PRESS RELEASE: Cambridge Global CEO Jake Braun Honored with Multiple Cybersecurity Excellence Awards

March 6, 2018 (Washington, DC)This past month CEO of Cambridge Global Advisors (CGA) Jake Braun was named recipient of three awards for his work in raising awareness around cyber threats facing U.S. democracy and election infrastructure, such as those attempted by Russia during the 2016 elections.  

One of the cyber industry’s most coveted programs, the 2018 Cybersecurity Excellence Awards annually honor individuals and companies that demonstrate leadership in information security. With over 400 entries, Braun was nominated and won respective honors in all categories for which he was nominated:

The Cybersecurity Excellence Awards specifically recognized Braun’s work with DEFCON – the world’s largest, longest-running hacker conference – where Braun led the creation of DEFCON’s first-ever Voting Machine Hacking Village. The Village assembled more than 25 pieces of election equipment including voting machines and pollbooks still widely used in U.S. elections today and made them accessible to thousands of hackers who were encouraged to test the technology and expose cyber vulnerabilities for educational purposes.

Commenting on the honors, Braun said: “I am deeply proud of these awards, which, to me, demonstrate that election security isn’t just a hacker thing. The 2018 elections are getting underway, and it’s critical we approach this issue as the national security concern it is.  We must do all we can to protect the vote – and our democracy – from foreign enemies that want to sow discord and distrust.”

Beyond his work with DEFCON, Braun has partnered with institutions and organizations including the University of Chicago and the Atlantic Council to focus on forwarding of policies and best practices that will help election administrators better safeguard the vote from cyberattacks in 2018 and beyond. In October, Braun worked with the Atlantic Council to release an award-winning report about the DEFCON Voting Village’s findings. This report is still being used by U.S. national security leaders to inform new policies to secure the critical infrastructure of the U.S. election system.

###
Cambridge Global Advisors is a strategic advisory services firm with deep expertise at the global, national, state and local levels. CGA assists clients in the management, development, and implementation of their programs, practices, and policies – with a special emphasis on homeland and cybersecurity. CGA works with government, non-profit organizations, and Fortune 500 companies to provide consulting and project management services as well as public diplomacy, stakeholder engagement, and communications.  To learn more, visit www.cambridgeglobal.com or follow on Twitter at @camb_global

NYTimes: Russia Sees Midterm Elections as Chance to Sow Fresh Discord, Intelligence Chiefs Warn

This article citing CGA Principal Douglas Lute appeared in the New York Times, February 13, 2018.

WASHINGTON — Russia is already meddling in the midterm elections this year, the top American intelligence officials said on Tuesday, warning that Moscow is using a digital strategy to worsen the country’s political and social divisions.

Russia is using fake accounts on social media — many of them bots — to spread disinformation, the officials said. European elections are being targeted, too, and the attacks were not likely to end this year, they warned.

“We expect Russia to continue using propaganda, social media, false-flag personas, sympathetic spokespeople and other means of influence to try to exacerbate social and political fissures in the United States,” Dan Coats, the director of national intelligence, told the Senate Intelligence Committee at its annual hearing on worldwide threats.

Mr. Coats and the other intelligence chiefs laid out a pair of central challenges for the United States: contending with the flow of Russian misinformation and shoring up the defenses of electoral systems, which are run by individual states and were seen as highly vulnerable in 2016.

“There should be no doubt that Russia perceives its past efforts as successful and views the 2018 U.S. midterm elections as a potential target for Russian influence operations,” said Mr. Coats, testifying alongside Mike Pompeo, the C.I.A. director; Christopher A. Wray, the F.B.I. director; and other leading intelligence officials.


“Throughout the entire community, we have not seen any evidence of any significant change from last year,” Mr. Coats said.

The warnings were striking in their contrast to President Trump’s public comments. He has mocked the very notion of Russian meddling in the last election and lashed out at those who suggested otherwise.

