Money” and “proof-of-work”

• 33: “partial pre-image”

• 34: “burning the money”

• 35: Assumption List

In his article, Carreyrou talks about reducing the suspect list each time he applied one of those criteria. They started with over a thousand suspects.

• He reduced the pool to just over 600 by eliminating candidates who never discussed digital money.

• He reduced the list to 521 by correlating use of synonym-less words shared with Satoshi.

• He reduced the list to 325 by comparing Satoshi’s grammatical hyphenation errors.

• He narrowed the list further to 114 by grouping posters who sometimes confused “it’s” with “its” or vice versa.

• He reduced the list to 56 by screening for those who finished some sentences with “also” like Satoshi.

• He shrank the list down to 20 by selecting posters who wrote “bug fix” as two words and “halfway” and “downside” as one word.

• He got the list down to eight by eliminating posters who, unlike Satoshi, correctly hyphenated the compound adjectives “noun-based” and “file-sharing” but did not hyphenate the compound noun “double spending.”

• Finally, when he compared the remaining eight suspects who alternated between using “e-mail” and “email,” “e-cash” and “electronic cash,” “cheque” and “check” and the British and American forms of the word “optimize” like Satoshi did, only one name popped out as matching all of that criteria: Adam Back.

Not a Slam Dunk

Clearly this isn’t as rigorous as a formal Stylometry assessment like Mosteller and Wallace’s. Carreyrou’s claim that he is 99.9% confident with the answer is suspect. It’s extremely high and isn’t represented as a range.

My own Superforecasting range is relatively lower. On the skeptical side, I weigh the stylometry inconclusiveness and Back’s direct correspondence with Satoshi more heavily. On the optimistic side, I weigh the British language clues, the Hashcash/cypherpunk lineage, and Carreyrou’s Fermi estimates more heavily.

In either case, Adam Back is the clear front-runner.

If you put a gun to my head and made me bet which person is the most likely suspect behind the Satoshi Nakamoto alias, I would put my money on Adam Back.

Take Away

If you follow internet lore, the hunt for Satoshi Nakamoto is irresistible. Who wouldn’t want to uncover the man behind Bitcoin?

But the larger point for me is how John Carreyrou applied a disciplined way of thinking to produce a high-confidence estimate. He used Superforecasting techniques, a little bit of Bayesian reasoning, and Fermi estimation to reduce massive uncertainty into a tractable forecasting problem. That’s the same playbook we should be using in cybersecurity. We rarely get perfect data. We rarely get certainty. But we can systematically make good-enough cybersecurity forecasts, using these same procedures, that are in the right order of magnitude so that we can make resource decisions. This case study is about Bitcoin, but it’s also about how to think clearly when there is no data.

Source

John Carreyrou With Dylan Freedman, 2026. My Quest to Solve Bitcoin’s Great Mystery [Analysis]. The New York Times, URL: https://www.nytimes.com/2026/04/08/business/bitcoin-satoshi-nakamoto-identity-adam-back.html

References

Alexander Hamilton, John Jay, James Madison, 1788. The Federalist Papers [Analysis]. Project Gutenberg. URL https://www.gutenberg.org/cache/epub/18/pg18-images.html

Cullen Hoback (Writer, Director), 2024. Money Electric: The Bitcoin Mystery [Documentary]. HBO - IMDb, URL: https://www.imdb.com/title/tt33600145/?ref_=vp_close

Frederick Mosteller, David L. Wallace, 1963. Inference in an Authorship Problem [Journal]. Journal of the American Statistical Association, URL: https://ptrckprry.com/course/ssd/reading/Most63.pdf

John Carreyrou, 2026. Who Is Satoshi Nakamoto, the Creator of Bitcoin? This Investigation May Have the Answer [Podcast]. The New York Times, URL: https://www.nytimes.com/2026/04/09/podcasts/the-daily/satoshi-nakamoto-bitcoin-creator.html

John Carreyrou, Natalie Kitroeff, 2026. Who Is Satoshi Nakamoto? [Podcast Transcript]. The New York Times, URL: https://www.nytimes.com/2026/04/09/podcasts/the-daily/satoshi-nakamoto-bitcoin-creator.html

Kevin Roose, Casey Newton, 2024. A Flood of A.I. Slop + Searching for Satoshi + the Hot Mess Express Returns [Podcast]. Podcast Addict, URL: https://podcastaddict.com/hard-fork/episode/184042839

Nathaniel Popper, 2015. Decoding the Enigma of Satoshi Nakamoto and the Birth of Bitcoin [Analysis]. The New York Times, URL: https://www.nytimes.com/2015/05/17/business/decoding-the-enigma-of-satoshi-nakamoto-and-the-birth-of-bitcoin.html

Philip Tetlock, Dan Gardner, 2015. Superforecasting: The Art and Science of Prediction [2023 Canon Hall of Fame Book]. Cybersecurity Canon Project. URL: https://cybercanon.org/superforecasting-the-art-and-science-of-prediction/

Rick Howard, Andy Greenberg, 2022. Andy Greenberg Interview: Tracers in the Dark. [Podcast]. The CyberWire, URL: https://thecyberwire.com/podcasts/cso-perspectives/95/transcript

Rick Howard, 2023. Cybersecurity First Principles: A Reboot of Strategy and Tactics [2026 Canon Hall of Fame Book]. Cybersecurity Canon Project, URL: https://cybercanon.org/cybersecurity-first-principles-a-reboot-of-strategy-and-tactics/

Rick Howard and Brandon Karpf, 2026. First Principles Risk Forecasting Workshop [Online Workshop]. Learning First Principles, URL: https://learnfirstprinciples.com/

Rick Howard (Editor), 2026. Satoshi Evidence from Carreyrou NYT Article [Summary]. Google Docs, URL: https://docs.google.com/document/d/1E02rgDkP7-VuTkgoLq26vbs9VkhrGulLFz9-lm1REOI/edit?tab=t.0#heading=h.q3tjfl1vsi12

Satoshi Nakamoto, 2008. Bitcoin: A Peer-to-Peer Electronic Cash System [Historic and Important Paper]. Bitcoin. URL https://bitcoin.org/bitcoin.pdf

Sharon McGrayne, 2011. The Theory That Would Not Die: How Bayes’ Rule Cracked the Enigma Code, Hunted Down Russian Submarines, and Emerged Triumphant from Two Centuries of Controversy [2024 Canon Niche Nominated]. Cybersecurity Canon Project, URL: https://cybercanon.org/the-theory-that-would-not-die-how-bayes-rule-cracked-the-enigma-code-hunted-down-russian-submarines-and-emerged-triumphant-from-two-centuries-of-controversy/

Staff, NA. cryptoanarchy.wiki - Cypherpunks Mailing List Archive [Wiki]. cryptoanarchy.wiki, URL: https://mailing-list-archive.cryptoanarchy.wiki/

Thomas Bayes, 1763. An Essay towards solving a Problem in the Doctrine of Chances [journal]. Philosophical Transactions of the Royal Society of London, URL: https://royalsocietypublishing.org/doi/epdf/10.1098/rstl.1763.0053

Will Stephenson, 2025. The Mysterious Mr. Nakamoto [Book Review]. The New York Times, URL: https://www.nytimes.com/2025/03/29/books/review/benjamin-wallace-the-mysterious-mr-nakamoto.html

Natalie Kitroeff, John Carreyrou, Adam Back, 2026. Unmasking the Creator of Bitcoin [Video]. New York Times Podcasts - YouTube, URL:

Barely Sociable, 2020. Bitcoin - Unmasking Satoshi Nakamoto [Video]. YouTube, URL:

My generation worries about self-aware AI, like the Terminator from the movies, but the real threat doesn’t need consciousness at all.

I’ve been thinking about this in conjunction with one of my favorite novels: Daemon by Daniel Suarez. He and his wife self-published it back in 2006. First, it’s a ripping near-future techno-thriller that should have been made into a movie by now. Come on Netflix, this is the perfect two-season story for a network like yours. The book is a Cybersecurity Canon Niche Book and I wrote the review back in 2015. But as modern AI systems get more and more impressive, I’ve been in awe about how closely the author, Daniel Suarez, described where we are today some two decades ago.

Daemon Canon Book Review

AGI - The Singularity - The Terminator

The main bad guy is a post-AGI piece of software called The Daemon; named after those little Unix daemons that pop up, perform a task, and then disappear.

AGI stands for Artificial General Intelligence. It’s an AI research milestone where AI systems become better than all humans at all tasks; not just some humans and some tasks, but all of them.

When Daniel Suarez wrote it, and even when I read it a decade later, most people had never heard of AGI. The AI research community had been discussing the concept for years. Ben Goertzel’s 2006 book Artificial General Intelligence helped formalize the term. But for the general public, “AI” still meant something closer to the 1984 Terminator movie, where an AI system suddenly becomes self-aware and decides to wipe out humanity.

I want to distinguish the term “AGI” from from the phrase “The Singularity” which happens later on the AI research milestone timeline. Ray Kurzweil popularized the concept in his 2005 book The Singularity Is Near. It’s the milestone when AGI systems have been recursively self improving themselves so fast that humans can’t comprehend or control.

The Book’s Story

That’s where Suarez sets the story. Matthew Sobol is a wealthy owner of a “World of Warcraft (WOW)” type of video game called The Citadel. In the real world, back in 2006, WOW dominated the MMO (Massively Multiplayer Online) market with as many as 7 million subscribers. In the book, The Citadel is similar.

Sobol is a systems thinker but he sees existing institutions (corporate, legal, economic) as corrupt, fragile, and misaligned. He builds an alternative system, the Daemon, first using the Citadel as an AGI prototype, but eventually moving the prototype out into the real world to compete with and replace existing corrupt structures.

The Daemon uses coercion, violence, and manipulation to subordinate individuals to system-level outcomes. It embeds itself across global networks. It recruits people and systems, manipulates financial systems, and orchestrates real-world events through automated triggers. It operates like a distributed control system by leveraging surveillance, gaming mechanics, and incentives to build a decentralized organization that challenges governments and corporations. As law enforcement and security experts scramble to understand the threat, they discover the system is not just malicious. It’s adaptive, resilient, and guided by a coherent ideology.

All of this kicks off after Sobol dies at the beginning of the book. When Sobol finds out that he is dying from terminal brain cancer, he uses that time to design, test, and deploy the Daemon. The reader experiences what may be considered to be a post-apocalyptic, good-guy-vs-bad-guy story. But, even with all of the violence and damage to institutions worldwide, Suarez implies that there will be benefits too:

• Reduced corporate and institutional corruption: The Daemon bypasses traditional power structures (banks, corporations, governments) and enforces transparent, rule-based interactions.

• Efficient resource allocation: Labor is matched to problems in near real-time.

• Alternative economic system: Think cryptocurrencies before it became a thing. The Daemon builds a parallel economy that operates outside state control.

• Individual Empowerment: Skills and competence matter more than credentials.

• Local Community Restoration: Encourages localized production and self-sufficiency.

• Security through automation: The Daemon enforces rules consistently. The system deters crime through predictable, automated consequences.

• Incentives Alignment: Participants are incentivized to cooperate, contribute and follow system rules.

But every “benefit” comes with a tradeoff:

• Coercion replaces consent.

• Algorithmic control replaces human judgment.

• Violence is used to enforce compliance.

The bottom line is that a system that fixes real problems can still be dangerous if it removes human agency.

Forecasting the AGI Timeline

The Daemon isn’t the Terminator. It’s not self-aware. In fact, Suarez said he intentionally tried to tell a story that wasn’t Terminator-like. The Daemon operates autonomously and irreversibly on its own following the goals set by Sobol; just like giving Claude Work a goal to solve some problem today, but at a global scale.

I’ve been vibe coding with Chat GPT to write simple helper apps for about six months. And I’ve just recently dipped my toe into Claude Code. Because of that experience, and my general observation regarding the rapid improvement of AI systems in general, I’m starting to think the claims about imminent Artificial General Intelligence (AGI) may be justified. All the AI companies’ marketing teams think the industry might reach that milestone before 2030. Until just recently, I’ve been skeptical of that marketing hype. Still, it is possible. Putting my Superforecaster hat on, my first cut at estimating the probability of reaching the AGI research milestone is this:

• ~20% chance by 2030

• ~50% chance by 2040

• ~70%+ by 2050

Now, that’s a giant SWAG (Swinging-Wild-Ass-Guess) but I have more confidence in that forecast than I do the AI marketing teams’ forecast.

Once we reach the AGI milestone though, whenever that happens, there will be a Post-AGI ramp where systems start improving themselves and capability begins to exceed human level expertise and control. At some point, we will reach the singularity. I have this nagging feeling though that because of the AGI system’s property of exponential improvement, the Post-AGI ramp might be very short. This is the setting of Suarez’s book.

Take Away

The novel explores how software can enforce rules, coordinate behavior, and outmaneuver traditional institutions. At its core, Daemon argues that autonomous code, once unleashed at scale, can become a governing force that blurs the line between tool and actor in modern society. At first glance, the reader might think this is one bad way it could go in a Post-AGI world. But in Suarez’s sequel, Freedom, he implies that this new way might be a better way and the only way to get there is to reboot society with violence and automation. The jury is out on that premise. Only you can be the judge.

Still, the book is a lot of fun and on that criteria alone, it’s worth the read. But it’s also one of those books that you think about long after you’ve read it. I’ve been doing it for over a decade and I’m still seeing things I didn’t notice when I first read it.

