PRESS RELEASE: Cambridge Global Advisors CEO Jake Braun Receives O’Reilly Defender Award for Elevating U.S. Voting Infrastructure Cybersecurity Concerns

November 3, 2017 (New York, NY) – This week, CEO of Cambridge Global Advisors (CGA) Jake Braun was awarded the O’Reilly Defender Award for Research at the annual O’Reilly Security Conference in New York City.  The award “celebrates those who have demonstrated exceptional leadership, creativity, and collaboration in the defensive security field.” It was given to Mr. Braun for his recent contributions in the “Voting Machine Hacker Village” at DEFCON and for increasing awareness around cyber threats and vulnerabilities in U.S. election and voting infrastructure. 

The “Voting Village” was an innovative three-day demonstration (July 27-30, 2017) held in Las Vegas at DEFCON – the world’s largest, longest-running hacker conference – that assembled more than 25 pieces of election equipment including voting machines and pollbooks still widely used in U.S. elections today.  The Voting Village made them accessible to 1000+ hackers who were encouraged to test the technology and expose cyber vulnerabilities for educational purposes. The event’s concept was born out of U.S. intelligence reports regarding Russian attempts to interfere in the 2016 elections and the U.S. Department of Homeland Security’s recent confirmation that voter registration databases in at least 21 states were breached last year. 

Mr. Braun shared the O’Reilly Defender award with several other “Voting Village” colleagues including Matt Blaze (University of Pennsylvania), Joseph Lorenzo Hall (Center for Democracy & Technology), Harri Hursti (Nordic Innovation Labs), Margaret MacAlpine (Nordic Innovation Labs) and Jeff Moss (DEFCON).  Last month, this six-person team released a report on the Voting Village findings. Together, the team has been elevating concerns around vulnerabilities in U.S. election equipment and networks and is currently working to assemble stakeholders critical to invoking policy change at the federal, state and local level ahead of nationwide elections in 2018.

Speaking of the award, Jake Braun said: “The Voting Village was about exposing the weaknesses in our voting systems and finding ways to educate others, especially in light of what we know about Russia’s attempts to hack the 2016 Presidential Election. I am immensely proud of this award, which serves as a recognition that voting security is more than just a cyber or hacker issue. Protecting the vote is indeed a national security imperative that requires our leaders band together to find solutions.”

In addition to his CEO role at CGA, Mr. Braun currently serves as a faculty member at the University of Chicago where he teaches cybersecurity policy. He is also a former White House and Public Liaison for the U.S. Department of Homeland Security and remains an advisor to DHS and the Pentagon on cybersecurity issues.

IN-THE-NEWS: CGA's Nate Snyder Participates in Panel with Former CIA Director John Brennan

Cambridge Global Advisors (CGA) is proud to announce the participation of Nate Snyder, former senior counterterrorism official in the Department of Homeland Security and current CGA employee, in last Wednesday's discussion with John Brennan, former Director of the Central Intelligence Agency, regarding the outlook of global security. The event was hosted by The Center on National Security at Fordham University School of Law in New York, where Brennan is Distinguished Fellow for Global Security. It was attended by widely recognized national security thought leaders, published researchers, current CT practitioners, national media, and national security correspondents.

The conversation was moderated by David Ignatius, columnist for the Washington Post. Video of the conversation can be found here.  

IN-THE-NEWS: CGA Supports DEFCON on Issuing Report on Voting-Village/Election Security

Cambridge Global Advisors (CGA) was pleased to partner with DEFCON and the Atlantic Council to issue a new report on the findings of DEFCON's first-ever Voting Machine Hacking Village.  Held at DEFCON in Las Vegas in July, the Voting Village allowed thousands of participants to "hack" several pieces of election equipment still in use in U.S. elections today.  On the heels of news regarding Russian attempts to infiltrate and influence our elections in 2016, the Village and this timely report add to the growing understanding of the vulnerabilities facing our democracy today.

Cambridge CEO Jake Braun helped to bring the Village to DEFCON this year, as well as helped to author the report and moderate the report launch event on October 10, 2017 in DC.  CGA Partner and former U.S. Ambassador to NATO, Doug Lute, also participated in the event as a panelist discussing the national security implications of foreign hacking attempts aimed at U.S. elections and our democracy.

Watch the full event at CSPAN.