Mr. Trump has not directed his intelligence officials to specifically combat Russian interference, they said. But Mr. Pompeo said that the president has made clear that the C.I.A. has “an obligation, from the foreign intelligence perspective, to do everything we can to make sure there’s a deep and thorough understanding of every threat, including threats from Russia.”

Russia appears eager to spread information — real and fake — that deepens political divisions. Bot armies promoted partisan causes on social media, including the recent push to release a Republican congressional memo critical of law enforcement officials.

The bots have also sought to portray the F.B.I. and Justice Department as infected by partisan bias, said Senator Mark Warner of Virginia, the top Democrat on the intelligence committee.

“Other threats to our institutions come from right here at home,” he said. “There have been some, aided and abetted by Russian internet bots and trolls, who have attacked the basic integrity of the F.B.I. and the Justice Department. This is a dangerous trend.”

Russia does not, however, appear to be trying to penetrate voting machines or Americans’ ballots, United States officials said.

“While scanning and probing of networks happens across the internet every day, we have not seen specific or credible evidence of Russian attempts to infiltrate state election infrastructure like we saw in 2016,” Jeanette Manfra, the chief cybersecurity official at the Department of Homeland Security, said in an interview last week.

Right now, Mr. Pompeo said, Russia is trying to focus on what are known as influence operations — using social media and other platforms to spread favorable messages — not hacking.

“The things we have seen Russia doing to date are mostly focused on information types of warfare,” he said.

Intelligence officials and election-security experts have said both the states and federal agencies have made significant progress in addressing voting system vulnerabilities since 2016, when state-level officials could not even be warned of attacks because they lacked the necessary security clearances.

 

The intelligence community was focused on gathering information about potential attacks and then sharing it with local and state election officials, Mr. Coats said during the hearing.

Mr. Coats called Moscow’s meddling “pervasive.”

“The Russians have a strategy that goes well beyond what is happening in the United States,” he said. “While they have historically tried to do these types of things, clearly in 2016 they upped their game. They took advantage, a sophisticated advantage of social media. They are doing that not only in the United States but doing it throughout Europe and perhaps elsewhere.”

Mr. Pompeo was also asked about reports last week by The New York Times and The Intercept that American intelligence agencies spent months negotiating with a Russian who said he could sell stolen American cyberweapons and that the deal would include purportedly compromising material on Mr. Trump. The negotiations were conducted through an American businessman who lives in Europe and served as a cutout for American intelligence agencies.

Mr. Pompeo called the reporting “atrocious, ridiculous and inaccurate” and said the C.I.A. had not paid the Russian. The Times, citing American and European intelligence officials, said only that American spies had paid the Russian $100,000 for the cyberweapons using an indirect channel. Those weapons were never delivered. The Russian did provide information on Mr. Trump, which intelligence agencies refused to accept and remains with the American businessman.

“Our story was based on numerous interviews, a review of communications and other evidence. We stand by it,” said Dean Baquet, the executive editor of The Times.

Mr. Pompeo did appear to acknowledge the operation itself, saying that “the information that we were working to try and retrieve was information we believed might well have been stolen from the U.S. government.”

He and the other intelligence chiefs, including Adm. Michael S. Rogers, the departing director of the National Security Agency, also addressed the slew of other threats they see facing the United States. They cited North Korea’s nuclear program, Islamist militants in the Middle East and even illicit drug trafficking, especially the smuggling of cheaply made fentanyl, a powerful opioid responsible for thousands of deathseach year.

But as has been the case for years, the intelligence leaders presented cyberactivities of rival nations and rogue groups as the foremost threat facing the United States. They warned that such risks were likely to only grow, citing China, Iran, North Korea and Russia, along with militant groups and criminal networks, as the main agitators.

To ease the flow of information, the Department of Homeland Security is trying to get at least one election official in each state a security clearance. To date, 21 officials in 20 states received at least interim “secret”-level clearances, Ms. Manfra said in the interview.

The federal government is also working to provide states with enhanced online security “to ensure the American people that their vote is sanctioned and well and not manipulated in any way,” Mr. Coats said.