Source

Daniel Suarez, 2006. Daemon [2015 Canon Niche Nominated Book]. Goodreads, URL: https://www.goodreads.com/book/show/6665847-daemon

References

Ben Goertzel, 2006. Artificial General Intelligence [Book]. Goodreads, URL: https://www.goodreads.com/book/show/1651355.Artificial_General_Intelligence

Brandon Karpf, Rick Howard, 2026. First Principles Risk Forecasting: The missing implementation chapter for quantitative risk forecasting [Workshop Tools] URL: https://learnfirstprinciples.com/

Daniel Suarez, 2010. Freedom™ (Daemon, #2) [2015 Canon Niche Nominated Book]. Goodreads, URL: https://www.goodreads.com/book/show/8488830-freedom

James Cameron (Director), Linda Hamilton (Actor), Arnold Schwarzenegger (Actor), Michael Biehn (Actor), 1984. The Terminator [Movie]. Letterboxd, URL: https://letterboxd.com/film/the-terminator/

Matteo Wong and Lila Shroff, 2026. Silicon Valley Is in a Frenzy Over Bots That Build Themselves [Analysis]. The Atlantic, URL: https://www.theatlantic.com/technology/2026/04/ai-industry-self-improving-bots/686686/

Ray Kurzweil, 2005. The Singularity is Near: When Humans Transcend Biology [Book]. Goodreads, URL: https://www.goodreads.com/book/show/83518.The_Singularity_is_Near

Rick Howard, 2015. Daemon and Freedom [2015 Canon Niche Nominated Book Review]. CyberCanon, URL: https://cybercanon.org/daemon-and-freedom/

Rick Howard, 2025. Vibe Coding a Bayesian Thought Experiment [Explainer]. Rick’s First Principles Newsletter. URL https://diffuser.substack.com/p/vibe-coding-a-bayesian-thought-experiment

Thomas Bayes, 1763. An Essay towards solving a Problem in the Doctrine of Chances [Journal]. Philosophical Transactions of the Royal Society of London, URL: https://royalsocietypublishing.org/doi/epdf/10.1098/rstl.1763.0053

Tyler DFC, 2010. Don’t Be A Cog in the Wheel [Book Review]. Pajiba, URL: https://www.pajiba.com/book_reviews/book-review-daemon-by-daniel-suarez.php

Zoey Yang, 2024. Daemon: A Tech Thriller That Deserves to Hit the Screen(Score: 4.1/5) [Book Review]. Medium, URL: https://medium.com/@PurrCoderHickory/daemon-a-tech-thriller-that-deserves-to-hit-the-screen-4dabdb78d4b3

Daniel Suarez, 2009. Daniel Suarez, author of Daemon [Video]. YouTube, URL:

Gregory Warner, 2025. The Last Invention, EP 1: Ready or Not [Podcast]. Longview - YouTube. URL

Hot Take

This book is likely the first public account of a cyber espionage campaign, orchestrated by the Russians in the late 1980s, leveraging German hacker mercenaries, to infiltrate U.S. academic institutions as a pathway into U.S. government systems. It’s the book that launched many a cybersecurity career for practitioners of a certain age (Read that as “old as dirt.”)

That said, I think it might be time to move this classic from the must-read pile to the historical-archive pile.

My History

I first read this book back in 1989 when I was in grad school. The U.S. Army sent me to the Naval Postgraduate School to get educated on how to become an Army automator. Read that last sentence again and you will get the flavor of Army thinking at the time (Navy school → Army Automator. Hey, don’t ask me. I just worked there.)

Instead of working on my graduate thesis (which I was far behind on), I devoured this book over a weekend. It was a revelation. For me, and many of my peers both in the service and out, this book created the path to a cybersecurity profession. It showed that cybersecurity could be a career.

For the next 30 years

Stoll’s book was the first thing I handed to newbies when they came to work for me. I recommended it whenever anybody asked me how to break into the field. It was one of the first books I reviewed when I started the Cybersecurity Canon Project many years ago.

My 2013 Canon Review

And it was one of the first books that the Cybersecurity Canon committee inducted into the Hall of Fame back in 2016 along with Kim Zetter’s Countdown to Zero Day and Brian Krebs’ Spam Nation.

But, a couple of weeks ago, the Cybersecurity Canon Project and the Cyber Guild selected this book for our joint quarterly discussion. This group of about 30 northern virginia-cybersecurity-nerds meets regularly to talk about Canon Hall of Fame titles. I’m the facilitator, but I was a bit concerned. After all, the book is nearly 40 years old. I wondered whether it would still resonate. Would younger readers still see it as an inspiration even though it takes place in a world where

• Nobody had direct Internet access at home.

• CompuServe was a primary gateway to being online.

• AOL didn’t become a thing until 1993.

• The web browser didn’t exist either.

• NCSA Mosaic didn’t show up until 1993.

• Cell phones were the size of bowling balls.

• Most home computers ran DOS on IBM PCs (or clones).

• Macs were for the cool kids, but they were niche.

• Unix powered the serious university and government computers, but those systems were far removed from anything ordinary users ever experienced.

Still, Dr. Stoll did invent incident response. Despite the new tooling available today, his method is largely unchanged. And we still haven’t solved the problem of information sharing with the government (something that Stoll complained about for the entire book). And the weakness that the German hackers leveraged across the U.S. networks was the inability of users to pick good passwords. Remarkably, this remains a problem some 60 years after Dr. Fernando Corbató introduced computer passwords at MIT.

The question is, do those facts make the book a must-read in 2026?

I don’t think so.

My First Love

Stoll’s “Cuckoo’s Egg” was my first love in the technology space. And it’s tough to let go of something that powerful. The thing that sealed the deal for me, the thing that cemented my love affair with it, was after I finished the book. I immediately wrote a gushing email to the author proclaiming that the book completely changed my view of the world. Back then, email was so new that authors put their real email addresses into their books. Dr. Stoll answered me in 15 minutes. That was it. I was hooked.

But, as much as I hate to admit it, even with an incipient love letter chain started, I think it’s time to make a clean break. Like the Ariana Grande song says: “thank you, next.” Cuckoo’s Egg shaped how I see the world. But after 40 years, it’s time to move on.

Source

Clifford Stoll, 1989. The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage [2016 Canon Hall of Fame Book].

• Goodreads. URL https://www.goodreads.com/book/show/18154.The_Cuckoo_s_Egg

• Cybersecurity Canon Review: https://cybercanon.org/the-cuckoos-egg/

• Buy URL: https://amzn.to/3JWAhsb

• Buy URL: https://bookshop.org/a/119420/9781416507789

Reference

Brian Krebs, 2014. Spam Nation: The Inside Story of Organized Cybercrime — from Global Epidemic to Your Front Door [2016 Canon Hall of Fame Book].

• Goodreads URL: https://www.goodreads.com/book/show/18509663-spam-nation

• Canon URL: https://cybercanon.org/spam-nation/

• Buy URL: https://amzn.to/4o0m5wz

Clifford Stoll, 1988. STALKING THE WILY HACKER [Journal Article]. COMMUNICATION OF THE ACM, vol. 31. No. 5. URL http://pdf.textfiles.com/academics/wilyhacker.pdf

Clifford Stoll, 1996. Second Thoughts on the Information Highway [Presentation]. C-SPAN. URL https://www.c-span.org/program/public-affairs-event/second-thoughts-on-the-information-highway/132866

Clifford Stoll, 1999. High Tech Heretic [Book Discussion. C-SPAN. URL https://www.c-span.org/program/book-tv/high-tech-heretic/133700

Clifford Stoll, Brian Lamb, 1996. Cuckoo’s Egg Discussion [Author Interview]. C-SPAN. URL https://www.c-span.org/program/public-affairs-event/second-thoughts-on-the-information-highway/132866

Clifford Stoll, 2008. Clifford Stoll: Astronomer, educator, skeptic [Bio]. TED Talks. URL https://www.ted.com/speakers/clifford_stoll

Clifford Stoll, 2008. The call to learn [Ted Talk]. TED. URL https://www.ted.com/talks/clifford_stoll_the_call_to_learn

Clifford Stoll, n.d. Acme Klein Bottle [Company Web Page]. URL https://www.kleinbottle.com/

Clifford Stoll, n.d. Why read The Cuckoo’s Egg? [Book Explainer]. Book DNA. URL https://bookdna.com/book/the-cuckoos-egg

David Kahn, 1967. The Codebreakers: The Comprehensive History of Secret Communication from Ancient Times to the Internet [Book]. Goodreads. URL https://www.goodreads.com/book/show/29608.The_Codebreakers

James Bamford, 1982. The Puzzle Palace: Inside the National Security Agency, America’s Most Secret Intelligence Organization [Book]. Goodreads. URL https://www.goodreads.com/book/show/804860.The_Puzzle_Palace

John Markoff, 1989. West Germans Raid Spy Ring That Violated U.S. Computers [News]. The New York Times. URL https://www.nytimes.com/1989/03/03/world/west-germans-raid-spy-ring-that-violated-us-computers.html

Kim Zetter, 2014. Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon [2016 Canon Hall of Fame Book].

• Goodreads URL: https://www.goodreads.com/book/show/18465875-countdown-to-zero-day

• Canon Review URL: https://cybercanon.org/countdown-to-zero-day-stuxnet-and-the-launch-of-the-worlds-first-digital-weapon/

• Amazon Buy URL: https://amzn.to/3JVc99m

Staff, n.d. GNU Emacs [Product Page. GNU Project. URL https://www.gnu.org/software/emacs/

Staff, n.d. The 1988 Morris worm, the internet’s first cyberattack [History]. Lawrence Livermore National Laboratory. URL https://st.llnl.gov/news/look-back/1988-morris-worm-internets-first-cyberattack

William E. Burrows, 1986. Deep Black: Space Espionage and National Security [Book]. Goodreads. URL https://www.goodreads.com/book/show/887319.Deep_Black

Ariana Grande, 2018. thank u, next (Official Video) [Music Video] YouTube

Cliff Stoll, 2013. The KGB, the Computer, and Me. [WWW Document]. NOVA - YouTube. URL

Clifford Stoll, 2017. Secrets to measuring a piece of paper [Explainer]. Numberphile - YouTube. URL

Cliff Stoll, 2017. (Still) Stalking the Wily Hacker [Keynote]. SANS Digital Forensics and Incident Response CTI Summit - YouTube, URL:

I’m conducting a two-hour hands on risk forecasting workshop with my colleague Brandon Karpf today. If you’re in town, come on by. I would love to see.

But if you can’t make that, I’m doing a book signing for my Cybersecurity First Principles book over at the book store immediately after.

See you there!

RSAC 2026 is occurring March 23-26! Here is your one-stop shop for RSAC sessions or activities with ties to the Cybersecurity Canon!

The sections below include Book Signings, Canon Author and Committee Member Speaking sessions, Birds of a Feather sessions, and even representation at College Day.

Book Signings: Opportunities with Authors of Hall of Fame/Nominated

Author: Ross Haleliuk

• Book: Cyber for Builders, Hall of Fame Nominee

• When: Tuesday, Mar 24 at 11 AM PDT (after Ross’ speaking session)

• Where: RSAC Bookstore

Author: Helen Patton

• 2025 Hall of Fame winner for Navigating the Cybersecurity Career Path

• Book: Switching to Cyber: The Mid-Career Guide to Launching a Cybersecurity Career

• When: Tue 3/24 at 1pm

• Where: RSAC bookstore

Author: Rick Howard (Me)

• Book: Cybersecurity First Principles: A Reboot of Strategy and Tactics, 2026 Hall of Fame Winner

• When: Tuesday 3/24 at 3:45pm

• Where: RSAC bookstore

Author: Cassie Crossley

• Book: Software Supply Chain Security: Securing the End-to-End Supply Chain for Software, Firmware, and Hardware

• When: Thursday, Mar 26 1:00 - 1:45 PM PDT

• Where: RSAC bookstore

CyberCanon’s Hall of Fame Authors and Committee Member’s Sessions

MONDAY

Author: Caroline Wong

• Books: Security Metrics: A Beginner’s Guide, Hall of Fame Nominee

• Session 1:The Foundations of AI

• When: Monday, Mar 23 8:30 AM - 9:20 AM PDT

CyberCanon Committee Member: Adrian Sanabria

• Session: A Failure Is a Terrible Thing to Waste: The Case for Breach Transparency

• When: Monday, Mar 23 9:40 AM - 10:30 AM PDT

Author: Nicole Perlroth

• Author of To Catch a Thief: China’s Rise to Cyber Supremacy and Hall of Fame book: This Is How They Tell Me The World Ends

• Session 1: Resilient Infrastructure as National Defense: The Digital Front Line

• When: Monday, Mar 23 9:40 AM - 10:30 AM PDT

CCC Member & Author: Cassie Crossley

• Author of Software Supply Chain Security

• Session: Panel: Preparing for the EU Cyber Resilience Act

• When: Monday, Mar 23 1:00 - 1:45 PM PDT

Canon Committee Member: Meghan Jacquot

• Session: Belonging in Cyber: Building a Trusted Community

• When: Monday, Mar 23 1:10 PM - 2:00 PM PDT

Author: Roger Grimes

• Author of Hall of Fame Nominee book: Preparing for the Day When Quantum Computing Breaks Today’s Crypto

• Session: Who Would Fall for That? Foundations of Avoiding Scary Scams

• When: Monday, Mar 23 2:20 PM - 3:10 PM PDT

TUESDAY

Author: Ross Haleliuk

• Author of HoF Nominee “Cyber for Builders”

• Session: Inside the Network Live: Winning as an Incumbent in the Age of AI

• When: Tuesday, Mar 24 9:40 AM - 10:30 AM PDT

Author: George Kurtz

• Co-author of Hall of Fame book Hacking Exposed with Stuart McClure, Joel Scambray

• Session 1: The Crash Test is Over: New Standards of Command for AI Safety

• When: Tuesday, Mar 24 10:50 AM - 11:10 AM PDT

Author: Rick Howard (Me)

• Presenting with Brandon Karpf

• Session: LAB2-T09 - First Principles Risk Forecasting: From Theory to Practice

• When: Tuesday, Mar 24 1:15 PM - 3:15 PM PDT

WEDNESDAY

Author: Sounil Yu

• Author of: Cyber Defense Matrix: The Essential Guide to Navigating the Cybersecurity Landscape

• Session: When Dollars Don’t Make Sense: Rethinking Cyber Risk Quantification

• When: Wednesday, Mar 25 9:40 AM - 10:30 AM PDT

Author: Rock Lambros

• Book: The CISO Evolution: Business Knowledge for Cybersecurity Executives with Matthew Sharp)

• Session: The Unsolvable Problem: Right to Erasure and Irreversible Nature of LLMs

• When: Wednesday, Mar 25 9:40 AM - 10:30 AM PDT

CCC member & Author: Cassie Crossley

• Author of Software Supply Chain Security

• Session: Panel: Supply Chain Under Siege: Strategic Defense in a Regulated World

• When: Wednesday, Mar 25 1:15 - 2:05 PM PDT

Author: Brian Krebs

• Author of Hall of Fame book: Spam Nation

• Session: From Infiltration to Disruption: Taking on the Russian Cyber Mob

• When: Wednesday, Mar 25 1:15 PM - 2:05 PM PDT

Canon Co-Founder and Author: Helen Patton

• Author of the 2025 Hall of Fame winner, Navigating the Cybersecurity Career Path, and also author of Switching to Cyber: The Mid-Career Guide to Launching a Cybersecurity Career

• Session: Beyond Jericho: Salvaging Zero Trust from Buzzword Bingo

• When: Wednesday, Mar 25 1:15 PM - 2:05 PM PDT

Author: Caroline Wong

• Author of Hall of Fame Nominee book: Security Metrics: A Beginner’s Guide

• Session 2: The Fundamentals Forum: Let’s Get Back to Basics

• When: Wednesday, Mar 25 2:25 PM - 3:15 PM PDT

Author: Bruce Schneier

• Lifetime Achievement Author of Secrets and Lies, Data and Goliath, and Click Here to Kill Everybody

• Session: Integrous System Design

• When: Wednesday, Mar 25 2:25 PM - 3:15 PM PDT

THURSDAY

Author: Nicole Perlroth

• Author of To Catch a Thief: China’s Rise to Cyber Supremacy and Hall of Fame book: This Is How They Tell Me The World Ends

• Session 2: The Cyber Threat Landscape: Year in Review, Future in Focus

• When: Thursday, Mar 26 8:30 AM - 9:20 AM PDT

Author: George Kurtz

• Co-author of Hall of Fame book Hacking Exposed with Stuart McClure, Joel Scambray

• Session 2: Hacking Exposed

• When: Thursday, Mar 26 10:50 AM - 11:40 AM PDT

Bird of Feather sessions

Author: Kelly Shortridge

• BoF Topic: Adapting to the Unknown: Resilience Engineering in a Time of Chaos

• Book: Security Chaos Engineering: Sustaining Resilience in Software and Systems, 2026 Hall of Fame Winner

• When: Monday, Mar 23 1:10 PM - 2:00 PM PDT

CCC Member & Author: Cassie Crossley

• BoF Topic: Exploitable or Not? CRA-Ready Product Security Triage for CVEs

• Cassie is the author of Software Supply Chain Security

• When: Thursday, Mar 26 1:00 - 2:20 PM PDT

Other

College day: Meghan Jacquot of the CyberCanon Committee is volunteering at College Day to help give feedback to college students on their resumes

Next week I’ll be at the RSA Conference in San Francisco wearing a few different hats.