Download the full report from DEFCON.org

Read a full clips-wrap up

IN-THE-NEWS: CGA cited in Politico: "Hacker study: Russia could get into U.S. voting machines"

American voting machines are full of foreign-made hardware and software, including from China, and a top group of hackers and national security officials says that means they could have been infiltrated last year and into the future.

DEFCON, the world’s largest hacker conference, will release its findings on Tuesday, months after hosting a July demonstration in which hackers quickly broke into 25 different types of voting machines.

The report, to be unveiled at an event at the Atlantic Council, comes as the investigation continues by four Hill committees, plus Justice Department special counsel Robert Mueller, into Russian meddling in the 2016 elections, on top of the firm intelligence community assessments of interference.

Though the report offers no proof of an attack last year, experts involved with it say they’re sure it is possible—and probable—and that the chances of a bigger attack in the future are high.

“From a technological point of view, this is something that is clearly doable,” said Sherri Ramsay, the former director of the federal Central Security Service Threat Operations Center, which handles cyber threats for the military and the National Security Agency. “For us to turn a blind eye to this, I think that would be very irresponsible on our part.”

Often, voting machine companies argue that their supply chain is secure or that the parts are American-made or that the number of different and disconnected officials administering elections would make a widespread hack impossible. The companies also regularly say that since many machines are not connected to the internet, hackers’ ability to get in is limited.

But at the DEFCON event in Las Vegas, hackers took over voting machines remotely and exposed personal information in voter files and more.

Las Vegas was a timed event to prove a point. But the hackers say that taking the machines apart in the months since has exposed deeper vulnerabilities. Parts and programs that could easily be embedded with malware and sleeper commands are being incorporated from all over the world, from suppliers and shippers without clear security measures.

That easily opens the possibility that a country with large resources and a long-term view—like Russia—could get access.

It sounds like science fiction, or at least “Ocean’s 11,” but cybersecurity experts are frantically waving their hands, trying to get Americans to see that in foreign capitals, the American voting system just looks like easy opportunity.

Ramsay, who’s been talking with DEFCON about the report but isn’t a formal advisor, pointed out the U.S. is exposed well beyond voting machines, with the same “supply chain” issue creating risks to the electrical grid, the banking system and beyond. She pointed to the Ukrainian power grid’s being shut down twice in the last two years, which researchers have said looks like either Russia flexing its muscle against a rival country, or worse, practicing for a larger American attack.

Security experts and some lawmakers investigating Russia’s digital meddling in the 2016 election have called on voting machine vendors to offer up their code outside for inspection, but the firms have resisted.

The DEFCON report findings are especially compelling in light of the Department of Homeland Security’s recent notification to 21 states last month of Russian attempts to intervene in the 2016 elections.

“We can now definitively say that the Russians could hack our entire elections, remotely, all at once,” said Jake Braun, a former DHS official who’s now the CEO of Cambridge Global Advisors.

Some measures to combat these issues would be complicated, like changing the entire manufacturing process for the machines, and discarding any that have ever been connected to the internet or lack an audit process. Some are as basic as changing a password —the report states that one machine “was found to have an unchangeable, universal default password – found with a simple Google search – of ‘admin’ and ‘abcde.’”

Though President Donald Trump has repeatedly dismissed talk of election hacking attempts, concerns are mounting that Russia and others are already moving to the next incursion.

“What really concerns me is having suffered these probing attacks last year, we may be in for an even more sophisticated, more potentially effective assault next time around—and oh, by the way, others were watching,” said Ambassador Doug Lute, a retired Army lieutenant general who served as the permanent representative to NATO from 2013-2017.

Lute wrote the introduction to the DEFCON report, and said that from watching Russian President Vladimir Putin in action, he is anxious about what looks likely to come based on what he’s already seen, and feels like alarms should be ringing about voting in the 2018 midterms.

“It felt eerily familiar to Russian military tactics,” Lute said. “And it felt very uncomfortable in terms of how little time we have.”

This article originally appeared in Politico, October 9, 2017.

COMMENTARY: DHS office leading the way on federal cyber innovation

This article originally appeared in Fifth Domain, September 26, 2017.

By: Chris Cummiskey

It isn’t often that the words innovation and government find their way into the same sentence. When they do, it is often to decry the lack of innovation in government practices. Silicon Valley and other corporate leaders have long lamented that the federal government just doesn’t seem to understand what it takes to bring innovation to government programs.

One office in the federal government is having an outsized, positive impact on bringing private sector innovation to government cybersecurity problem solving. The Cybersecurity Division (CSD) of the Science & Technology Directorate at the Department of Homeland Security has figured out how to crack the code in swiftly delivering cutting edge cyber technologies to the operators in the field. Some of these programs include: cybersecurity for law enforcement, identity management, mobile security and network system security.