Homeland Security has added 32 states and 31 local governments to a system that scans internet-connected systems in the federal government every night for vulnerabilities, offering weekly reports and fixes to any issues they find, Ms. Manfra said.

Specialists also spend weeks auditing cyberdefense systems in both federal agencies and state elections offices, and last month, the department decided to prioritize requests for the latter to ensure that they get done swiftly, she added.

Virtually every state is taking steps to harden voter databases and election equipment against outside attacks and to strengthen postelection audits. When the National Association of Secretaries of State holds its winter meeting this weekend in Washington, half of the sessions will be devoted wholly or in part to election security.

New standards for voting equipment were approved last fall that will effectively require manufacturers to include several security improvements in new devices. States are moving to scrap voting machines that do not generate an auditable paper ballot as well as an electronic one; Virginia has decertified most of its devices, Pennsylvania has declared that all new devices will produce paper ballots, and Georgia — a state whose outdated equipment produces only electronic voting records — has set up a pilot program to move to paper.

But a host of problems remains. Roughly one-fifth of the country lacks paper ballots, and replacing digital-only machines costs millions of dollars. Federal legislation that would allot funds to speed up the conversion to paper is crawling through Congress.

Many experts, meanwhile, believe that Russian meddling in the presidential race was but a foretaste of what is to come — not just from the Kremlin, but also from other hostile states and private actors.

“Russia learned a lot last year in what really, I think, can be seen as a series of probing attacks,” Douglas Lute, a retired Army lieutenant general, deputy national security adviser to President George W. Bush and ambassador to NATO under President Barack Obama, said in an interview. “I think we should expect that they learned and they’re going to come back in a much more sophisticated way.”

Commentary: Firewalling Democracy: Federal Inaction on a National Security Priority

This piece originally appeared in The Hill, January 31, 2018.

January marked the first anniversary of the U.S. Department of Homeland Security’s designation of elections as “critical infrastructure,” placing them into the category of other physical or virtual sectors — such as food, water and energy — considered so crucial that their protection is necessary to our national security. Naming “elections” as a critical infrastructure sub-sector was a key action taken by then-Secretary Jeh Johnson following an Intelligence Community report about ways Russia sought to meddle in the 2016 elections via a variety of hacking tactics aimed at election offices, voter databases and our larger digital democracy.

At the time, I was serving as DHS Under Secretary for Intelligence and Analysis — and I was encouraged greatly by the critical infrastructure move. Voting administration is a state and local responsibility, but these entities often are overburdened, under-resourced and not exactly versed in Kremlin-based cyber crimes. The announcement reflected a new reality that election security is national security — and it provided enhanced capabilities for the feds to coordinate on election cyber threats.

However, since that optimistic moment 13 months ago, there has been unwillingness at the highest levels of the federal government to act.

On Capitol Hill, it’s taken a year for the Secure Elections Act (S. 2261), to be introduced. Although a positive first step toward ensuring that states have grants and other support to protect their voting systems, the bill’s future is unclear beyond the six bipartisan co-sponsors backing it.

At DHS, scores of mid-level staff — especially within the National Protection and Programs directorate — are working to answer state and local election officials requesting cyber assistance, while at the same time gathering what limited resources exist to prepare for 2018.  But these folks are operating minus top cover from the White House or other cabinet-level leaders, many of whom continue to eschew that Russia is a concern altogether.

As I consider possible reasons for this federal lack of leadership, it appears the fear of attaching oneself to the politics of the past election — rather than tackling the real challenges of the upcoming one — emerges as the most plausible explanation.

For one, it’s not for lack of threat. The vulnerabilities within our democratic infrastructure are deepening every day. In June, DHS announced that voting systems and registration databases in at least 21 states had been the aim of Russian hacking attempts in 2016. Last fall, across the pond, the Brits laid claim that the same Russia-based Twitter accounts that targeted the 2016 U.S. election also employed divisive rhetoric to influence the Brexit referendum. Even as recently as November, news emerged that Russian bots flooded the Federal Communications Commission’s public comment systems — an important democratic forum for Americans to voice opinions — during the net-neutrality debate, generating millions of fake comments.