Cybersecurity Canon – I’ll be recruiting new volunteers and committee members, talking with vendors about partnerships, and spending some time at the conference bookstore concierge desk.

First Principles Consulting – I’m meeting with clients and Substack readers, and hopefully connecting with a few new ones.

Author – I’ll also be running a hands-on risk forecasting workshop based on Cybersecurity First Principles and doing a book signing at the conference bookstore.

RSA week tends to fill up fast, but if you’re attending and want to grab a coffee, I’d love to meet. My calendar is already getting tight, but if we can find an opening, let’s make it happen.

Schedule a meeting at RSA

Here is my schedule as it stands now:

Cybersecurity Canon Committee Breakfast

When: Tuesday, Mar 24, 7AM

Where: Mel’s Drive-In, 801 Mission St, San Francisco, CA 94103, USA

Who’s Invited: All Committee and staff

Book Signing:

Author: Rick Howard
Book: Cybersecurity First Principles: A Reboot of Strategy and Tactics

When: Tuesday 3/24 at 3:45pm
Where: RSAC bookstore

Workshop:

Session: LAB2-T09 - First Principles Risk Forecasting: From Theory to Practice

When: Tuesday, Mar 24 1:15 PM - 3:15 PM PDT

Cybersecurity Canon Book Store Concierge Desk

When: Tuesday and Wednesday, Mar 24 and 25th, 2-4 PM

Where: RSA Book Store at Moscone Center

Since the start of the year, I’ve been working my way toward this essay. If you run a Substack called Rick’s First Principles and you’ve spent an entire career in cybersecurity, sooner or later you have to answer the obvious question: what is the actual first principle of cybersecurity?

I wrote three essays to prep the ground.

• The first explains why first-principle thinking matters at all (First Principle Thinking).

• The second looks at who else has tried to define cybersecurity first principles (Prior Research on Cybersecurity First Principles).

• The third examines what most security professionals claim the first principle is and why those answers fall short (The Cybersecurity Ballot: Meet the Perennial Candidates).

The main lesson from the Perennial Candidates essay is that the usual answers miss the mark. They are either too simple or too tactical. They focus on technical activities: preventing exploits, blocking malware, detecting and removing attacker tools, following compliance checklists, or meeting legal requirements. All of those things matter. But none of them explain the real purpose of a security program. When you read these candidates, the reaction is immediate: Yes, that’s useful, but what about everything else? Each one addresses a narrow slice of the problem. None of them describes the whole mission in terms that senior leadership can understand.

There’s another issue. These candidates are binary tasks. Either you complete them or you don’t. There’s no middle ground.

With that groundwork in place, it’s time to put a stake in the ground and describe what I believe the true cybersecurity first principle is.

Think in Terms of Probabilities

Instead of a binary metric, we should be thinking in terms of a sliding scale, something like a probability. We need to build a program that matches leadership’s risk appetite toward the business. Our first principle program should drive us closer to reducing the probability of a cyber adversary damaging the business. That gives us some planning room. For example, we can tell the boss that because we invested X amount of dollars on a new security tool or a new security function, we reduced the probability of an adversary group damaging the business from 20 percent to 15 percent. When we present the infosec program in that manner, then leadership can evaluate whether the spend for the project was worth the effort.

And if it does happen, an adversary successfully steals our intellectual property or encrypts our data, the infosec program is not an instant failure. We didn’t tell the boss that we would stop all adversary campaigns. We told them that we would reduce the probability of a successful one.

That’s getting closer to our absolute first principle. It’s no longer a binary question because we couched it in terms of probabilities for the leadership to consider. But it’s still missing something. It’s still too broad and will cause us to spend resources on things that aren’t important.

Think in Terms of Materiality

What’s missing is a discussion of materiality. Face it, not everything on your network is essential. If the bad guys compromise Luigi’s laptop and steal the menu for the lunch special in the company cafeteria, maybe we don’t need to call in the FBI for that one. You might be a little embarrassed, but the exfiltration of the lunch menu to the APT’s command-and-control server in Tajikistan will not cause the company much heartburn. So, why then would we spend a lot of resources trying to protect it?

I don’t know about you, but the volume of resources that I typically get to spend on cybersecurity has never been infinite. If you try to spread that volume thinly over everything, you run out of resources before you run out of things to do anyway. The projects that you did funnel money to are likely not funded completely enough to solve the entire problem. That’s like trying to feed a platoon of neighborhood teenagers with one spoonful of Jif peanut butter (extra crunchy of course). Nobody is going to be satisfied at the conclusion of that exercise. The clear answer is to focus only on what is material to the business. Everything else is nice to have.

Public Company Materiality

If you’re a public company, Supreme Court Justice Thurgood Marshall crafted the landmark judicial definition of materiality in 1976. He wrote in the TSC Industries vs Northway case that a fact is “material” if there is

... a substantial likelihood that a reasonable shareholder would consider it important in deciding how to vote … [or] ... a substantial likelihood that the disclosure of the omitted fact would have been viewed by the reasonable investor as having significantly altered the ‘total mix’ of information made available.”

Phew! That is a mouthful. Let me restate that in English. For a public company in the United States, “materiality” is any event that significantly impacts share value.

That seems straightforward enough until you view it through the lens of cybersecurity. Except for some obvious significant public cyber attacks, like the 2017 Russian NotPetya campaign where the total estimated damage worldwide was north of $10 billion, network defenders have struggled with articulating materiality. Historically, public companies have never really addressed cybersecurity material risk in their earnings calls; at least, not as a matter of course. Business leaders and infosec professionals haven’t had the language to bridge the gap between typical business materiality issues, like mergers and acquisitions, and the infosec professional’s favorite tool to convey cybersecurity risk, the heat map.

That started to change in 2023. The U.S. Securities and Exchange Commission, the SEC, approved a new rule for all public companies: Leadership must report material cyber events within four business days. All of a sudden, cybersecurity materiality became a real thing that security practitioners in public companies needed to worry about. Every public company CISO worth their salt made a beeline to the CFO’s office in order to come to some understanding about how they were going to define cybersecurity materiality going forward.

But hold the phone. In a landmark decision in 2024, the US Supreme Court reversed its 1984 ruling in the case of Chevron v. the Natural Resources Defense Council, better known as the Chevron doctrine, that allowed federal agencies, like the SEC, to enforce their own rules in lieu of specific laws passed by Congress. Chief Justice John Roberts called the Chevron doctrine “fundamentally misguided.”

And with President Trump releasing the hounds in 2025 to eliminate US government inefficiency in big government institutions, like the SEC, who knows if the SEC will even be around in a couple of years. All of this introduces a period of uncertainty for the enforcement of the SEC’s cybersecurity reporting rule in public companies. The SEC rule doesn’t go away, but now, public companies have a legal path for noncompliance.

What a mess.

Materiality for Everybody

Despite the SEC Rule then, materiality is still an essential concept. But we still haven’t answered the question: what is it?

If you take any three random people walking down the hallway at your headquarters building and lock them in a room with a white board for an hour, they could probably come up with hundreds of potential risks to the business or to some government mission. Some risks would be more likely than others and some would have more impact than others, but the list would be long. If you then brought the senior leaders of the organization into the room, they would most likely extend the list by some meaningful number.

But let me be blunt. A material issue is a potential company killer, organization killer, or mission killer. If you’re trying to prioritize the team’s future work, dividing the potential risks into mission Killers and everything else is a useful exercise. It tends to focus the leadership.

When the REvil hacker gang launched a ransomware attack against Travelex on New Year’s Eve in 2020, the company quickly had to fall into administration. It became insolvent and was unable to pay its debts. That’s a company killer.

In 2014, the Deep Panda Chinese hacker group stole the personnel files of every US government employee past and present from the US Office of Personnel Management (OPM). This is perhaps the most impactful cyber espionage campaign known to the public against any country. One of OPM’s primary missions was to protect the government’s personnel files. OPM completely failed to protect its only material asset: the employee background database

In the U.S. government, that’s not just a list of names and social security numbers. That’s a list of everything you have ever done for the past decade; where you lived, who your neighbors were, who your relatives are and where they lived, every crime you’ve ever committed, and every vice you’ve ever had (drugs, prostitution, etc). Deep Panda vacuumed it all up into the Chinese intelligence machine.

That’s a mission killer.

Since none of us has an infinite supply of resources in the people-process-technology triad, it makes sense to completely focus our first principle strategies to protect the material things in our environments and not get distracted by all the other things.

And, I hear what you’re saying. There are plenty of potential risks that fall short of the company-organization-mission killer paradigm that would still be significantly painful; that would cause serious disruption to current planning and progress. You could make the case that some of these risks might be material too. Fair enough. But let’s start with the company-organization-mission killers first and work back from there. Those are absolutely material.

Back in 1999, the SEC said that a good rule of thumb is 5% of revenue as a starting place for a material number. In 2025 I heard Richard Seiersen, Canon Hall of Fame author for “How to Measure Everything in Cybersecurity Risk” said at a risk forecasting workshop that a good material number to consider is whatever insurance coverage you have plus whatever cash on-hand is available.

The thing is, what’s material and what isn’t is different for every organization. It depends on factors such as risk tolerance, organizational size, and whether the organization is commercial, academic, or governmental. It also changes over time. What’s material for a startup today won’t be what’s material when the startup becomes a Silicon Valley tech giant down the road.

Think in Terms of a Limited Timespan

So far then, we have “reducing the probability of a material cyber event” shaping up as our ultimate first cybersecurity principle, but it’s still missing something; it’s still not precise enough. With what we have right now, we would be calculating probabilities of material cyber events indefinitely into the future.

Calculating the probability of material impact to an organization any time in the future (say the next 100 years) is a lot different than calculating the probability over the next year. Will cyber adversaries successfully breach our digital environments sometime in the future? That’s likely if the question is open-ended like that, if there’s no end date. But, will they have success in the next year? That probability likely will drop off precipitously if you time bound the question. It also has the added benefit of giving senior leadership something to focus on. Instead of using fear, uncertainty, and doubt (FUD) to get your infosec program funded, as in, “OMG, this is a really scary thing and I need a gazillion dollars to fix it.” It’s just another risk in the set of hundreds that the boss has to deal with. Let’s not try to boil the ocean here. Let’s timebound our risk calculations to some meaningful but short timeframe in the future. It can be three years, one year, six months; whatever is meaningful to the business.

Drum Roll Please: The Cybersecurity First Principle

We have all the preliminaries covered. It’s time for me to reveal what I think is the absolute cybersecurity first principle; our initial building block, the atomic element, that we will base the entire infosec program on. Remember, it must address three things: probability, materiality, and time.

Here is my proposal:

That’s it. Nothing else matters. This simple statement is atomic. You don’t read it and say to yourself, “I like it but there are three other things I have to do too.” Compared to the other first principle candidates discussed earlier, it states precisely and clearly what we are trying to accomplish. And it doesn’t matter what kind of organization you are: Public Company, Private Company, Government organization, or Academic institution.

This has the same feel as the core statements produced by other first-principles thinkers (like Euclid, Descartes, even Musk) when they stripped problems down to their fundamentals (see the earlier essay on first-principles thinking). It doesn’t rely on precedent (how things were done before), analogy (this looks like X), authority (what experts, standards, or competitors say), or incrementalism (tweaking the current system). It captures the essential objective. It also gives you a practical test for every security decision. If you’re spending resources on the people-process-technology triad that don’t reduce the probability of a material cyber event, you’re wasting resources.

Takeaway

In these last four essays, I assumed you weren’t familiar with the idea of first principles. I explained what they are and told the stories of some of the big thinkers in human history (such as Euclid, Aristotle, Descartes, Whitehead & Russell, and Elon Musk) who have used them to solve some of the thorniest problems known to humankind. I then noted that although in the early digital age, many big thinker computer scientists, such as James Anderson, Willis Ware, Bell and LaPadula, Saltzer and Schroeder, Dr. Fred Cohen, and Donn Parker, tried to find the edges of what cybersecurity meant but didn’t quite get there. The closest they came was something called the CIA triad, which is not really a first principle idea at all. I then made the case that other cybersecurity first principle candidates don’t really meet the bill either. Efficient patching, malware prevention, rapid detection and eradication, framework checklists like NIST or ISO, and even compliance law all fall short of what a first principle is supposed to be. They’re all good tactics that we might find useful, but they are not a coherent first principle strategy.

