
Bridging Hackers and Government: Securing America's Water with Jake Braun - Part 2
About This Episode
In Part 2 of our conversation with Jake Braun — co-founder of DEF CON Franklin and former acting Principal Deputy National Cyber Director at the White House — we move from elections to the next front line: America's 50,000 water utilities. Jake explains how the Franklin Project recruits volunteer hackers to harden under-resourced utilities, why water sits roughly where the power grid did 15 years ago, and what it means that Iranian, Chinese, and Russian actors are already inside US critical infrastructure.
The discussion widens into the ethics of volunteer cyber armies after Ukraine, the slow but real cross-pollination between hackers and government, and how Jeff Moss became the first DEF CON founder on a federal advisory board. Jake closes with the unlikely Brussels-bar conversation that pulled him into cyber, and why Benjamin Franklin's "once you're done changing, you're done" still defines the field.

The Franklin Project's Origin and Why Water Matters
Rachael Lyon:
Welcome to the To the Point Cybersecurity Podcast. Each week, join Jonathan Knepher and Rachael Lyon to explore the latest in global cybersecurity news, trending topics, and cyber industry initiatives impacting businesses, governments, and our way of life. Now, let's get to the point.
Speaking of scary, if you will, you know, the critical infrastructure conversation, you know, there's endless discourse on, you know, kind of really the shaky ground there. Right. And just how vulnerable things are. And I read about the Franklin Project, and I would love for you to give our listeners a little bit more about what that is and what it's aiming to do, because I think it's just wonderful.
Jake Braun:
Sure, thank you. So, actually, this comes back from. Or this comes from, you know, I, myself, Harri Hursti, Matt Blaze, and Maggie MacAlpine co-founded the Voting Machine Hacking Village back in 2017. And we. This is actually where we got the idea for the Hackers' Almanack too. We started producing a report the first few years when nobody knew about any of these vulnerabilities and put that out. Got a lot of attention and hopefully drove some positive outcomes. But we also, what a lot of people don't know is recruited a bunch of volunteers from DEF CON to provide free technical assistance to election officials around the country.
Jake Braun:
And in fact, we had election officials, and this was all, you know, under darkness of night and whatever, because none of them wanted to say they were going to DEF CON, who were paying their own way to DEF CON and meeting with some, with hackers in like, you know, back rooms and so on and so forth to, like, get advice on what to do to secure their systems. And we were like, okay, well, we need to do more of this in the water, the water industry in particular. Because, you know, when I left the White House, it was right, right after Volt Typhoon had started, you know, where the Chinese were putting malware across a lot of our critical infrastructure, particularly power and water, and particularly those that support military assets so that they could degrade capability in the event of a war, presumably over Taiwan. And so the energy community has really upped its game in the last decade or so since we started doing the smart grid and all that type of stuff. That kind of necessitated some better security practices. Water is where power was 15 years ago. I mean, you got all this stuff that was kind of connected to a network somewhere, but nobody really knows. Nobody at the water utility really knows what's connected to what.
Jake Braun:
So you got this IT/OT issue. You know, there's 50,000 water utilities in the country, and that's just drinking water. It's like 150 when you include wastewater. And, you know, we talk to these utilities, and it's like, you know, it's some guy or gal who, like, in one place, I remember, they, they also run the 4th of July parade for the, for the town, and they run the water utility. Like, this is what, you know, we're dealing with, you know, and. Right. So no fault on them that they don't know, you know, what a firewall is, you know, or what asset inventory is, blah, blah, blah. So what we've done is put a call out to the, to the DEFCON community to say, hey, anybody who wants to give back, you know, and use your highly unique skill set to do so, we're going to provide some opportunities for you to support, you know, local water utilities and so on.
Jake Braun:
And so we partnered with a group called the National Rural Water Association. I forget the word rural. It's really the National Small Water Association. They support about 85% of the water utilities in the country because again, almost all utilities are very small. And so they're kind of our Sherpa in this world because, you know, the water world is kind of like the hacker world. You know, they have their own language, they have their own. They have their own conferences, they have their, you know, then like, if you're not one of them, people are kind of like, who the hell are you? So NRWA is who kind of brings us in. And so we did some pilots the first year.