Federal procrastination is also seemingly not tied to lack of pressure. It is true that DHS’s initial offers for cyber assistance were not embraced by state and locals in past elections. But since last year, there’s been a backlog of requests pouring in. Meanwhile, local election directors such as Cook County, Illinois’ Noah Praetz, have taken it upon themselves to develop election cybersecurity plans, despite no federal backing. Even the hacker community — traditionally allergic to Washington — has been raising the alarm on election security. For example, DEFCON, the world’s largest hacker conference, held an educational voting machine hacking demonstration last summer to show how susceptible election equipment is to cyber attack.

Finally, I surmise absent response is not a factor of the arduous process that is federal policymaking. Historically, when a national security threat to America is imminent, I’ve seen leaders act swiftly, honorably and without regard for politics. In this case, we have waning time to act: The 2018 election season is weeks away with primaries starting in March in Illinois and Texas. And when it comes to Russia’s goal of undermining democracy, they’re not likely to take this cycle off. Indeed, they will most likely apply the lessons of 2016 with a more calculated approach.

After 47 years in working in national security — much of that spent in the military and federal government — I respect the evolving threats facing democracy today. Yet the urgent work at the state and local level to prepare for future elections will be insufficient if it is not fully matched and funded by the federal government.

With new leaders, including DHS Secretary Kirstjen Nielsen, assuming the helm, this is a moment to choose national defense over politics. A window, albeit closing, exists to support state and locals — along with mid-level civil servants — focused on the problem.

In the vital cause to reassure Americans that their democracy can withstand outside attacks, our enemies are counting on political division and chaotic discourse. I encourage leaders at every level to leverage the best of our national security resources, unite and then prove them wrong.

Francis X. Taylor, a senior advisor at the security consulting firm Cambridge Global Advisors in Washington, is the former under secretary for intelligence and analysis at the Department of Homeland Security. He also served as the former head of diplomatic security with the State Department and is a retired U.S. Air Force brigadier general.

IN-THE-NEWS: Feds Team with Foreign Policy Experts to Assess US Election Security

This article originally appeared in Dark Reading, January 18, 2018.

Expert panel lays out potential risks for the 2018 election cycle and beyond

Speaking at a panel on election security in Chicago last night, Douglas Lute, former US Ambassador to NATO, said he remains very concerned that Russian interference in the 2016 elections has eroded the public’s confidence in the election system, the cornerstone of the American democracy.

“What happened in the 2016 election is as serious a national security threat as I’ve seen in the last 40 years,” said Lute. “When you think of events such as Pearl Harbor and 9-11, those are physical attacks and terrible as they are, we can recover from them. But if we lose confidence in the election system, that erosion is more serious.”

The panel discussion, "Secure the Vote," was sponsored by DEF CON, which held a Voting Machine Hacker Village during its August event, and by the Chicago Council on Global Affairs. Also participating were Rick Driggers, deputy assistant secretary at the US Department of Homeland Security's (DHS) Office of Cybersecurity & Communications, and Greg Bales, community outreach coordinator in Sen. Richard Durbin’s (D-Ill.) office. The panel moderator was Jake Braun, cybersecurity instructor at the University of Chicago.

Braun hailed the panel as the first time the executive and legislative branches of government got together to publicly discuss hacking of the US election system.

In September, DHS informed 21 US states that some component of their respective election systems had been targeted by Russian state-sponsored cybercriminals during the 2016 election campaign. According to DHS, no votes were changed and many of the targets experienced only vulnerability scans. Last night’s discussion was held ahead of the nation’s first primaries this March in Illinois and Texas, both of which were among the 21 targeted states. 