The mission of CSD is to develop and deliver new technologies and to defend and secure existing and future systems and networks. With the ongoing assault on federal networks from nation-states and criminal syndicates, the mission of CSD is more important than ever.

CSD has figured out how to build a successful, actionable strategy that produces real results for DHS components. Their paradigm for delivering innovative cyber solutions includes key areas such as a streamlined process for R&D execution and technology transition, international engagement and the Silicon Valley Innovation Program (SVIP).

R&D Execution and Technology Transition

One of the greatest impediments to taking innovative ideas and putting them into action is the federal acquisition process. As a former chief acquisition officer at DHS, I certainly understand why there needs to be federal acquisition regulations. The challenge is these regulations can be used to stifle the government’s ability to drive innovation. I am encouraged by the efforts to overcome these obstacles by federal acquisition executives like DHS Chief Procurement Officer Soraya Correa – who is leading the fight to overcome these hurdles.

Under the leadership of Dr. Doug Maughan, CSD has created a process with the help of procurement executives that swiftly establishes cyber capabilities and requirements with input from the actual users. They have designed a program that accelerates the acquisition process to seed companies to work on discrete cyber problems. The CSD R&D Execution Model has been utilized since 2004 to successfully transition over 40 cyber products with the help of private sector companies. The model sets up a continuous process that starts with workshops and a pre-solicitation dialogue and ends with concrete technologies and products that can be utilized by the operators in the various DHS components. To date, the program has generated cyber technologies in forensics, mobile device security, malware analysis, hardware-enabled zero-day protections and many others.

International Engagement

Maughan often states that cybersecurity is a global sport. As such, many of the challenges that face the United States are often encountered first by other countries. Maughan and his team have worked diligently to leverage international funding for R&D and investment. CSD is regularly featured at global cyber gatherings and conferences on subjects ranging from international cyber standard setting to sharing R&D requirements for the global entrepreneur and innovation communities.

Silicon Valley Innovation Project (SVIP)

It seems like the federal government has been trying to get a foothold in Silicon Valley for decades. Every president and many of their cabinet secretaries in recent memory have professed a desire to harness the power of innovation that emanates from this West Coast enclave. One of the knocks on the federal government is that it just doesn’t move fast enough to keep pace with the innovation community. Maughan and the folks at CSD recognize these historic impediments and have moved deftly to build a Silicon Valley Innovation Project (SVIP) that is delivering real results. To help solve the hardest cyber problems facing DHS components like the Coast Guard, Customs and Border Protection, the United States Secret Service and the Transportation Safety Administration, SVIP is working with Silicon Valley leaders to educate, fund and test in key cyber areas. The program is currently focusing on K9 wearables, big data, financial cybersecurity technology, drones and identity. The SVIP has developed an agile funding model that awards up to $800,000 for a span of up to 24 months. While traditional procurement processes can take months, the SVIP engages in a rolling application process where companies are invited to pitch their cyber solutions with award decisions usually made the same day. The benefits of this approach include: speed to market, extensive partnering and mentoring opportunities for the companies and market validation.

Conclusion

Moving innovative cyber solutions from the private sector to the federal government will always be a challenge. The speed of innovation and technological advancement confounds federal budget and acquisition processes. What Maughan and CSD have proven is that with the right approach these systems can complement one another. This is a huge service to the men and women in homeland and cybersecurity that wake up every day to protect our country from an ever-increasing stream of threats.

Chris Cummiskey is a former acting under secretary/deputy under secretary for management and chief acquisition officer at the U.S. Department of Homeland Security.

IN-THE-NEWS: Douglas Lute Joins ABC This Week with George Stephanopoulos to talk Afghanistan

CGA Principal and former NATO Ambassador Douglas Lute told ABC News Chief Anchor George Stephanopoulos in an interview on "This Week" Sunday that the United States is stuck in a political and military stalemate in Afghanistan, and it is unclear whether President Donald Trump's new strategy in the country will resolve it.  Read more here

IN-THE-NEWS: CNN Segment on DEFCON Voting Machine Hacking Village

At the DEFCON hacking conference, hackers were invited to try their hand at infiltrating the technology we rely on every election, including voting machines and a mock elections office.  Cambridge Global CEO, Jake Braun -- the "brain-child" of the demonstration -- describes how this could be the biggest threat to our American democracy in modern history.  CNNTech's Laurie Segall reports.