Jake Braun:
I think we did five. They all stuck with us. So that was a good sign. And the folks we deployed to, the pilots in the first year all stuck around as well. So, you know, we felt like that kind of proved out our case that, you know, we, that this was kind of going in the right direction. So we've now expanded. I think we're in seven or eight states. We have, you know, several more.
Jake Braun:
A bunch more utilities that are coming online. We're also trying to come up with some more scalable solutions, you know, like looking at things like could we. Could we figure out how to do some sort of an MSSP type offering where we could have volunteers connecting utilities into an MSSP maybe that would be housed under the National Rural Water Association or something like that, so we could provide far more scalable support to many more water utilities all at once. So. So we're looking at new options to be able to scale more quickly because there's just a lot of these folks to get to. And one volunteer on this one, and that one is not going to get there fast enough. The interesting thing, by the way, that I did not see coming, but was so awesome when we first started is what often the kind of archetypical goon is at DEF CON. You know, it's like some guy with like a beard and maybe some ink and you know, you know, in like one of those long like not necessarily ZZ Top, but longer spears, you know, whatever, and kind of some frumpy clothes.
Jake Braun:
So this guy's like mirror image in the water is like who most of these folks who operate these water utilities are. They're like, just think kind of Duck Dynasty. They're like kind of that looking. So it's like the same guy but with like maybe a Patagonia or like knockoff Patagonia thing, the same beard. Like maybe more of a camouflage hat with like blue blockers on, on the top of it or something like that. You know, it's like you put these guys, you're like, you're the same person, just one of you wound up in water and the other one wound up a hacker. It's, it's so funny. But anyway.
Iran, China, and Russia Already Inside US Water
Jonathan Knepher:
Oh, that's a, that's a great comparison. So you've painted the picture of what the, what the attack surface is here and some of the things that are being done. But have you seen evidence that the adversaries are already getting ready here? And like what's our level of panic? What should it be?
Jake Braun:
Oh, I mean, it's not like they're getting ready. I mean they're here, I think. I hate saying it's my first event in the White House because my memory is terrible. So maybe it was one of my first events in the White House was they'd send me up to Pittsburgh to go do an event at a community college there about trying to produce more cyber experts and not having to just use the four year institutions, but community colleges. One of the reasons that Pittsburgh was picked was because the water utility that supports Aliquippa right outside Pittsburgh had just been hacked. By who? The Iranians. And we know that the Iranians attacked multiple utilities around the country. You know, as I mentioned, the Chinese we know via Volt Typhoon and so on, are already deploying malware in these utilities.
Jake Braun:
The Russian hacktivists, which we all know, like kind of, you know, they're hacktivists during the day and they work for Russian intel at night or maybe vice versa. I mean they, they put out videos of like them hacking our water utilities and turning knobs on and off and so on and so forth. So it's not just like they're getting ready. I mean, they're here. And, you know, I'm, I, you know, having worked in government during, you know, some crazy things like the Afghan withdrawal and, you know, the Christmas Day bomber back in 2010 and all these things, I try not to panic. So I would say we do need to be. We can't mess around with this for.
Jake Braun:
And think, oh, well, we'll solve this problem in the next five to 10 years. It's like, you know, the Iranians, I don't know if anybody's read the news recently, but they're kind of pissed off and they, they've already hacked their water utilities. We can only expect them to do more. And we know that if China's going to go into Taiwan in 27 or maybe 28, like, they flat out told us they're going to shut off the water. So, like, we know this is coming and is already here at some level. And like, this is a, you know, in the next couple of years, we've got, we've got to get our arms around this water security or cybersecurity for water in particular.
Ethical Lines for Volunteer Cyber Armies
Rachael Lyon:
Right. I kind of coming back to Ukraine briefly, you know, you remember when, when that first kicked off, you heard a lot about these kind of volunteer cyber armies on both sides. And when we talk about kind of the current state with water and all the geopolitical conflicts in the world, you could see that kind of perhaps becoming something that bubbles up again and comes to the forefront. What's your perspective on that? Because you can't really. I mean, how do you even manage volunteer cyber armies who are ostensibly wanting to do good, particularly on the US side? Because again, then you start getting into the offensive conversation. But again, people want to help, so how can they help in a way that's helpful?