Lute kicked off the panel with five points for attendees to consider:

  • Russia is a proven threat. Although President Donald Trump has rejected the validity of reports on election tampering, national security agencies agreed that Russia attacked our election system in 2016 and that it was state-sponsored under the direction of Russian President Vladimir Putin, said Lute.
  • Russia is not going away. President Putin is likely to win another six-year term this year in an uncontested election, and even if something happened to Putin, he would be replaced by a similar figure who will look to expand on global election hacking efforts, said Lute.
  • Other nation-states are potential threats. It’s clear that other nations such as China, Iran and North Korea have the capability to hack into our elections and other critical businesses and infrastructure.
  • Time is short. The election cycle of 2018 is a short two months away and the 2020 Presidential race is just around the corner.
  • Our allies are vulnerable. Other countries' elections are already experiencing cybersecurity incidents, like the data breach that hit French president Francois Macron days before the election. 

The DHS’s Driggers said DHS is available upon the request of state and local governments to provide security services such as technology assessments, information sharing and basic cyber hygiene. He said in early January 2017, DHS identified the US election system as part of the nation’s critical infrastructure, putting it on the level of our IT, defense, energy, and financial services systems.

"It's definitely a priority in our planning," Driggers said. "We realize that US elections are run by local election officials and our efforts are primarily to support state and local efforts."

On the legislative front, Bales said Sen. Durbin is working hard to support the Secure Elections Act, a bill sponsored by Sen. James Lankford (R-Okla.) and Sen. Amy Klobuchar (D-Minn.) that seeks to protect against foreign interference in future elections.

"Voting is a bi-partisan American issue, so we have to make sure outside actors like Russia are not involved," Bales said.

As for potential solutions, Lute offered three suggestions: get the entire election system off the Internet; protect the state voter registration databases; and create an audit trail by using optical scanners to track individual paper votes.

Most of Lute’s suggestions are based on the Election Security Plan developed by Noah Praetz, director of elections with the Cook County Clerk’s Office. Praetz’s plan represents the first known formal response by a local government to reported US election hacking in 2016.

Many cybersecurity researchers also called for paper voting or systems that use optical character readers to generate voter-verified paper trails after two (decommissioned) voting machines were hacked within 90 minutes during DEF CON's Voting Machine Hacker Village in August

In-The-News: New York governor wants state pension fund to divest fossil fuel company stocks

This article originally appeared in the New Castle News, December 22, 2017

ALBANY, N. Y. — As Gov. Andrew Cuomo tells it, the state pension fund — the third largest retirement nest egg for public employees in the nation — should sell off its investment in fossil fuel companies that have polluted the environment with products that worsen global climate change.

"That is the energy of yesterday," he told reporters this week after previewing a proposal that he plans to stitch into his Jan. 3 State of the State speech. "It is literally polluting the planet."

The $201.3 billion New York State and Local Retirement System fund, as it is officially called, is managed by state Comptroller Thomas DiNapoli.

As the fund's sole trustee, DiNapoli has resisted earlier calls from green activists for divestment in oil and natural gas companies. He has contended that as a shareholder with a seat at the table he is in a better position to influence corporate behavior than he would be if he sold off the pension fund's stake in those companies.

Cuomo, who has no oversight role over the fund, cast his interest in an avuncular way, suggesting that he wants to "protect the retirement savings of New Yorkers." But with the governor poised to seek a third term in Albany in 2018 and leaving the door open for a run for the White House in 2020, the pension fund divestment issue has already triggered speculation that political considerations were a factor in the proposal.

But the governor's move has spawned concerns that a green energy litmus test over investment decisions could end up limiting the fund's growth should Cuomo's prognostications regarding energy sector stocks prove to be flawed.

"The comptroller needs to stick to his guns and understand that his fiduciary responsibility is to the beneficiaries" of the fund, said Christopher Burnham, the former Connecticut state treasurer who served as the sole trustee of the Nutmeg State's pension fund from 1995 to 1997.

"You have to invest these monies cautiously, carefully and wisely, and without allowing a personal agenda to play a role in how you execute your duties," said Burnham, a Republican and native New Yorker who is chairman of Cambridge Global Advisors in Virginia.

DiNapoli and Cuomo are downstate Democrats, though at times the relationship between the two has been chilly. Since Cuomo advanced his pension proposal, the comptroller has avoided arguing with the governor over the issue, instead signaling that he welcomes the "opportunity to partner" with Cuomo via an advisory council aimed at "achieving investment returns."