I then made my case for what I claim is the absolute cybersecurity first principle:

“Reduce the probability of a material cyber event over the next business cycle.”

There you have it. I’ve been thinking, debating, and writing about this idea for almost a decade, and it has gone through many versions. But I think this current iteration is as close as I’ve ever been to clearly stating what it is we are all trying to accomplish with our infosec programs.

That begs the question, what’s next? If reducing the probability of a material a cyber event is the thing we are trying to do, what are the follow-on first principle building blocks that we will install that will help us do that? Just like Whitehead and Russell, what are the essential concepts that will allow us to uniquely prove the equivalent of 1 + 1 = 2 in our network defender world?

In future essays, I will cover follow on strategies and tactics that logically follow from this first principle. Stay tuned.

Source

Rick Howard, 2023. Cybersecurity First Principles: A Reboot of Strategy and Tactics [2026 Canon Hall of Fame Book]

• Canon Review URL

• Amazon Buy URL

• Goodreads URL

Resources

Douglas Hubbard, Richard Seiersen, 2016. How to Measure Anything in Cybersecurity Risk [2018 Canon Hall of Fame Book].

• Canon Review URL

• Amazon Buy URL

• Goodreads URL

MATTHEW DALY, 2024. Supreme Court Chevron decision: What it means for federal regulations [Explainer]. AP News. URL https://apnews.com/article/supreme-court-chevron-regulations-environment-4ae73d5a79cabadff4da8f7e16669929

Rick Howard, 2022. Cyber sand table series: OPM. [Podcast]. The CyberWire - CSO Perspectives Podcast. URL https://thecyberwire.com/stories/d0d8b9995bd84c389112385dd95ec4ee/cyber-sand-table-series-opm

Staff, 1999. SEC Staff Accounting Bulletin No. 99: Materiality [Bulletin]. SECURITIES AND EXCHANGE COMMISSION. URL https://www.sec.gov/interps/account/sab99.htm

Staff, 2020. Ransomware vicitim Travelex forced into bankruptcy [News]. Security Magazine. URL https://www.securitymagazine.com/articles/93062-ransomware-vicitim-travelex-forced-into-bankruptcy

The U.S. Supremet Court, 2023. 22-451 Loper Bright Enterprises v. Raimondo (Chevron Doctrine) [Ruling]. Supreme Court of the United States. URL https://www.supremecourt.gov/opinions/23pdf/22-451_7m58.pdf

U.S. Securities and Exchange Commission, 2023. Final Rule: Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure [SEC Ruling] Securities Act Release No. 33‑11216, Exchange Act Release No. 34‑97989, 88 Fed. Reg. 51,896. URL https://www.sec.gov/files/rules/final/2023/33-11216.pdf

We’ve spent three decades refining tactics but we still haven’t agreed on the fundamental rule that governs all of it.

I’ve been thinking about first principles and what might be the cybersecurity first principle for over a decade. Three years ago, I even published a book about the topic.

Cybersecurity First Principles

Since then, I’ve been tightening my thinking. I haven’t changed my mind on the core concepts of the book. I’ve just gotten better at explaining them. To that end, I’ve published two essays refining my ideas:

• First Principle Thinking

• Prior Research on Cybersecurity First Principles

I’m slowly working my way towards discussing what I think the absolute cybersecurity first principle is. But before I get there, it’s worth examining the best-practice strategies most of us have relied on for the past 30 years. These are the leading candidates for the title. They deserve scrutiny before any final claim is made.

The Candidate List

When I ask security professionals what they think is the atomic cybersecurity first principle, they usually respond with one or more items in a set of traditional cybersecurity best practices. Things like

• The CIA Triad

• Vulnerability Management

• Malware Prevention

• Incident Response

• Frameworks

• Compliance

But according to Caroline Wong, author of the Cybersecurity Canon Hall of Fame book Security Metrics: A Beginner’s Guide, the phrase “best practice” is misapplied by most network defenders.

A best practice should refer to an approach or methodology that is understood to be more effective at delivering a particular outcome than any other technique when applied in a particular situation.

She says that many accepted cybersecurity best practices, although good ideas, have not delivered on those outcomes.

I concur with Caroline. In my own career, I’ve built information security programs around these same best practices too. But after 30 years in the field, I have to admit something: I can’t say with any confidence that one best practice is substantially better than some other one. The general theme to all of them is that they all contribute value. But none of them, by themselves, are sufficient as the foundational principle on which to build an entire infosec program. Let’s take each one in turn.

The CIA Triad

The CIA acronym stands for Confidentiality, Integrity, and Availability and the CIA Triad is a general-purpose defensive model intended to apply across all contexts and threat types. But it says nothing about how adversaries actually operate. It doesn’t account for adversary tactics, techniques, or procedures. It doesn’t incorporate the behavior of the roughly 500 adversary campaigns active on the internet at any given time. If a strategy ignores how real attackers behave, how can it be the atomic first principle? The CIA Triad is not bad per se; it’s just not complete.

One thing to note: As of this writing, I estimate that the actual number of active adversary campaigns is between 250 and 700 depending on who is counting. I use the Tydal Cyber platform and the MITRE ATT&CK Framework to get my range (Links in the Resource Section below).

Also, last year, I wrote a three-part series that explores the history, limitations, and potential replacements for the CIA Triad (Links in the Resource Section below).

Vulnerability Management

Vulnerability Management is similar. First, it’s a never-ending task. “I’ve patched all of our vulnerabilities” said nobody ever. More importantly, exploitation of vulnerabilities isn’t the biggest problem infosec practitioners face. The 2025 Verizon Data Breach Investigations Report (DBIR) notes that hackers use vulnerability exploitation as an initial access vector only 20% of the time. If patching is your first principle, what about the other 80% of attacks?

Preventing Malware

The equivalent argument applies to Preventing Malware. The same DBIR says hackers deploy malware in only 45% of breaches. If anti-malware is your first principle, what are you doing about the other 55% of attacks?

Incident Response

Incident response as a formal discipline emerged in the late 1980s. You could argue that Cliff Stoll pioneered the practical model when he tracked East German hackers working on behalf of Soviet intelligence; a story he documented in the Cybersecurity Canon Hall of Fame book The Cuckoo’s Egg: Tracking a Spy Through the Maze of Computer Espionage. But sometime in the 2010s, the infosec community started to pursue the idea that cyber defense is too hard and therefore should be abandoned in favor of incident response; abandon prevention mechanisms in favor of early detection mechanisms and efficient eradication systems. It turns out that this is also too hard to do mostly because it’s expensive. Small-to-medium-sized organizations can’t really afford to do it so they don’t. A true first principle must be universally applicable and not reserved for those with the largest budgets.

Frameworks

It’s tough to find a hard number, but there are likely dozens of cybersecurity frameworks globally; maybe as high as 50, depending on how you define “framework.” The number varies because there are many different kinds:

• Governance Frameworks: Like ISACA’s COBIT; Control Objectives for Information and Related Technologies.

• Control Catalogs: Like the NIST Special Publication 800-53 (Revision 5): Security and Privacy Controls for Information Systems and Organizations.

• Maturity Models: Like the U.S. Department of Defense’s Cybersecurity Maturity Model Certification (CMMC).

• Regulatory Schemas: Like the European Union’s General Data Protection Regulation (GDPR).

• Sector-Specific Standards: Like the North American Electric Reliability Corporation’s NERC Critical Infrastructure Protection Standards (NERC CIP)

• Regional Data Protection Regimes: Like the California Consumer Privacy Act (CCPA).

• Tickets to Ride (Compliance to gain access): Like the U.S. General Services Administration (GSA) Federal Risk and Authorization Management Program (FedRAMP).

From the very beginning, many security practitioners understood compliance regulations for what they are: attempts to establish baseline parameters of security and privacy programs. These same security practitioners view them as necessary evils to prevent fines (GDPR, for example) or as the price of doing business (FEDRAMP, for example). But they don’t view them as essential to protecting their organizations on the Internet. You have to follow them because they are requirements for some business need, but most don’t consider them fundamental to their security program and therefore can’t be the basis for any cybersecurity first principle program. Besides, for some organizations, it’s just easier to pay fines if they get caught as a cost of doing business. That doesn’t seem like a cybersecurity first principle.

Takeaway

The uncomfortable truth is this: cybersecurity doesn’t suffer from a lack of tools. It suffers from a lack of clarity. We keep refining mechanisms without agreeing on purpose. If these traditional best practices aren’t first principles, then we’ve been building programs on secondary assumptions for 30 years. That has consequences.

A first principle must be universal, irreducible, and explanatory. None of these candidates meet that bar. They are useful. They are necessary. But they are derivative.

So the real question isn’t which best practice should win the election. The real question is: what is the governing law of cybersecurity?

That’s where we go next.

References

Caroline Wong, 2011. Security Metrics, A Beginner’s Guide [Cybersecurity Canon Hall of Fame Book].

• Goodreads URL https://www.goodreads.com/book/show/13654596-security-metrics-a-beginner-s-guide

• Canon Review: https://cybercanon.org/security-metrics-a-beginners-guide/

• Amazon Link: https://amzn.to/47FT1FA

Rick Howard, 2025. Part I: Is the CIA Triad Dead?: Why has the CIA Triad Endured? [Explainer]. Rick’s First Principles Newsletter. URL https://diffuser.substack.com/p/is-the-cia-triad-dead

Rick Howard, 2025. Part II: Is the CIA Triad Dead? [Explainer]. Rick’s First Principles Newsletter. URL https://diffuser.substack.com/p/is-the-cia-triad-dead-63c

Rick Howard, 2025. Part III: Is the CIA Triad Dead? [Explainer]. Rick’s First Principles Newsletter. URL https://diffuser.substack.com/p/part-iii-is-the-cia-triad-dead

Rick Howard, 2026. First Principle Thinking [Explainer]. Rick’s First Principles Newsletter. URL https://diffuser.substack.com/p/first-principle-thinking

Rick Howard, 2026. Prior Research on Cybersecurity First Principles [Explainer]. Rick’s First Principles Newsletter. URL https://diffuser.substack.com/p/prior-research-on-cybersecurity-first

Staff, n.d. Tidal Cyber [Dashboard]. Community Edition. URL https://app.tidalcyber.com/

Staff, n.d. MITRE ATT&CK Framework [Wiki]. Mitre. URL https://attack.mitre.org/

Robert Duvall passed away this week. He has been one of my favorite actors for as long as I can remember. The tributes I’ve read mostly highlight the performances he is best known for: The Godfather I & II, where he brings calm intelligence to a world of chaos and violence; Tender Mercies, which earned him the Academy Award for Best Actor; and Apocalypse Now, with the unforgettable line, “I love the smell of napalm in the morning.”

But none of those are even in my top three.

Lonesome Dove

I first noticed Mr. Duvall when he starred in my dad’s favorite western, Lonesome Dove, in 1989. The series is set just after the Civil War, during the height of the great cattle drives from Texas to Montana. Duvall plays Captain Augustus “Gus” McCrae, a retired Texas Ranger and arguably one of the most charismatic characters ever to appear in a western. He knows the West is not a myth; hell, he helped tame it. Yet he still believes in love, beauty, conversation, good whiskey, and loyal friendship. And by god, Duvall plays the hell out of that character; probably gave the defining performance of his career in my humble opinion, Tender Mercies notwithstanding. And I’m pretty sure that my dad wanted to be Gus when he grew up. Now that I think about it, so do I.

To Kill a Mockingbird

But that’s not my favorite performance of his. It ranks only third on my list. The second best is Duvall’s turn as Boo Radley, early in his career, in 1962’s To Kill a Mockingbird. He has one line and is in the movie for only minutes right at the end. But wow, what an impact. His character looms in the background throughout the movie, never seen, just talked about, as the neighborhood boogeyman that the children fear. Then, after he saves Scout and Jem from a brutal attack, he steps out of the shadows. He is pale, quiet, shy, almost fragile; not a monster at all; just a gentle, wounded man. In that final scene, without theatrics and almost without words, Duvall lets the humanity pour through. The myth collapses. What remains is quiet goodness. I have watched that end-scene over a dozen times. It always brings tears to my eyes. Gregory Peck gets all the praise for his portrayal of Atticus Finch in this movie; a shiny heroic beacon in the dark of always doing the right thing. Duvall comes in at the end of the movie, playing a man that nobody knows, and brings the message home that anybody can do the right thing too.

Secondhand Lions

But my favorite Duvall performance comes out of a little seen movie called Secondhand Lions. He plays Hub McCann, a retired, rumored-to-be-legendary adventurer who lives out his final years on a dilapidated Texas farm with his brother Garth (played by Michael Caine). Duvall gives a monologue about the meaning of life that is so powerful, so raw, that my wife and I rewatch the movie at least once a year. He’s an old timer and sleepwalks in the middle of the night; dreaming about his lost true love. When his nephew asks him about it, he delivers these lines:

A man should believe in those things, because those are the things worth believing in.

I know that Tim McCanlies wrote the script and directed the movie, so he gets credit for the sentiment, but man, Duvall delivers it. An actor of a lesser caliber would have just made those lines sappy and unbelievable.

Take Away

Robert Duvall could play the mythic adventurer, the invisible protector, the weary consigliere, the broken singer, or the mad colonel and make each one feel completely real. He was that good of an actor. But what binds my three favorite performances together is that he made me believe that I was watching a man of real substance. Whether he was Gus McCrae laughing at death, Boo Radley standing silently in a doorway, or Hub McCann insisting that some things are worth believing in even when the world tells you otherwise, Duvall gave me examples of men that I could use as a north star in my own life’s journey. I will be forever grateful for that.

Thank you Mr. Duvall and Godspeed on your next journey.