Jake Braun:
Yeah, well, in the, in the case of Ukraine, Jeff talks about this a lot, actually. He was, explained this to me, I don't know, six, eight months ago. I think that, what I forget if it was the FBI or NATO or who put out this thing right after Ukraine when there was all this call to arms for the hacker community that was like, don't do this. It's illegal to do this. You could wind up dead or exacerbating the conflict. Stop, dude, don't do this. That being said, if you're going to do this, here's the things that you can and can't do, you know, like, you can't hack hospitals. I don't care if they're on the Russian side at the front in the war, you cannot hack hospitals.
Jake Braun:
You know, things like that. Like, there are rules of the road, at least for, you know, democratic societies who care about human rights. There are norms. And so, and so they were kind of promulgating and put out, putting out, like, again, don't do any of this if you're going to do it. Here's the things, here's the things that are just, you know, completely off limits. And, you know, I, I think that approach is probably the right one. You know, when, you know what, when you've got authoritarian dictators oppressing, you know, the, the most vulnerable people on our planet, you know, people aren't going to stand for that and they're going to do whatever they can to, to, to try and stop it. And, you know, if you're in Ukraine, you can enlist in the army, but if you're not, then, you know, there's, there's, you know, you seek other things to do.
Jake Braun:
And so I think knowing that people are going to do it whether we like it or not, at least putting out there what is totally off limits, like hacking hospitals, can hopefully help folks operate within the bounds of what's still totally illegal but ethically more acceptable.
Rachael Lyon:
Sure.
Bridging the Hacker-Government Divide
Jonathan Knepher:
So in your almanack, you've called for more engagement between the FBI and the hacker community, especially around things like ransomware attacks. I think it touches on to what, what you were just talking about as well. On, on the activist side. Do you think, do you think the government is listening or, or are these requests being ignored? And if so, why?
Jake Braun:
I mean, I know they're listening because I, I've seen them in the audience when we've talked about it. So. And I've been on panels where, you know, they were there or they were like, right before me or right after me. So I know they've heard it. Whether, you know, they're listening. Listening. I don't know. I think a couple different things.
Jake Braun:
I think this stuff is hard and, and having been in government, you know, doing something like what we're describing is, is a really different way of thinking about how to approach the problem. Like, I'm going to bring in a thousand hackers, that I'm going to make confidential informants, or I'm going to use that authority to have them start going after these ransomware groups and at the same time make sure they don't start World War 3 because they happen to do something to one that is like, you know, actually operating out of the Kremlin. Or, or, you know, China or whatever. And so I, I think them wrapping their head around how to do it is, is, is not a small issue. Like, I know if I were to walk into a room even, even, you know, in my old job, you know, as the number two cyber official in the White House, if walking in a room saying, hey, guys, you know what I think we should do? I think we should bring a thousand hackers in, use this weird authority we have, you know, we'll find a way to pay them, and we're going to have like five people manage this whole project. Like, people would look at me like I had, you know, 12 heads. And so I get that it's hard. I do think though that they, they know that we're not making real progress against this problem that is getting worse, not better.
Jake Braun:
And so whether it's this solution or another one, I do believe folks, at least the folks I used to deal with, because, yeah, I do believe folks are trying to find creative ways to get after this problem. It'll take some doing before they take our recommendation and run with it. But the good news is we have so much more kind of cross pollination between people from the hacker community going into government and government people, you know, being involved in DEF CON and so on, that I, I feel like it's more possible today than it would have been 10 years ago. So I remember when I, so I was the White House liaison to Homeland Security during the Obama administration. And part of your job is you, you manage the boards and commissions of that agency. And so I remember talking to Secretary Napolitano, who was the first Homeland Security secretary under Obama. And you know, you know, each administration goes, and they kind of kick all the previous administration's people off the boards and commissions, they put their new people on. And so she was like, hey, you know, I want to find somebody under 50.