DiNapoli further stated that while he has "no immediate plans to divest our energy holdings," the New York pension fund has been a leader in advancing climate change goals and is increasing its current stake of more than $5 billion in "sustainable" investments.

"We believe in engagement with companies," DiNapoli said in responding in June to a CNHI inquiry about a push for divestment by a coalition calling itself Elected Officials to Protect New York.

Republicans lost no time in accusing Cuomo of meddling in an arena where they say he has no business.

“The public pension fund does not exist so Andrew Cuomo can use it to build a campaign platform for a presidential run," said Assembly GOP Leader Brian Kolb, who has announced he is a candidate for governor.

By taking on the fight for divestment, though, Cuomo may be choosing a pathway that could put octane into any future run for the presidency, said Harvey Schantz, the chairman of the political science department at the State University at Plattsburgh.

"Running for governor in New York state and running for the Democratic nomination for the presidency present overlapping opportunities," Schantz said. "You have to show liberal bona fides and you have to show executive ability. First, he has to get re-elected as governor. But by staking out liberal positions, he could be helping himself in New York and also helping himself win the Democratic nomination."

In advancing his proposal, Cuomo pointed out that the World Bank plans to stop financing gas and oil exploration projects, and the Norwegian sovereign wealth fund is already shedding its fossil fuel investments.

While it is DiNapoli who calls the shots at the pension fund, Cuomo is not out of line in suggesting that its portfolio mix be shuffled in ways that promote greater reliance on renewable energy, said Larry Levy, a longtime observer of New York politics and director of the National Center for Suburban Studies at Hofstra University,

Levy suggested that Cuomo has been steadily building his record as an advocate for expanded use of solar and wind energy and is the architect of the state's policy to have the state's energy diet include no less than 50 percent renewable energy by 2030. The Cuomo administration, he added, has also kept the gas drilling technique known as hydraulic fracturing from being introduced in New York.

"He can't be accused of posturing on this issue because he has gone all-in on reducing the reliance of fossil fuels in a big way," he said. "It's not as if he has suddenly discovered an issue and is coming out to please a certain constituency."

As to the speculation that Cuomo is preparing a White House run, Levy said, "2018 is 2020. If a U.S. senator or governor doesn't knock it out of the park in his home state in 2018, then he or she is going to drop precipitously on any list for any national election."

Commentary: Pensions should avoid politics and invest for the benefit of our workers

This OpEd authored by Cambridge Global Chairman, Christopher Burnham, originally ran in the The Hill, December 10, 2017.

Why do public fiduciaries think they should impose their political agenda on other people’s retirement benefits? Is not the standard of care to manage public retirement funds with the highest return at the lowest reasonable risk? With more than 50 percent of all state pension funds significantly underfunded and at least five states, including my native Connecticut, facing immanent bankruptcy due to grossly unfunded state employee and teacher pension systems, why would both beneficiaries and taxpayers, who will be forced to makeup those liabilities, want to politicize the management of the money? As I will also be a beneficiary in a few years, please manage the money without a political agenda.

When I was elected state treasurer of Connecticut in 1994, I inherited the worst performing state pension system in America for the previous 10 years. Within the first six months we fired the vast majority of money managers and indexed 75 percent of the portfolio. Yet, I was attacked for holding tobacco stocks in the portfolio, by virtue of the fact that we owned an S&P 500 stock index fund. I refused to play politics with the pension, particularly after 10 years of politics had relegated pension fund performance to the gutter. Instead, we focused on the highest return at a reasonable risk, and performance skyrocketed from dead last to the top 25 percent in the country, overnight.

Now a new era of activists, without any regard to fiduciary responsibility, is injecting politics into pension systems, yet again, by trying to make states, counties and municipalities across the country divest of shares in energy companies. Why would we seek to undermine the integrity of a secure retirement for our teachers and government employees? If they, individually, want to invest in activist funds, they should force states to move to a system similar to the U.S. government employee retirement system, or to a full or partial defined contribution system, such as Rhode Island recently did. Then retirees can make decisions for themselves.