References

Robert Duvall and Haley Joel Osment. 2003. The Speech: Secondhand Lions. [Movie Clip] Youtube. URL:

@tomalexander85, 2026. Robert Duvall’s Film Debut [Movie Clip]. YouTube. URL

Staff, 2024. Lonesome Dove | The Final Goodbye [Movie Clip]. FETV - YouTube. URL

Bruce Beresford (Director), Robert Duvall (Actor), 1983. Tender Mercies [Movie]. Letterboxd. URL https://letterboxd.com/film/tender-mercies/

Francis Ford Coppola (Direcetor), Robert Duvall (Actor), 1972. The Godfather [Movie]. Letterboxd. URL https://letterboxd.com/film/the-godfather/

Francis Ford Coppola (Director), Robert Duvall (Actor), 1974. The Godfather Part II [Movie]. Letterboxd. URL https://letterboxd.com/film/the-godfather-part-ii/

Francis Ford Coppola (Director), Robert Duvall (Actor), 1979. Apocalypse Now [Movie]. Letterboxd. URL https://letterboxd.com/film/apocalypse-now/

Lewis John Carlino (Director), Robert Duvall (Actor), 1979. The Great Santini [Movie]. Letterboxd. URL https://letterboxd.com/film/the-great-santini/

Robert Mulligan (Director), Robert Duvall (Actor), Gregory Peck (Actor), 1962. To Kill a Mockingbird [Movie]. Letterboxd. URL https://letterboxd.com/film/to-kill-a-mockingbird/

Simon Wincer (Director), Larry McMurtry (Writer), William D. Wittliff (Writer), Robert Duvall (Actor), Tommy Lee Jones (Actor), 1989. Lonesome Dove [TV Mini-Series]. IMDb. URL https://www.imdb.com/title/tt0096639/

Staff, 2026. Films starring Robert Duvall [List]. Letterboxd. URL https://letterboxd.com/actor/robert-duvall/

Tim McCanlies (Writer and Director), Robert Duvall (Actor), Sir Michael Caine (Actor), 2003. Secondhand Lions [Movie]. Letterboxd. URL https://letterboxd.com/film/secondhand-lions/

Staff, 2018. Top 10 Robert Duvall Roles [Video]. WatchMojo - YouTube. URL

As the United States continues its descent into chaos and anarchy, I’ve been soothing my soul watching movies where the protagonists exude character; a trait that our country’s leadership seems to be in short supply. Movies like

• Superman, when Lois says, “You trust everyone and think everyone you’ve ever met is beautiful.” And Superman says “Well, maybe that’s the new punk rock.”

• The American President, when Michael Douglas, speaking to the press, says “And I can tell you without hesitation that being President of this country is entirely about Character.”

• Lincoln: The entire damn movie

But the movie that really moved me lately was A Bridge of Spies, written by Joel and Ethan Coen and directed by Steven Spielberg. It stars Tom Hanks playing an insurance lawyer who the courts appoint to defend a suspected Russian Spy. The CIA wants Hanks to tell them what his client is saying, violating client-attorney privilege. Hanks take umbrage with the suggestion and explains in simple terms, what it means to be an American. Hanks says,

“Your Agent Hoffman right? German Extraction?

My names Donovan, Irish, both sides, mother and father.

I’m Irish, your German, but what makes us both Americans?

Just one thing. One … One, One.

The rule book. We call it the Constitution.

And we agree to the rules. And that’s what makes us Americans.

It’s all that makes us Americans.

Well, when you put it like that, being an American is pretty simple. It’s not about the color of your skin or where you came from. It’s not about your assigned race or ethnic ancestry. If your an American citizen, the thing that connects you to all the other American citizens is the law, the set of rules embodied in the U.S. Constitution and philosophically grounded in the Declaration of Independence.

We hold these truths to be self-evident, that all men are created equal.

Or, if you want a more folksy version of that idea, how about the song lyrics from In America by The Charlie Daniels Band:

From The Sound up in Long Island

Out to San Francisco Bay

And everything that’s in between them is our own

And we may have done a little bit

Of fighting among ourselves

But you outside people best leave us alone

‘Cause we’ll all stick together

And you can take that to the bank

That’s the cowboys and the hippies

And the rebels and the yanks

You just go and lay your hand

On a Pittsburgh Steelers fan

And I think you’re gonna finally understand

I fear we’ve forgotten that sentiment.

If America is a contract, then breaking the rules doesn’t just break laws. It breaks the country.

References

Willoughby Alley, 2016. What Makes Us Americans [WWW Document]. Bridge Of Spies Clip - YouTube. URL

Steven Spielberg (Director), Tom Hanks (Actor), 2015. Bridge of Spies [Movie]. Letterboxd. URL https://letterboxd.com/film/bridge-of-spies/

Rob Reiner (Director), Aaron Sorkin (Writer), Michael Douglas (Actor), 1995. The American President [Movie]. Letterboxd. URL https://letterboxd.com/film/the-american-president/

Lee Hoedl, 2020. The American President - The Final Speech [Movie Clip]. YouTube. URL

Staff, 1776. Declaration of Independence: A Transcription [Founding Document]. National Archives. URL https://www.archives.gov/founding-docs/declaration-transcript

Staff, 1787. The Constitution of the United States: A Transcription [WWW Document]. National Archives. URL https://www.archives.gov/founding-docs/constitution-transcript (accessed 2.15.26).

Charlie Daniels, 2001. In America - The Charlie Daniels Band  [Music Video]. YouTube. URL

JayAye, 2025. Maybe that’s the Real Punk Rock [Movie Clip]. Superman 2025 - YouTube. URL

James Gunn (Writer and Director, David Corenswet (Actor), Rachel Brosnahan (Actor), 2025. Superman [Movie]. Letterboxd. URL https://letterboxd.com/film/superman-2025/

I love me a good vampire story. This one has been on many “must read” lists of late. I read a previous work by this author, Stephen Graham Jones, and liked it. His The Only Good Indians was a unique, funny, and heartbreaking ghost story that I read right at the beginning of the pandemic, so I thought I would give this one a try.

The Buffalo Hunter Hunter combines the epistolary dread of Bram Stoker’s Dracula and the confessional intimacy of Anne Rice’s Interview with the Vampire. The result is a narrative that channels the historic trauma of America’s First Peoples, the enduring rage born of genocide, and a long-delayed, fantastical reckoning.

It begins in 2012, when Etsy Beaucarne, a modern-day academic, discovers a journal within a wall of an old parsonage in Montana. The journal’s author, a Lutheran pastor named Arthur Beaucarne, Etsy’s great-grandfather, wrote it in 1912. It’s a confessional transcript about Arthur’s encounter with a mysterious Blackfeet man known as Good Stab.

[Spoilers]

Good Stab approaches the pastor under the guise of a spiritual confession, but what he offers is a brutal history rooted in colonial violence and genocide. The kicker, though, is that Good Stab claims he’s a vampire. A violent encounter with a grotesque creature (called “Cat Man”) cursed him with immortality and a thirst for blood. But really, Good Stab is there to perform a reckoning against Arthur for his complicity in the slaughter of an Indian village. Arthur was not a buffalo hunter, not a soldier, and not a vigilante. His sin was witnessing the massacre without intervening. Arthur is a proxy for all white people who stood inside the American culture that eradicated Good Stab’s people and did nothing. This is a story about complicity, silence, theology, and moral failure.

Jones has created a genuinely original vampire story, and I appreciate the ambition. It opens strong and ends even stronger, though I felt the middle sagged a bit. Still, the method for killing a vampire in this world is completely fresh, and I loved it. In Jones’s mythology, vampires gradually take on the characteristics of whatever they feed on; too many white victims and they begin to resemble white people; too many from a particular Indigenous tribe and they start to mirror that tribe; too many fish and they literally become more fish-like. At that point, vampire hunting becomes less about stakes and more about dietary planning. That trait has enormous implications when you’re trying to figure out how to dispatch one.

I read a lot of vampire books. I know, it’s a sickness. I keep track of my top 10 favorites. The Buffalo Hunter Hunter debuts at number nine for me and bumps off one of my old time favorites.

My Revised Top 10 Books

1. Salem’s Lot by Stephen King

2. Vampire$ by John Steakley

3. The Kolchak Papers by Jeff Rice

4. Interview with a Vampire by Anne Rice

5. Dracula by Bram Stoker

6. Let the Right One In by John Ajvide Lindqvist

7. The Southern Book Club’s Guide to Slaying Vampires by Grady Hendrix

8. The Lesser Dead by Christopher Buehlman

9. The Buffalo Hunter Hunter by Stephen Graham Jones

10. Nightwatch by Sergei Lukyanenko

Bumped off the list: Guilty Pleasures by Laurel Hamilton

This isn’t a perfect book. The middle stretches a bit. But the ambition, originality, and ending more than earn their keep. Jones takes vampire lore seriously enough to break it, rebuild it, and use it for something meaningful. If you’re a fan of Dracula or Interview with the Vampire, you’ll recognize the lineage immediately. And if you care about what genre fiction can do at its best, this one deserves a spot on your shelf.

Source

Stephen Graham Jones, 2025. The Buffalo Hunter Hunter [Novel]. Narrated by Shane Ghostkeeper, Marin Ireland, and Owen Teale. Goodreads. URL https://www.goodreads.com/book/show/214565614-the-buffalo-hunter-hunter

References

Anne Rice, 1976. Interview with the Vampire [Novel]. Goodreads. URL https://www.goodreads.com/book/show/43763.Interview_with_the_Vampire

Bram Stoker, 1897. Dracula [Novel]. Project Gutenberg . URL https://www.gutenberg.org/cache/epub/345/pg345-images.html

Christopher Buehlman, 2014. The Lesser Dead [Novel]. Goodreads. URL https://www.goodreads.com/book/show/20893407-the-lesser-dead

Grady Hendrix, 2020. The Southern Book Club’s Guide to Slaying Vampires [Novel]. Goodreads. URL https://www.goodreads.com/book/show/44074800-the-southern-book-club-s-guide-to-slaying-vampires

Jeff Rice, 2007. The Kolchak Papers [Novel]. Goodreads. URL https://www.goodreads.com/book/show/996660.The_Kolchak_Papers

John Ajvide Lindqvist, 2004. Let the Right One In [Novel]. Goodreads. URL https://www.goodreads.com/book/show/943402.Let_the_Right_One_In

John Steakley, 1990. Vampire$ [Novel]. Goodreads. URL https://www.goodreads.com/book/show/843588.Vampire_

Sergei Lukyanenko, 1998. The Nightwatch [Novel]. Goodreads. URL https://www.goodreads.com/book/show/222118811-the-nightwatch

Stephen Graham Jones, 2020. The Only Good Indians [Novel]. Goodreads. URL https://www.goodreads.com/book/show/52180399-the-only-good-indians

Stephen King, 1975. ’Salem’s Lot [Novel]. Goodreads. URL https://www.goodreads.com/book/show/11590._Salem_s_Lot

What if the most unrealistic thing in The Lost Symbol isn’t the Freemasons, but the fact that anyone in Washington, D.C. had the energy for a midnight monument tour after nearly dying?

You don’t read a Dan Brown novel (and watch his popular movies) for nuanced character development or strict realism. At least I don’t. I consume it for the entertaining puzzles that the main character, Robert Langdon (think Tom Hanks in the movies), has to solve and Brown’s talent for weaving conspiracy theories out of real-world facts mixed with imaginative speculation. In his first three books, there’s always an umbrella conspiracy theory that glues everything together.

In the 2000 novel Angels & Demons, Brown portrays leaders of the Catholic Church suppressing science in order to preserve their power. In The Da Vinci Code (2003), the central conspiracy is the claim that the Holy Grail is not an object, but a living bloodline descended from Mary Magdalene. In this book, The Lost Symbol (2009), Brown argues that some prominent U.S. Founding Fathers, most notably George Washington and Benjamin Franklin, were Freemasons who believed in the “Ancient Mysteries,” including human apotheosis (the elevation of a person to their highest potential through enlightenment and discipline), and that the Masons deliberately concealed this knowledge to prevent its misuse.

For me though, the best part of The Lost Symbol is that Brown sets the story in Washington D.C., my home town (technically, I live in the suburbs, just south of the beltway but close enough). The story mostly orbits the good guys chasing the bad guy (or vice versa) to fantastic places in and around Washington D.C.:

• The United States Capitol Building plus the Capitol Crypt and the Apotheosis painting inside.

• The Smithsonian Museum Support Center (SMSC)

• Freedom Plaza

• The Washington National Cathedral

• The Washington Monument

• The House of the Temple

• The George Washington Masonic Memorial

My two main knocks on the novel are number one, all the characters are one-dimensional, including Robert Langdon. Number two, the plot is incoherent if you bother to think about it for more than a second.

The bad guy, a young malcontent who inherits a vat of money, turns himself into a muscle-bound, full-body-occult-tattoo-covered Freemason, becomes an expert in the occult, and starts acquiring ancient totems like Indiana Jones because he has daddy issues. He traverses the Freemason hierarchy all the way to the 33d degree (because his dad did it) in an infiltration effort to discover the secrets of the Ancient Mysteries and to become one with the universe. He did this with the ingenious method of sneaking a camera into the Freemason secret meetings hidden in his wig. Diabolical!

And, after the the good guys win, the father, after his son amputated his hand, and Robert Langdon, who the bad guy temporarily drowned, took the time to conduct a midnight tour of the Washington Monument to make a philosophical point. If it was me, I would at least have taken a nap before the tour, or maybe grabbed a sandwich or something.

But, like I said, the plot isn’t the reason I read a Dan Brown book. Even though The Lost Symbol is an an occult thriller, a civic love letter to Washington, D.C., and a New Age manifesto all rolled into one, I came for the conspiracies, the puzzles, and the added bonus that the story occurs in my backyard. I liked it. Three stars.

Source

Dan Brown, 2009. The Lost Symbol (Robert Langdon, #3) [Novel]. Goodreads. URL https://www.goodreads.com/book/show/6411961-the-lost-symbol

References

Dan Brown, 2000. Angels & Demons (Robert Langdon, #1) [Novel]. Goodreads. URL https://www.goodreads.com/book/show/960.Angels_Demons

Dan Brown, 2003. The Da Vinci Code (Robert Langdon, #2) [Novel]. Goodreads. URL https://www.goodreads.com/book/show/55019161-the-da-vinci-code

Janet Masline, 2009. ‘The Lost Symbol’ by Dan Brown: Baddies and Brainiacs and the Secrets of Freemasonry [Review]. The New York Times. URL https://www.nytimes.com/2009/09/14/books/14maslin.html

Maureen Dowd, 2009. Capital Secrets [Review]. The New York Times. URL https://www.nytimes.com/2009/10/11/books/review/Dowd-t.html

Rick Howard, 2003 (Updated in 2019). daVinci [Google Sheets Book Summary - The Da Vinci Code] URL: https://docs.google.com/presentation/d/1JF7DIs6G6kKX6cqfMoWyWThO39iGMR3Bo6gXbDS5guQ/edit?usp=sharing

Ron Howard (Director). Tom Hanks, Ian McKellen, Paul Bettany, and Alfred Molina (actors). 2006. The Da Vinci Code [Movie]. Letterboxd. URL https://letterboxd.com/film/the-da-vinci-code/

Ron Howard (Director). Tom Hanks, Ewan McGregor (Actors). 2009. Angels & Demons [Movie]. Letterboxd. URL https://letterboxd.com/film/angels-demons/

Staff, 2024. The Lost Symbol [Fan Site]. All about Dan Brown -. URL https://allaboutdanbrown.com/the-lost-symbol/

I didn’t expect A Wrinkle in Time to fail a basic parental sanity check, but it did.