Jake Braun:
She's like, we have no young people on these, on these boards. Find me somebody under 50. And she's like, and by the way, separate comment, you know, we need somebody from the cyber world or whatever. And so I have the staff go, and I'm like, okay, find me. You know, different people met all these different criteria. And, and I'm like, and for the under 50 person, why don't we find, why don't we have that be our cyber person? Because it's, you know, new tech, you know, this, all this stuff was, was certainly new to policymakers back then back in like 2009. And one of the guys comes back, one of the researchers comes back with this picture. And it's this guy, this pasty white guy with jet black hair and a black background and this black T-shirt that says DEFCON in white letters.
Jake Braun:
And I'm like, who is that guy? And. And they're like, oh, that's Jeff Moss. He's the founder of this big hacker conference called DEF CON. I'm like, great, get him on the phone. That's the guy. And. And so they. And Jeff said that he thought we were calling to get, like, discounted badges because I guess the government's always trying to shake them down for cheaper badges.
Jake Braun:
And. And then. And it happened to be me saying, hey, do you want to be on this board? And Jeff was like, he really wanted to do it. You know, he actually has. His degree is actually in criminal justice, his undergrad degree, and he's very committed to public policy issues and so on and so forth, but he's like, oh, God, the community's gonna blow up when I say I'm doing this. But I. But I really do want to do it. And then we had all these fights internally about, you know, our lawyers, like, you can't put a hacker on.
Jake Braun:
On one of our official boards. Oh, my God, all this blah, blah, blah. And to Napolitano's credit, she was like, wait, hold on. Has this guy broken any laws? And they're like, no. She's like, has he been arrested? They're like, no. She's like, then do it. Put him on. It's reputational risk not to have a hacker on one of our boards, you know, so, you know, good on her.
Jake Braun:
But anyway, so. But that was really one of the first times you saw somebody from this community coming in at, like, a relatively senior policy position. Like, he wound up co chairing a few different, like, pretty influential committees that we had and so on. Now it's far more commonplace to have folks kind of going back and forth. You know, Bob Lord, for example, is a great example. Great example. Josh Corman, you know, did a stint in CISA and, you know, has been in the DEFCON community forever. There's a whole host of folks like that.
Jake Braun:
So I do think that with this cross pollination. Sorry, I went down a rabbit hole here. But I do think with this cross pollination, we're getting more than ever solutions like this, bringing in hackers and creative ways to help the FBI and others get after the ransomware problem as well as others, you know, are far more likely in the future.
How to Get Involved and Jake's Path to Cyber
Rachael Lyon:
So for those of our listeners who are, you know, basically inspired. Right. I Know, I'm inspired when I read about Franklin, I was so stoked to hear that that was happening. I suspect there's a lot of folks out there that want to get involved, that want to get engaged. How would you suggest they get started?
Jake Braun:
Well, first off, just go to the Franklin website or, I mean, you can Google us, so we're easy to find. Just Google DEF CON Franklin and sign up, you know, send us a message or whatever. Secondly, you know, one of our biggest challenges actually, with this water thing, you know, as I mentioned before, you know, this. It's this own. They're their own subculture, just like hackers are their own subculture is even within rwa, just kind of getting these folks at these water utilities to understand there's a problem. And it's not because they're dumb. It's just this is what they do for a living. Like, they have no reason to know that this.
Jake Braun:
You know, they often say, like, why would the Chinese care about me? And. And it's like, well, you see that. That factory down the. Like, that makes ball bearings for, like, you know, the F35 or whatever, you know, or like, oh, you know, that thing they're putting in over there, that's a data center for Anthropic, you know, or. Or whatever. But they don't. I mean, they don't know, and we shouldn't expect them to. So anyway, one is sign up and reach out to us.
Jake Braun:
Number two is in your local community, like, if you have a relationship or know somebody who knows your mayor, who knows a city council person who knows somebody at the water utility or whatever, who can say, hey, what are you guys doing around cyber? You know, if you could. If you could get free help from, like, highly qualified people, would you take it? And if so, we're happy to help. Help you figure it out. And then let us know, and we have a whole process we'll, you know, work on, you know, making it kind of formalized and easy for them to take the help and so on and so forth. But, yeah, the other thing is, you know, call your. Your local government and ask them what they're doing on cybersecurity around water and see if they'll take the help and then tell us and. And we'll help you help you, you know, support your own community.