However, to force a political agenda to be shoved into the investment of their retirement accounts is wrong, and a clear violation of fiduciary responsibility. Moreover, if you divest from energy investments, where do you stop? If you remove energy companies, why not remove fast food companies? How about booze, gambling and producers of sugary drinks? As a combat veteran, I am very grateful for the strength of our American defense industry and believe we should invest more in defense companies. Would everyone else agree with me?

Additionally, pressure is mounting on banks. Recently, U.S. Bank, the leading provider of financial products and services to the federal government for over 30 years, has ceded to these activist groups and announced radical changes to corporate policies, including ceasing its investments in energy infrastructure. Its management announced that U.S. Bank plans to stop providing construction for energy pipelines, although it has not announced that that it will no longer service the major railroad carrier, which carry all of the coal Minnesota uses to produce over 30 percent of their electric energy needs. Fiduciary responsibility also means responsibility to shareholders.

We must not allow individual political and ideological agendas to break the special trust and confidence our government and teacher retirees should have in those who are elected or appointed to be the fiduciaries of retirement systems across our country. Unless mandated by law, such as owning shares in companies doing business in North Korea, there is no room for ideological agendas in the management of other people’s money, particularly our teachers and government employees.

Christopher B. Burnham is the former state treasurer of Connecticut, where he was sole fiduciary of the $16 billion Connecticut pension system, and former undersecretary general of the United Nations, where he was sole fiduciary of the $42 billion United Nations pension system. He is now chairman of consulting firm Cambridge Global Advisors.

IN-THE-NEWS: CGA's Doug Lute tells USA Today about the national security implications of protecting our election infrastructure

This piece originally appeared in USA Today, December 7, 2017

Illinois' most populous county has a plan to keep hackers out, after the state's voter registration list was breached during last year's presidential race. There's one big sticking point: the money. 

The director of elections for Illinois' Cook County and a group including Ambassador Douglas Lute will present a strategy to bolster U.S. election systems' defenses against foreign intruders on Thursday. 

That roadmap comes with a request for the federal government to fund their plan, underlining a hurdle for many municipalities as they head into the 2018 midterm and 2020 presidential elections.

While last year's general election made clear the voting system was vulnerable to hackers, and the federal government has instructed the nation's 9,000 election officials to make their voting rolls safer, many municipalities lack funding to make these changes. 

The last time there was significant federal funding for election infrastructure at the local level was the Help America Vote Act of 2002, passed in the aftermath of the controversy surrounding the 2000 president election recount. That resulted in almost $3 billion in funds for new voting equipment

"For a relatively modest investment it seems to me that we can shore up the system significantly," Noah Praetz told USA TODAY.

His five-page plan, sponsored by Cook County Clerk David Orr and being presented at the University of Chicago's Harris School of Public Policy, is part of a broader effort by an ad hoc bipartisan group working to strengthen the U.S. election system after Russian intrusions during the 2016 U.S. presidential race. It calls on the federal government to aid states, laying out a list of 20 defense tactics election officials can take to protect election integrity.

"Make no mistake, this will be a painful and expensive undertaking," it reads.

Just how expensive isn't known. The U.S. election system is highly decentralized. Each jurisdiction has different staff, equipment and funding and must deal with differing local and state regulations governing elections.

For Cook County, which is responsible only for county-wide elections as the city of Chicago holds its own elections, "it's going to cost many millions." Praetz said he couldn't be more specific because the county is in the middle of a procurement process.

Even hundreds of millions is just "a rounding error of the defense department budget," said Lute, a retired three-star general who served under both Obama and George W. Bush.

"We're buying hard defense for America to the tune of $700 billion a year. And for literally less than one-one-thousandth of that, we could make dramatic inroads to secure our election systems. Which quite frankly may be more fundamental [to our security] than the next fighter plane," he said.

Russia will be back

The problem with Russia, which denied any interference in the U.S. election, isn't going to go away, say election officials. The 2016 attacks were a classic Russian intelligence military operation.