Watch the VIDEO SEGMENT here

WHITE PAPER: Govnet: An Architecture for a More Secure Federal Civilian Network

In a new white paper sponsored by Northrop Grumman, CGA makes the case for "GOVNET."

Summary:  For almost two decades, Federal cybersecurity leaders have debated the merits of consolidating 100+ Federal civilian agency networks into a single, federated enterprise network. This concept was dubbed “Govnet” in the Bush Administration. While at that time the technology to implement the proposal was in its infancy, today advances in networking provide a practical approach.  This paper reviews the feasibility and benefits of creating Govnet today to provide a sound basis for discussion as the Trump Administration and Congress consider next steps to secure Federal information systems.  Download the full white paper.

PRESS RELEASE: First-Ever DEFCON "Voting Machine Hacker Village" Highlights Vulnerabilities in U.S. Voting Systems

Cambridge Global participates in event to bring together critical stakeholders to elevate cyber threats, identify solutions to safeguard our elections

Las Vegas, NV – In light of recent headlines concerning Russian attempts to “hack” and interfere in the 2016 U.S. elections, DEFCON – one of the world's largest and best-known hacker conventions – debuted an interactive "Voting Machine Hacker Village" today at its annual gathering in Las Vegas. The first of its kind in the conference's 25-year history, the Voting Village provided a national stage for hackers, voting experts, government officials and others to raise the alarm on cyber vulnerabilities and threats related to U.S. voting machines, networks, and voter file databases currently in use around the nation.

Cambridge Global Advisors (CGA) – a strategic advisory services firm with deep expertise in cyber and homeland security policy at the global, national, state and local level – provided support to the Voting Village by way of concept development, media outreach, and stakeholder engagement. CGA also contributed to the day-long speaking program, with Jake Braun, CEO of CGA emceeing speeches and panels featuring subject matter experts from a variety of public and private sector organizations such as Verified Voting, the Center for Internet Security, National Governors Association, and National Institute of Standards and Technology (NIST).  

“Without question, our voting systems are weak and susceptible. Thanks to the contributions of the hacker community today, we've uncovered even more about exactly how,” said Jake Braun, who originally proposed the idea of the Voting Village to conference founder Jeff Moss earlier this year. “The scary thing is we also know that our foreign adversaries – including Russia, North Korea, Iran – possess the capabilities to hack them too, in the process undermining principles of democracy and threatening our national security.”

Douglas Lute, CGA principal and former U.S. Ambassador to NATO, also spoke at the conference on Friday, noting the importance of bringing the national security community to the table. “Elections have always been the concern and constitutional responsibility of state and local officials. But when Russia decided to interlope in 2016, it upped the ante. This is now a grave national security concern that isn't going away,” said Lute via Skype. “In the words of former FBI Director James Comey, ‘They're coming after America...they will be back.’”

The Voting Village featured more than 30 pieces of equipment for hackers to try their hand at, along with a cyber training range that simulated a board of elections office network and voter registration database.  Within the first 90 minutes, hackers successfully hacked several pieces of equipment, including a machine and pollbook.  The village is expected to be a fixture for DEFCON for at least the next three years, with more equipment, software and other hacking demonstrations to be added in the future.

Voting Village organizers also said that DEFCON provided an initial forum to convene various stakeholders that will be critical to forwarding solutions as a next step. Post-DEFCON, Cambridge Global and others will work to align allies for a national advocacy campaign to implement election security measures in all fifty states. Details and a campaign launch date are expected in the coming weeks.

“The Voting Hacking Village was just the start. This is one conversation that needs to leave Vegas,” said Braun. “There are ways to secure our democracy, but we need an organized advocacy campaign. We need to take these lessons back to DC, to state capitals, and to local election boards around the country to invoke change.”

About CGA

Cambridge Global Advisors (CGA) is a strategic advisory services firm with deep expertise and experience at the global, national, state and local level.  Our mission is to assist our clients in the management, development, and implementation of their national security programs, practices, and policies, with a special interest in homeland and cyber security.

CGA’s senior leadership has been working on cybersecurity policy for some of the largest end users for governments, NGOs, and corporations for a combined 100+ years of experience.  Through client work and numerous positions on advisory boards, the team has served as cyber consultants for a host of entities from the President of the United States to local governments such as Cook County, Illinois. Learn more at: www.cambridgeglobal.com

###