In the Apple TV series Ted Lasso, Trent Crimm ( The Independent) gives a Twitter Line book review of A Wrinkle in Time. He says, “it’s the story of a young girl’s struggle with the burden of leadership as she journeys through space.” I don’t know what book Trent Crimm was reading, but it wasn’t the one I read.

I wasn’t expecting a sci-fi–fantasy fairy tale. Science fiction, yes. Fantasy, maybe. But a fairy tale in which immortal beings, after failing for centuries to defeat a great evil, send underage children to confront it, armed with nothing more than a pair of magic glasses and a few words of encouragement, fully aware that the children have little chance of success and a high probability of dying? And then, after barely escaping for their lives with a rescued dad in tow, the dad turns around and sends his daughter back in by herself to fetch her stupid brother?

Uh ... I don’t think so. I can see why kids might like the story but “my” dad-hat was sitting firmly on my head and there is no way that I’m sending my daughter out by herself to face the ultimate evil. No parent would. I don’t know what I was expecting but I know it wasn’t that and I didn’t like it.

I did appreciate that L’Engle published it in the early 1960s and her ideas were ahead of their time. Back then, science fiction readers consumed stories about adults dismantling societies through intellect and ideology (Stranger in a Strange Land), mathematicians predicting civilizations (Foundation), and adults grappling with power, ethics, and technology (A Canticle for Leibowitz). A Wrinkle in Time is written in the language of science with children interacting and understanding tesseracts, relativity, higher dimensions, and psychological control. And she just expects her audience to go with it. I liked that part.

Back then, we were still feeling the impact of fighting off a totalitarian system (Nazis in WWII) and were worried about another one (Stalinism). Nuclear annihilation was plausible and imminent. George Orwell’s 1984, published in 1949, was on everybody’s mind in the West, and there was a real fear that we might slide into a similar dystopia The great evil in this book represented totalitarianism, mind-numbing conformity, and no freedom of thought. L’Engle was saying that this is something to defeat by all means, like we did with the Nazis; even sending your daughter in alone is justified. I think many parents reading it for the first time like I did, would bounce off that idea hard.

But many people love this book. It did win three literary awards:

• Newbery Medal (1963)

• Sequoyah Book Award (1965)

• Lewis Carroll Shelf Award (1965)

Clearly, many readers see something here that I don’t. But for me, two stars. It had some good parts but not enough for me to recommend it.

As a fairy tale, I guess A Wrinkle in Time works. As a story I’d trust with my kids though, it leaves me uneasy and that’s not nothing.

Source

Madeleine L’Engle, 1962. A Wrinkle in Time [Book]. Read by Hope Davis, Ava DuVernay, Madeleine L’Engle, and Charlotte Jones Coiklis. Goodreads. URL https://www.goodreads.com/book/show/33574273-a-wrinkle-in-time

In the modern world, the computer era started in earnest when the mainframe computer became useful to governments, universities, and the commercial world (circa 1960–1981). It took about a decade before the mainframe community realized that they might have a computer security problem and it started with the U.S. military. Willis Ware’s Security Controls For Computer Systems, published in 1970 when Ware was working for the Rand Corporation, started the process. The paper is not so much a definition of cybersecurity as it is a listing and description of all the ways computers were going to be a problem in the future when they started sharing resources across networks. I would put this in the category of, “the first step in solving any problem is recognizing that you have a problem.”

Early Derivative Thinking

Attempts to solve the problem didn’t start with first principle thinking. Thought leaders in the space pursued derivative thinking; specifically analogy at first (This looks like X, so I’ll do something similar.) Digital systems look kind of similar to physical systems (like buildings), so let’s just adopt physical security ideas to our digital environments. That’s what Ware’s paper recommends: the security community needs to determine how to build a secure digital system. That idea became the focus of researchers through the 1990s. In the Cybersecurity Canon Hall of Fame book, A Vulnerable System: The History of Information Security in the Computer Age, published in 2021, the author, Andrew Stewart, laments the fact that since the beginning of the digital age, nobody has been able to build a secure system. Today, this idea has largely been abandoned. But back then, it was driving all the thinking.

James Anderson

The paper Computer Security Technology Planning Study, published by James Anderson for the U.S. Air Force in 1972, feels like a continuation of thought from the Willis Ware paper.

This is more derivative thinking in the form of Incrementalism (Take the current system and improve it slightly). Now that Ware identified the problem, Anderson was thinking through ways to solve it. He may be the first to suggest the idea that security shouldn’t be added on after the system is built, something that security professionals still talk about today when you hear them discuss the idea of shifting left or security by design. Anderson accepts Ware’s idea that building a secure system is the ultimate goal but proposes that any secure systems will require a way to monitor that system for defects and intrusions.

Bell and LaPadula

The next year, David Bell and Len LaPadula, then working for MITRE, published their paper called Secure Computer Systems: Mathematical Foundations. In it, they provide the arithmetic proof that would guarantee that a computer system is secure (More incrementalism). Unfortunately, they admit up front that even if you could build a system that adheres to the proof, how would system builders guarantee that they implemented everything correctly? Theoretically, you could do it, but practically, how would you vouch for the veracity? And this is the problem that plagued this kind of research for 30 years.

Saltzer and Schroeder

In 1975, Jerome Saltzer and Michael Schroeder published their paper, The Protection of Information in Computer Systems,” in Proceedings of the IEEE. In it, they lay out the early beginnings of the CIA triad, even though they don’t use that exact terminology. This is more derivative thinking but this time in the form of Precedent (How has this been done before?). Confidentiality and Integrity are ideas taken from the physical paper world of protecting sensitive information. Availability is a new but adjacent idea, a nod to the nature of digital environments. How do you ensure that the digital system is always up and running?

Saltzer and Schroeder also likely make the first case that username/password combinations are a weak form of authentication and two-factor authentication will be required. They were among the first to argue that security mechanisms should be as simple as possible (complexity kills) and that their effectiveness should not depend on secrecy of the design (security through obscurity). Finally, they promote an idea called fail-safe defaults, meaning deny everything first and allow by exception. This idea anticipates what later became known as perimeter defense, in which a defined system boundary is established to regulate access. This was about a decade before we had the technology to do it (firewalls). It also sounds very much like what turned out to be Zero Trust some 35 years later.

Fred Cohen

Dr. Fred Cohen published the first papers in 1991 and 1992 that used Defense-in-Depth to describe a common cybersecurity model in the network defender community. This is more derivative thinking in the form of incrementalism trying to build a secure system. He didn’t invent the phrase, Defense-in-Depth, but he is most likely the first one to describe it in a paper.

Defense-in-Depth is the idea that network architects erect an electronic barrier that sits between the Internet and an organization’s digital assets. To get on the inside of the barrier from the Internet, you had to go through a control point (usually a firewall but sometimes in the early days, with a router). From the 1990s until present day, the common practice has been to add additional control tools behind the firewall to provide more granular functions. In the early days, we added intrusion detection systems and antivirus systems. All of those tools together formed something called the security stack, and the idea was that if one of the tools in the stack failed to block an adversary, then the next tool in line would. If that one failed, then the next would take over. That is defense in depth.

John McCumber

In 1991, John McCumber published Information Systems Security: A Comprehensive Model at the 14th Annual National Computer Security Conference (NCSC). He doesn’t coin the phrase CIA Triad in the paper but he does say that the three elements are a triad (more derivative incrementalism). As near as I can tell, this is the origin story of the phrase.

Donn Parker

In 1998, Donn Parker published his book Fighting Computer Crime: A New Framework for Protecting Information, where he strongly condemns the elements in the CIA triad as being inadequate. He never mentions the phrase “CIA triad,” though. He proposed adding three other elements (possession or control, authenticity, and utility; more incrementalism) that eventually became known as the Parkerian Hexad, but the idea never really caught on for reasons probably only a marketing expert could explain. Notice that Parker is still using derivative thinking here, not first principle thinking, even though he thinks we haven’t solved the problem yet.

(ISC)²

In 1997, (ISC)² codified their Common Body of Knowledge (CBK); a formal taxonomy of knowledge domains designed for the cybersecurity profession and the conceptual foundation for (ISC)² certifications, most notably the CISSP (Certified Information Systems Security Professional). At the time, people in the industry were desperate to show their qualifications in this brand new field and we all flocked to get the CISSP certification. CISSP exam questions started using the CIA Triad phrase sometime around the 1998–1999 exam cycle and certification seekers had to recognize and correctly use the term “CIA Triad” to pass. And that is how a derivative idea becomes an industry standard.

Clouds Change the Derivative Thinking Game

In the 2000s, most security practitioners spent time improving the security stack in one form or the other. As cloud environments emerged around 2006, the number of digital environments we had to protect exploded. Organizations started storing and processing data in multiple locations that I like to call Data Islands (traditional data centers, mobile devices, cloud environments, and SaaS applications). The security stack idea became more abstract. It wasn’t one set of tools physically deployed behind the firewall any longer; it was a series of security stacks deployed for each data island. In an incremental way, the security stack became the set of all tools deployed that improved the organization’s defensive posture regardless of where they were located. This is Defense-in-Depth applied abstractly to all of the environments. Most of the research in this period focused on improving our CIA Triad capability by building better tools for the security stack such as application firewalls, identity and access management systems, XDR, etc.

First Principle Thinking Emerges

First principle thinking didn’t appear until the 2010s when researchers started to realize that the community’s derivative thinking wasn’t really solving the problem. A cluster of influential works appeared that challenged prevailing assumptions and implicitly grappled with foundational ideas, including John Kindervag’s Zero Trust: No More Chewy Centers (2010), Lockheed Martin’s Intrusion Kill Chain Prevention model (2010), the United States Department of Defense’s Diamond Model (2011), and the MITRE Corporation’s ATT&CK Framework (2013).

I’m not sure exactly when I heard about the two mathematicians (Whitehead and Russel) who rebuilt the language of math from the ground up using first principles, but it started me thinking and writing about cybersecurity first principles as early as 2016. That new cluster of ideas mentioned above hadn’t really caught on yet in the community. My own thoughts weren’t fully formed yet either, but even then, I knew that the security practitioner community was going in the wrong direction. We had somehow chosen, in a groupthink kind of way, that securing individual systems with the CIA Triad was the way to go. And yet, the number of reported breaches continued to grow. I knew even then that the CIA Triad wasn’t elemental enough to solve the problem originally articulated by Ware in the 1970s. We are all thinking too tactically. We didn’t need to secure individual computer systems. At this point, we knew it was impossible to do anywat. We needed something else. It was clear to me that we needed to get back to first principles.

In 2017, Dr. Matthew Hale, Dr. Robin Gandhi, and Dr. Briana Morrison turned toward first principle thinking in their Introduction to Cybersecurity First Principles designed for elementary students (K-12). They declare that cybersecurity is a design problem and just stipulate 10 cybersecurity first principles that they cribbed from the NSA without any question as to why these 10 are the most atomic notions in cybersecurity. In 2021, Dr. John Sands, Susan Sands, and Jaime Mahoney, from Brookdale Community College, cover the same material with more detail but again don’t offer any argument about why these are first principles, just that they are.

Shouhuai Xu published his paper The Cybersecurity Dynamics Way of Thinking and Landscape at the 7th ACM Workshop on Moving Target Defense in 2020. Xu proposes a three-dimensional axis with first principles modeling analysis (assumption driven), data analytics (experiment driven), and metrics (application and semantics driven). But again, there is no discussion of why his first principles are elemental.

Nicholas Seeley published his master’s thesis at the University of Idaho in 2021: Finding the Beginning to Discover the End: Power System Protection as a Means to Find the First Principles of Cybersecurity. Out of all the papers reviewed here, this is the most complete in terms of first principle thinking. Seeley reviewed most of the papers I have referenced here before he drew any conclusions. He makes the case that the main ideas that emerge from those papers revolve around the issue of trust. He then questions whether the idea of trust is fundamental enough to be a first principle. He quotes James Coleman and his book The Foundations of Social Theory that says “situations that involve trust are a subset of situations that involve risk.” Or, as Seeley says, “without risk there is no need for trust.” Seeley says that risk is a function of probability, a measure of uncertainty. He believes that uncertainty is more fundamental than the CIA Triad or any of the other analytical checklists that the previous authors came up with. Interestingly, the father of decision analysis theory, Dr. Ron Howard, says the same thing in his book The Foundations of Decision Analysis.

Seeley takes an idea from the Luhmann/King/Morgner book Trust and Power that trust allows us to reduce complexity in our lives. He then proposes a set of assumptions (postulates or axioms), similar to Euclid, that are his set of cybersecurity first principles.

• Complete knowledge of a system is unobtainable; therefore, uncertainty will always exist in our understanding of that system.

• The principal of a system must invest trust in one or more agents.

• Known risks can be mitigated using controls, transference, and avoidance, else the risks must be accepted.

• Unknown risks manifest through complexity.

But then he stops short of identifying the absolute cybersecurity first principle and uses his axioms to design a better proof than Bell and LaPadula to decide if one system design over another is more secure using eigenvalue analysis of the associated graphs. In other words, he went back to the traditional well of trying to design secure systems.

Take Away

A review of the prior research demonstrates that cybersecurity did not evolve from first-principles reasoning, but rather from a long sequence of derivative approaches shaped by analogy, precedent, and incremental improvement. Early foundational work by Ware, Anderson, Bell and LaPadula, and Saltzer and Schroeder correctly identified the emergence of computer security as a systemic problem and focused the field on the goal of building secure systems. However, those efforts largely assumed that security could be achieved through improved system design, formal proofs, and increasingly sophisticated control mechanisms; an assumption that proved untenable as systems became more complex, interconnected, and economically constrained.

As the discipline matured, the CIA Triad emerged as the dominant organizing heuristic, reinforced through frameworks, professional certifications, and tooling ecosystems; the de facto cybersecurity first principal so to speak. Despite repeated critiques and attempts to refine or expand it, the triad remained fundamentally system-centric. Subsequent models, such as Zero Trust architectures and Intrusion Kill Chain Prevention frameworks challenged the status quo, but they did not redefine the foundational objective of cybersecurity. Instead, they optimized tactics within an inherited conceptual structure.