"Initially it is rather clumsy. They probe and they make mistakes and they get found out. But they also learn very quickly. I expect that in 2018 they will be back, with a much more sophisticated and targeted approach," said Lute, most recently the former United States Permanent Representative to the North Atlantic Council, NATO’s standing political body.

2016 was a heads up

The 2016 election was a watershed in terms of awareness about foreign election meddling. No one knows the problem better than Illinois, one of two states where federal authorities say Russian hackers succeeded in infiltrating the election system.

The hackers operated undetected for three weeks, viewing the records of 90,000 voters and, according to the Illinois State Board of Elections, attempted to delete or alter some voter data.

Time is also short. Illinois also is one of two states with the earliest primaries in the county, meaning its voters will go to the polls in March.

The white paper suggests the creation of a national digital network for local election officials to quickly share information about threats and incidents. This is in contrast to 2016, when officials in 21 states only learned they'd been targeted almost a year after the fact.

Next, every local and state election official should have a security officer on staff, to deal with these issues. 

The paper then goes on to outline a standard list of the things any company would implement to protect the security of its networks, but which election officials have overall been slow to roll out because of a lack of funding, knowledge and awareness of the dangers.

The final suggestion is the idea that every election jurisdiction needs to come up with a plan about how it will recover if it is hacked. That could mean paper backups of voter registration lists, storing paper ballots or saving digital scans of ballots.

"If we detect breaches and recover from them quickly, we will survive. And so will our democracy," the paper says.  

PRESS RELEASE: Cambridge Global Advisors CEO Jake Braun Receives O’Reilly Defender Award for Elevating U.S. Voting Infrastructure Cybersecurity Concerns

November 3, 2017 (New York, NY) – This week, CEO of Cambridge Global Advisors (CGA) Jake Braun was awarded the O’Reilly Defender Award for Research at the annual O’Reilly Security Conference in New York City.  The award “celebrates those who have demonstrated exceptional leadership, creativity, and collaboration in the defensive security field.” It was given to Mr. Braun for his recent contributions in the “Voting Machine Hacker Village” at DEFCON and for increasing awareness around cyber threats and vulnerabilities in U.S. election and voting infrastructure. 

The “Voting Village” was an innovative three-day demonstration (July 27-30, 2017) held in Las Vegas at DEFCON – the world’s largest, longest-running hacker conference – that assembled more than 25 pieces of election equipment including voting machines and pollbooks still widely used in U.S. elections today.  The Voting Village made them accessible to 1000+ hackers who were encouraged to test the technology and expose cyber vulnerabilities for educational purposes. The event’s concept was born out of U.S. intelligence reports regarding Russian attempts to interfere in the 2016 elections and the U.S. Department of Homeland Security’s recent confirmation that voter registration databases in at least 21 states were breached last year. 

Mr. Braun shared the O’Reilly Defender award with several other “Voting Village” colleagues including Matt Blaze (University of Pennsylvania), Joseph Lorenzo Hall (Center for Democracy & Technology), Harri Hursti (Nordic Innovation Labs), Margaret MacAlpline (Nordic Innovation Labs) and Jeff Moss (DEFCON).  Last month, this six-person team released a report on the Voting Village findings. Together, the team has been elevating concerns around vulnerabilities in U.S. election equipment and networks and is currently working to assemble stakeholders critical to invoking policy change at the federal, state and local level ahead of nationwide elections in 2018.

Speaking of the award, Jake Braun said: “The Voting Village was about exposing the weaknesses in our voting systems and finding ways to educate others, especially in light of what we know about Russia’s attempts to hack the 2016 Presidential Election. I am immensely proud of this award, which serves as a recognition that voting security is more than just a cyber or hacker issue. Protecting the vote is indeed a national security imperative that requires our leaders band together to find solutions.”

In addition to his CEO role at CGA, Mr. Braun currently serves as a faculty member at the University of Chicago where he teaches cybersecurity policy. He is also a former White House and Public Liaison for the U.S. Department of Homeland Security and remains an advisor to DHS and the Pentagon on cybersecurity issues.