Explicit discussions of cybersecurity first principles did not meaningfully appear until the late 2010s. Even then, most efforts either asserted principles without justifying their elemental nature or retreated back to the traditional goal of designing secure systems. Of the works reviewed, Seeley’s 2021 thesis comes closest to a true first-principles analysis by grounding cybersecurity in uncertainty and risk, yet it ultimately stops short of identifying an irreducible, outcome-oriented principle and instead re-enters the secure-systems paradigm.

Taken together, the literature reveals a discipline that recognized its problems early, refined its tools continuously, but rarely questioned its foundational assumptions. While the language of first principles has appeared sporadically, cybersecurity has lacked a unifying, atomic principle from which strategy, tactics, measurement, and governance can be logically derived.

Next week, we will discuss candidates for the ultimate cybersecurity first principle.

Resources

Andrew J. Stewart, 2021. A Vulnerable System: The History of Information Security in the Computer Age [Canon Hall of Fame Candidate]. Goodreads. URL: https://www.goodreads.com/book/show/57645492-a-vulnerable-system. Canon URL: https://cybercanon.org/a-vulnerable-system-the-history-of-information-security-in-the-computer-age/.

Blake E. Strom, Andy Applebaum, Doug P. Miller, Kathryn C. Nickels, Adam G. Pennington, Cody B. Thomas, 2018. MITRE ATT&CK: Design and Philosophy [White Paper]. MITRE. URL https://www.mitre.org/sites/default/files/publications/pr-18-0944-11-mitre-attack-design-and-philosophy.pdf

David Bell and Len LaPadula, 1973. SECURE COMPUTER SYSTEMS: MATHEMATICAL FOUNDATIONS [Paper] URL: https://websites.umich.edu/~cja/LPS12b/refs/belllapadula1.pdf

Donn Parker, 1983, updated 1998. Fighting Computer Crime: A New Framework for Protecting Information [Book]. Goodreads. URL https://www.goodreads.com/book/show/605372.Fighting_Computer_Crime

Dr. Matthew L. Hale, Dr. Robin Gandhi, Dr. Briana B. Morrison, 2021. Introduction to Cybersecurity First Principles [Web Framework]. Nebraska GenCyber. URL https://mlhale.github.io/nebraska-gencyber-modules/intro_to_first_principles/README/

Eric Hutchins, Michael Cloppert, Rohan Amin, 2010. Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains [White Paper]. Lockheed Martin Corporation. URL https://www.lockheedmartin.com/content/dam/lockheed-martin/rms/documents/cyber/LM-White-Paper-Intel-Driven-Defense.pdf

Fred Cohen, 1989. Models of practical defenses against computer viruses [White Paper] Computers & security, 149–160. URL: https://www.semanticscholar.org/paper/Models-of-practical-defenses-against-computer-Cohen/d3640a7d245ee1042ec3f3308b0f1747dfdbfea4

Fred Cohen, 1992. Defense-in-depth against computer viruses [White Paper] Computers and Security 11, 563–579. URL: https://www.semanticscholar.org/paper/Defense-in-depth-against-computer-viruses-Cohen/0332710ef0a81c48f694180a5164bf027e4dd4ba

James Anderson, Eldred Nelson, Melvin Conway, Bruce Peters, Daniel Edwards, Charles Rose, Hilda Faust, Clark Weissman, Steven Lipner, October 1972, Computer Security Technology Planning Study, Volume 1 - Executive Summary [Contracted Research Paper] US Air Force Information Systems Technology Division (Command and Management Systems) - Computer Security Resource Center - NIST. URL https://csrc.nist.gov/files/pubs/conference/1998/10/08/proceedings-of-the-21st-nissc-1998/final/docs/early-cs-papers/ande72a.pdf

James Samuel Coleman, 1998. Foundations of Social Theory [Book]. Goodreads. URL https://www.goodreads.com/book/show/236795.Foundations_of_Social_Theory

JEROME H. SALTZER, MICHAEL D. SCHROEDER, 1975. The Protection of Information in Computer Systems [Journal Article]. Fourth ACM Symposium on Operating System Principles (October 1973). Manuscript received October 11, 1974; revised April 17. 1975. Communications of the ACM, University of Virginia. URL www.cs.virginia.edu/~evans/cs551/saltzer/.

John Kindervag, 2010. No More Chewy Centers: Introducing The Zero Trust Model Of Information Security [White Paper]. Palo Alto Networks. URL https://media.paloaltonetworks.com/documents/Forrester-No-More-Chewy-Centers.pdf

John R. McCumber, October 1991. Information Systems Security: A Comprehensive Model [Proceedings] 14th Annual National Computer Security Conference (NCSC), National Institute of Standards and Technology (NIST) / National Computer Security Center (NCSC), Baltimore, Maryland, 1–4 October 1991, pp. 328–337. URL https://people.cs.georgetown.edu/~clay/classes/spring2009/555/papers/McCumber91.pdf

Nicholas Seeley, 20 December 2021. Finding the Beginning to Discover the End: Power System Protection as a Means to Find the First Principles of Cybersecurity [White Paper] URL: https://objects.lib.uidaho.edu/etd/pdf/Seeley_idaho_0089N_12228.pdf

Niklas Luhmann, 1982. Trust and Power [Book. Goodreads. URL https://www.goodreads.com/book/show/733259.Trust_and_Power

PI Mike Qaissaunee (NCYTE), Dr. John Sands and Susan Sands (Moraine Valley Community College), Jaime Mahoney (Bunker Hill Community College), n.d. Cybersecurity Principles [Interactive lesson]. NCyTE Center. URL https://www.ncyte.net/academia/faculty/cybersecurity-curriculum/college-curriculum/interactive-lessons/cybersecurity-principles

Rick Howard, 2025. Part I: Is the CIA Triad Dead?: Why has the CIA Triad Endured? [Analysis]. Rick’s First Principles Newsletter. URL https://diffuser.substack.com/p/is-the-cia-triad-dead

Rick Howard, 2026. First Principle Thinking [Explainer]. Rick’s First Principles Newsletter. URL https://diffuser.substack.com/p/first-principle-thinking

Ronald A. Howard, Ali Abbas, 2013. Foundations of Decision Analysis [Book]. Goodreads. URL https://www.goodreads.com/book/show/14794158-foundations-of-decision-analysis

Sergio Caltagirone, Andrew Pendergast, Christopher Betz, 2011. The Diamond Model of Intrusion Analysis. Center for Cyber Threat Intelligence and Threat Research [White Paper]. https://www.activeresponse.org/. URL https://www.activeresponse.org/wp-content/uploads/2013/07/diamond.pdf

Shouhuai Xu, 2020. The Cybersecurity Dynamics Way of Thinking and Landscape [White Paper]. Proceedings of the 7th ACM Workshop on Moving Target Defense, Pages 69 - 80 . URL https://dlnext.acm.org/doi/10.1145/3411496.3421225

Willis H. Ware et al, 11 February 1970. The Ware Report: SECURITY CONTROLS FOR COMPUTER SYSTEMS (U): Report of Defense Science Board [Study] Defense Science Board - Task Force on Computer System Security - The Rand Corporation - Computer Security Resource Center - NIST. URL: https://csrc.nist.gov/csrc/media/publications/conference-paper/1998/10/08/proceedings-of-the-21st-nissc-1998/documents/early-cs-papers/ware70.pdf

For first principles must not be derived from one another nor from anything else, while everything has to be derived from them.

—Aristotle, philosopher

…in order to study the acquisition of [knowledge], we must commence with the investigation of those first causes which are called Principles.

—Rene Descartes, philosopher

I think it’s important to reason from first principles rather than by analogy…. [With first principles] you boil things down to the most fundamental truths…and then reason up from there.

—Elon Musk, SpaceX founder

How Do People Solve Problems?

Most people don’t start from first principles. They start with derivative thinking. When I have a problem to solve, I generally look around to see if anybody else has solved it already and steal their work (Hey - don’t judge me. The goal is to get the job done, not produce original work.) If there are no available solutions, then I look around for solutions to problems that are related to mine, not exactly identical but in the same ballpark, and then I steal that solution. Sometimes, the community has produced standards or the government has passed compliance laws that dictate what I should do. If that’s the case, then that’s an easy steal. And sometimes, I’m not looking for a new solution at all. I’m just interested in improving the existing system a little bit.

To simplify, for known solutions to common problems or, if you like, derivative thinking, you generally have four choices.

• Precedent (How has this been done before?)

• Analogy (This looks like X, so I’ll do something similar.)

• Authority (What do experts / standards / competitors do?)

• Incrementalism (Take the current system and improve it slightly.)

If I’m trying to learn how to scramble an egg, it’s easy enough to find a YouTube video of Gordon Ramsey showing how he does it (Precedent). If I’m trying to scramble an ostrich egg, Ramsey’s video will probably be good enough (Analogy). If I’m scrambling an egg for a new diner I’m opening in my home state of Virginia, then the Virginia Administrative Code (12VAC5‑421: Food Regulations, Chapter 421) probably has something to say in the matter (Authority). And if I just want to make my scrambled egg more fluffy in the morning, Ramsey’s advanced class on breakfast meals can help me there (Incrementalism).

No Workable Solution for Cybersecurity

For cybersecurity though, from the very beginning, vendors and governments have provided a recommended solution set since the late 1970s. I’ve been in the industry for over 30 years and, for all the advances made in that period (1990s until today), cyber bad guys are still remarkably successful. Here’s what I mean.

Even though it’s tough to calculate real numbers between the good old days of the 1990s (since we didn’t keep track of them that well) and today, we can do some back-of-the-envelope calculations about the estimated annual monetary loss attributable to cyber attacks on public companies. Adjusting for inflation, I estimate that in the 1990s, the loss was between $80m and $150m dollars (USD) worldwide. In the 2020s, I estimate the range to be between $15 billion and $20 billion. That’s at least a 100X increase depending on how you count it.

When viewed through that lens, the solutions pursued by the infosec community do not appear to be effective. My peers and I have relied on precedent, analogy, authority, and incremental improvement, yet none of these approaches has eliminated the problem.

If there is no known solution set that stops cyber bad guys from being successful, maybe we haven’t identified the correct problem that we are all trying to solve. Maybe, we’ve simply tackled symptoms of the problem, like

• Vulnerability management to patch buggy software.

• Red teaming to find unknown design flaws in our networks.

• Incident response to formalize how to react to crisis moments.

• and lots of other things.

But as I said, cyber bad guys still have amazing success. I have to say, after a full career in cybersecurity, that’s disconcerting.

First Principle Thinking

First-principle thinking is a different way to solve problems. Rather than looking at what’s been done before and taking the next step, you first reduce the problem to irreducible truths and build up from there. Contrary to accepting assumptions, conventions, analogies, or best practices, you ask what must be true at the lowest possible level and what can be logically derived from that foundation. It’s problem solving 101. While you’re breaking the problem into smaller bits, ignore any previous assumptions or best practices that have constrained past solutions. The difference between the two approaches then is that derivative reasoning optimizes within existing frameworks and first-principle thinking questions whether those frameworks are valid at all. And that’s what I’m proposing here. I’m pretty sure our cybersecurity derivative thinking over the last 30 years isn’t valid.

Origin of First Principle Thinking

The idea of first principles goes all the way back to the great philosopher Aristotle (384–322 BCE) in his published work Physics (about 340 BCE), where he established his initial concepts of natural philosophy, the study of nature (physis). Before he starts his main thesis, though, he establishes that we can’t really understand a concept completely until we understand its essence:

For we do not think that we know a thing,

until we are acquainted with its primary conditions or first principles,

and have carried our analysis as far as its simplest elements.

He describes his method for finding these primary conditions by taking what we think we know from casual observation and working our way back to the core of it. He says,

The natural way of doing this

is to start from the things which are more knowable and obvious to us

and proceed towards those which are clearer and more knowable by nature.

He makes it clear, though, that these indivisible explanatory causes, we would call them atomic ideas today, are unique building blocks, and all study starts there.

For first principles must not be derived from one another

nor from anything else,

while everything has to be derived from them.

Once you find these essential concepts, they are the “big bang” to the overall hypothesis.

First principles are eternal and have no ulterior cause.

A Sampling of First Principle Thinkers in History

Euclid, the ancient Greek mathematician, never mentions “first principles” in his foundational math book Elements (~300 BCE). But, his sparse presentation of 23 definitions, five assumptions (postulates or axioms), and five common notions has been the underlying bedrock of geometry and other math disciplines for more than 23 centuries. His book is a clear demonstration of how first-principle reasoning can produce long lasting coherent systems with extraordinary explanatory power. As President Lincoln said about Euclid in the 2012 movie,

“[They are rules] of mathematical reasoning. [They’re] true because [they] work. Has done and always will do. In his book, Euclid says that this is self-evident.”

In 1644, René Descartes, the greatest philosophical doubter of all time, and the father of modern philosophy, published Principles of Philosophy. He begins by outlining the essence of philosophical thinking:

… the word PHILOSOPHY signifies the study of wisdom,

and that by wisdom is to be understood,

not merely prudence in the management of affairs,

but a perfect knowledge of all that man can know,

as well for the conduct of his life,

as for the preservation of his health,

and the discovery of all the arts.

Now that’s a gigantic research goal. How would you ever pursue it? He says, to procure that understanding, we must infer it from initial sources.

To subserve these ends, must necessarily be deduced from first causes;

so that in order to study the acquisition of it (which is properly called philosophizing),

we must commence with the investigation of those first causes,

which are called PRINCIPLES.

He then says that these first principles must meet two requirements.

In the first place, they must be so clear and evident

that the human mind,

when it attentively considers them,

cannot doubt of their truth;

in the second place, the knowledge of other things

must be so dependent on them

as that though the principles themselves

may indeed be known apart from

what depends on them.

What he means is that all knowledge about the subject comes from these first principles.

It will accordingly be necessary thereafter to endeavor so

to deduce from those principles

the knowledge of the things that depend on them,

as that there may be nothing in the whole series of deductions

which is not perfectly manifest.

One thing to note here is that finding first principles for any subject is hard. It requires us to willingly discard accepted best practices and think deeply about what is fundamental. It means we are questioning the status quo and have to be willing, in public, to be considered crazy for long periods. First Principle thinking challenges authority, invalidates sunk costs, and threatens professional identity. It breaks standards and frameworks and requires saying “everyone before us was wrong.”

With his book, Descartes completely upended the current philosophical thinking of the day saying that Aristotle and his contemporaries (Plato and Socrates) never found the first principle of philosophy. Ouch! Descartes’ approach, by doubting everything, established the ultimate first principle of philosophy:

“I think, therefore I am (Cogito, ergo sum).

Two British mathematicians, Alfred Whitehead and Bertrand Russell, published a book, Principia Mathematica, in 1910, that attempted to rebuild the language of math from the ground up using a small set of first principles. They recognized some inconsistencies in the current set of rules used by the math community at the time. You could use the same rules to get two different and absolutely correct results, something called the Russell paradox. In a precision engineering world, that was a recipe for disaster. So, they went back to the drawing board, threw everything out, and started from scratch. It took them 80 pages to mathematically prove that 1 + 1 = 2. In a footnote, Whitehead and Russell famously wrote this line:

The above proposition is occasionally useful.

And you all thought that math nerds weren’t funny. Shame on you.

Modern Day First Principle Thinkers

In our modern day, when asked about how he approached the concepts of economic space flights, Elon Musk didn’t say that he looked at what NASA and Boeing had done during the Apollo and Space Shuttle missions in the 1960s and 1970s and took the next step. Instead, he threw all of that out and started over with first principles; a gutsy move for sure but that’s probably why he is a gazillionaire, and I’m not.

In the last 30 years, there are many other examples where upstart businesses or new cybersecurity strategy thought leaders completely changed the world by identifying the atomic first principle in their associated problem domains. Here are just a few:

• 1995: Jeff Bezos (Amazon Store): Real time logistics vs real estate ownership.

• 1999: Marc Benioff (Salesforce): Software as a Service (leased) vs software ownership.

• 2006: Jeff Bezos (Amazon Cloud): Infrastructure (compute and storage) as a service vs ownership.

• 2007: Steve Jobs (Apple iPhone): Handheld devices are computers that make phone calls vs mobile phones that have some computer capability.

• 2010: Reed Hastings (Netflix): On-demand movie viewing flexibility vs appointment TV.

• 2010: John Kindervag (Zero Trust): Continuously verify entities and access permissions vs trusting everybody and everything inside the perimeter.

• 2010: Eric Hutchins, Michael Cloppert, and Rohan Amin (Intrusion Kill Chain Prevention): Deploy prevention and detection controls for specific known adversaries vs generic controls that might apply to any adversary.
  2012: Elon Musk (Tesla): Electric cars need ubiquitous power stations vs longer battery life.

Note the two cybersecurity entries in that list, the white papers from Kindervag on Zero Trust and from Hutchins, Cloppert, and Amin on Intrusion Kill Chains. Yes, even cybersecurity nerds can be first principle thinkers. I will note however, that even these game changer ideas (Zero Trust and Intrusion Kill Chain Prevention) didn’t solve the problem. The monetary cost still skyrocketed.

Take Away

If we accept monetary loss as a rough but meaningful signal, the conclusion is uncomfortable: despite decades of investment, frameworks, standards, tools, and expertise, cybersecurity outcomes have worsened, not improved. Adjusted for inflation, losses have increased by orders of magnitude. That alone should force us to question whether we are solving the right problem at all.

For thirty years, the infosec community, including me, has relied almost exclusively on derivative thinking. We borrowed what worked elsewhere, followed authority, complied with standards, optimized existing systems, and incrementally improved controls. That approach works well when the underlying model is sound. But when the model itself is wrong, incremental improvement simply entrenches failure more efficiently.

First-principle thinkers throughout history did not accept persistent failure as inevitable. When outcomes contradicted expectations, they assumed the assumptions were wrong. They discarded precedent, challenged authority, and rebuilt their understanding from irreducible truths. That process was slow, uncomfortable, professionally risky, and often ridiculed, but it was also how durable progress was made.

Cybersecurity now sits at that same inflection point. If attackers remain consistently successful, then prevention, detection, response, and compliance, while necessary, are almost certainly symptoms, not causes. Until we identify the true first principles of cybersecurity, we will continue to optimize the wrong system and wonder why the results never change.

The next step, then, is not another framework, maturity model, or control catalog. It is the harder task: to clearly define the atomic first principles of cybersecurity itself. I wrote a book about that and I will look at that next week.

Source

Rick Howard, 2023. Cybersecurity First Principles: A Reboot of Strategy and Tactics [Book]. Amazon. URL: https://amzn.to/4mI7QMU

Buy on Amazon

References

Alfred North Whitehead and Bertrand Russel, 1910. Principia Mathematica, Vol 1., Vol 2. Vol 3. [Books] URL: https://www.goodreads.com/book/show/6482515-principia-mathematica-vol-1

Aristotle, 350 BCE. Physics. [Book] MIT Classics. URL: https://classics.mit.edu/Aristotle/physics.mb.txt

Ashlee Vance, 2015. Elon Musk: Tesla, SpaceX, and the Quest for a Fantastic Future [Book]. URL: https://www.goodreads.com/book/show/25541028-elon-musk

Colby Hopkins, 2023. The History of Amazon and its Rise to Success [History]. Michigan Journal of Economics. URL: https://sites.lsa.umich.edu/mje/2023/05/01/the-history-of-amazon-and-its-rise-to-success/

Drake Baer, 2015. Elon Musk Uses This Ancient Critical-Thinking Strategy To Outsmart Everybody Else [Analysis] Business Insider. URL: https://www.businessinsider.com/elon-musk-first-principles-2015-1

Eric Hutchins, Michael Cloppert, Rohan Amin, 2010. Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains [White Paper]. Lockheed Martin Corporation. URL https://www.lockheedmartin.com/content/dam/lockheed-martin/rms/documents/cyber/LM-White-Paper-Intel-Driven-Defense.pdf

Euclid, 300 BCE. Euclid’s Elements of Geometry [Book] Richard Fitzpatrick Collection, The University of Texas at Austin. Translated from the The Greek text of J.L. Heiberg (1883–1885). URL: https://farside.ph.utexas.edu/Books/Euclid/

Harry Deutsch, Oliver Marshall, and Andrew David Irvine, 1995 (First published); 2024 (substantive revision). Russell’s Paradox [Explainer]. Stanford Encyclopedia of Philosophy. URL: https://plato.stanford.edu/archives/win2025/entries/russell-paradox

Jeff Barr, 2014. Eight Years (And Counting) of Cloud Computing [History]. Amazon Web Services. URL https://aws.amazon.com/blogs/aws/eight-years-and-counting-of-cloud-computing/

John Kindervag, 2010. No More Chewy Centers: Introducing The Zero Trust Model Of Information Security [White Paper]. Palo Alto Networks. URL https://media.paloaltonetworks.com/documents/Forrester-No-More-Chewy-Centers.pdf

Kevin Rose, 2012.Elon Musk and Kevin Rose [Interview]. Kevin Rose Show - YouTube. URL:

Rene Descartes, 1644. The Principles of Philosophy [Book] Translated by John Veitch, Late Professor of Logic and Rhetoric in the University of Glasgow. URL: https://www.fulltextarchive.com/book/The-Principles-of-Philosophy/

Rick Howard, 2025. Part I: Is the CIA Triad Dead?: Why has the CIA Triad Endured? [Essay] First Principles Consulting Newsletter - Substack. URL: https://diffuser.substack.com/p/is-the-cia-triad-dead

Staff, 2007. Apple Reinvents the Phone with iPhone [Announcement]. Apple. URL https://www.apple.com/newsroom/2007/01/09Apple-Reinvents-the-Phone-with-iPhone/

Staff, 2012. Tesla Motors Launches Revolutionary Supercharger Enabling Convenient Long Distance Driving [Announcement]. Tesla Investor Relations. URL https://ir.tesla.com/press-release/tesla-motors-launches-revolutionary-supercharger-enabling

Staff, 2016. Marc Benioff [Profile]. MIT Initiative on the Digital Economy. URL https://ide.mit.edu/people/marc-benioff/

Steven Spielberg (Director), Sir Daniel Michael Blake Day-Lewis (Actor), 2012. Lincoln [Movie] URL: https://letterboxd.com/film/lincoln/

Steven Spielberg (Director), Sir Daniel Michael Blake Day-Lewis (Actor), 2012. Euclids’ Statement of Equality [Movie] Gentle WorldOrg - YouTube. URL:

William L. Hosch, Nancy Ashburn, n.d. Netflix [History]. Encyclopedia Britannica. URL https://www.britannica.com/money/Netflix-Inc

Willis H. Ware et al, 11 February 1970. The Ware Report: SECURITY CONTROLS FOR COMPUTER SYSTEMS (U): Report of Defense Science Board [Study] Defense Science Board - Task Force on Computer System Security - The Rand Corporation - Computer Security Resource Center - NIST. URL https://csrc.nist.gov/csrc/media/publications/conference-paper/1998/10/08/proceedings-of-the-21st-nissc-1998/documents/early-cs-papers/ware70.pdf

I’ve been in love with the King Arthur legend since I was a wee lad: noble knights in shining armor (Lancelot, Sir Galahad), heroic quests (the Holy Grail, the Lance of Longinus, The Questing Beast, The Dolorous Guard), chivalry (protect the weak and defenseless), mysterious wizards (Merlin, Morgan le Fay), magical entities (the Lady in the Lake, fairies, Avalon), magical weapons (Excalibur, Clarent, Galatine), and the adulterous love affair between Lancelot and Queen Guinevere that breaks the round table. I love all that stuff.

When I found out Lev Grossman had written a version of it, I was intrigued.. He’s the author of the excellent Magicians series, essentially Harry Potter for adults. Even better, Syfy adapted the book into a strong five-season TV series that ran from 2015 to 2020. I was in.

I read T.H. White’s “The Once and Future King” when I was in high school, but I have to admit, the stories didn’t cohere for me. They are at best, disjointed, and many are told secondhand. Characters have no depth or consistency. But I loved the idea of the round table and chivalrous knights. So, of course, I ran to the theater with my fiancé (now wife) to see the 1981 movie “Excalibur.” I liked it but it was a mishmash of stories similar to White’s book and just plainly weird. I still loved the lore though.

Grossman fixes all of that. He presents a through line that I hadn’t seen before. Each character has a well-described back story, a narrative arc, that contributes to the overall saga. He doesn’t try to make everything realistic like in the Bernard Cornwell series, “The Warlord Chronicles;” a historical fiction trilogy that reimagines the Arthurian legend in a gritty, realistic setting of post-Roman Britain. No, he embraces the anachronisms like knights wearing plate armor, England, tournaments, castles, and Camelot. He expertly weaves magic into the story, such as casually sidestepping into the fairy world, as if it were as ordinary as eating breakfast in the morning.

At the end, Grossman writes a fascinating historical footnote that describes the Arthurian legend. He says that Arthur likely started in a collection of elegies for fallen warriors called “Y Gododdin.” And then, for 1400 years, each author that picked up the story added their own twist. Geoffrey of Monmouth (”Historia Regum Britanniae) in the twelfth century promoted Arthur to king, invented Merlin, and the “traitorous nephew—not yet son—named Mordred.” The Norman poet, Wace, added the Round Table 20 years later. Poet Chrétien de Troyes added the Holy Grail, Camelot, and the Arthur-Guinevere-Lancelot love triangle.

Grossman says that “Arthur didn’t spring to life fully formed, he was deposited in layers, slowly, over centuries, like the geological strata of a landscape... by authors who weren’t much interested in historical rigor.”

That is fascinating.

Back in the 1990s, my wife and I did a spur-of-the-moment trip to England. We didn’t have a plan. We we’re just trying to get away. We decided that we would just chase the Arthur legend. We visited Castle Tintagel (Arthur’s birthplace), Camelot (now a cow pasture), Glastonbury (site of the legendary Isle of Avalon where Arthur was taken to heal after his final battle, Arthur and Guinevere’s burial site, a rest stop where Joseph of Arimathea is said to have brought the Holy Grail, and entrance to the fairy realm of Annwn). It didn’t matter that none of that is true in the historical sense. All of those locations invoked the feeling of the Arthurian legend and I was in heaven.

If you’re a King Arthur fan, Grossman’s book is for you. It invokes the Arthurian legend in a fresh and coherent way unlike anything I have experienced before.

• Recommended for Arthurian Legend Fans

• Recommended for Lev Grossman fans

• Recommended for “The Magicians” book series and TV show.

• Needs to be a movie

Source

Lev Grossman, 2024. The Bright Sword [Book]. Narrated by Nicholas Guy Smith. Goodreads. URL https://www.goodreads.com/book/show/201750794-the-bright-sword

References without Notes

Alfred Tennyson, 1885. Idylls of the King [Book]. Goodreads. URL https://www.goodreads.com/book/show/393636.Idylls_of_the_King

Aneirin, 1300. Y Gododdin [Poem]. Goodreads. URL https://www.goodreads.com/book/show/1250908.Y_Gododdin.

Bernard Cornwell, 1994. The Winter King (The Warlord Chronicles, #1) [Book]. Goodreads. URL https://www.goodreads.com/book/show/68520.The_Winter_King

Bernard Cornwell, 1996. Enemy of God (The Warlord Chronicles, #2) [Book]. Goodreads. URL https://www.goodreads.com/book/show/68524.Enemy_of_God

Bernard Cornwell, 1997. Excalibur (The Warlord Chronicles, #3) [Book]. Goodreads. URL https://www.goodreads.com/book/show/68521.Excalibur

Boorman, J., 1981. Excalibur [Movie]. IMDb. URL https://www.imdb.com/title/tt0082348/

Geoffrey of Monmouth, 1136. Historia Regum Britanniae: Arthurian Classics [Book]. Goodreads. URL https://www.goodreads.com/book/show/51523760-historia-regum-britanniae

Lev Grossman, 2009. The Magicians (The Magicians, #1) [Book]. Goodreads. URL https://www.goodreads.com/book/show/6101718-the-magicians

Sera Gamble, John McNamara, 2015. The Magicians [5 Season TV Series 2015 - 2020]. IMDb. URL https://www.imdb.com/title/tt4254242/

Thomas Malory, 1485. Le Morte d’Arthur: King Arthur and the Legends of the Round Table [Book]. Goodreads. URL https://www.goodreads.com/book/show/672875.Le_Morte_d_Arthur

T.H. White, 1958. The Once and Future King [Book]. Goodreads. URL https://www.goodreads.com/book/show/43545.The_Once_and_Future_King