Rachael Lyon:
That's fantastic. I know we're coming up on time, Jake, but I do like to kind of wrap up all of our conversations with a bit of a personal question, if you will. And as you kind of referenced earlier, you know, someone with a criminal justice background who, you know, defcon. We find that the road to cyber is always quite an interesting one for people and not always a linear path. And I'd be curious on how you got to this place in time.
Jake Braun:
So Jane and I are sitting at a bar in Brussels to celebrate passing this big data sharing agreement with the European Union. I think she's having a glass of wine, I'm having a beer, and she looks at me and says, hey, Jake, you know, the. The White House has said that they want me to. To take over running cybersecurity at DHS. You know, this is before CISA and everything else. And she's like, and I'd like you to help me with it. And I said, ma'am, I can't spell cyber security. And she says, well, that's okay. Nobody else in public policy knows anything about cyber either. We'll have a bunch of technologists explain it to us. And I said, okay. And that's how I wound up in cyber.
Rachael Lyon:
That's fantastic. That's fantastic. And so much has changed in that time. It's crazy to think that's why I stay in cyber. I don't know about you, but I love it. Every day is a new day, and you're always learning something new. I just. I can't speak highly enough of it for those that may be looking to enter this world.
Rachael Lyon:
It is a lot of fun and sometimes scary.
Jake Braun:
Yeah. You know, one of the things. Yeah. I mean, the great thing about it, as we said at the beginning with AI and everything, you know, it's a. It's an industry that is always changing. You know, it's. There's always some new crazy thing we're dealing with, some new innovative way the bad guys have figured out how to mess with us and so on and so forth, and what. You know, it keeps you young, it keeps your brain working. You know, as I think Benjamin Franklin had this great quote, which is, once you're done changing, you're done. And I really take that to heart. And cyber gives you an opportunity to kind of reinvent yourself over and over and over again, because the threats and the technology just constantly change.
Rachael Lyon:
Really does, so quickly. It's fun trying to keep up, keeps it always challenged, but it's wonderful. So, Jake, I want to thank you for your time today. This has been wonderful. Really appreciate your insights, and thank you for all the work you're doing. Like I said before, when I read about the Franklin Project, I was just. I was like, thank you. It's wonderful that people like you and others are out there want to help where they can.
Rachael Lyon:
Right. There's so much we can do when we kind of come together in terms of the changes we can make. So thank you. Thank you for that. And to all of our listeners out there, thanks again.
Jake Braun:
Well, thank you guys for. What are you doing?
Rachael Lyon:
Yeah. Thank you. And John, what do we like to tell our listeners to do every single week?
Jonathan Knepher:
Smash that subscribe button.
Rachael Lyon:
And you get a fresh episode every single Tuesday. So until next time, everybody stay secure. Thanks for joining us on the To the Point Cybersecurity Podcast, brought to you by Forcepoint. For more information and show notes from today's episode, please visit forcepoint.com/podcast and don't forget to subscribe and leave a review on Apple Podcasts or your favorite listening platform.
About Our Guest

Jake Braun, Executive Director, Cyber Policy Initiative, University of Chicago, and Former acting Principal Deputy National Cyber Director, The White House
Jake Braun is Executive Director of the Cyber Policy Initiative at the University of Chicago Harris School of Public Policy and CEO and Co-Founder of Cambridge Global Advisors, a national security consulting firm. He most recently served in the White House as acting Principal Deputy National Cyber Director. Prior to that role, Mr. Braun was appointed by the President as Senior Counselor to the Secretary of the Department of Homeland Security. Mr. Braun is the author of Fentanyl: Fighting the Mass Poisoning of America and the Cartel Behind It (Bloomsbury, 2025), and Democracy in Danger: How Hackers and Activists Exposed Fatal Flaws in the Election System (Rowman & Littlefield, 2019).
Mr. Braun’s career has spanned a litany of modern hybrid threats facing America, from counter terrorism to cybersecurity to election interference, fentanyl, cartels and AI security. While at the White House, he oversaw implementation of the National Cybersecurity Strategy, including efforts to secure our water systems, modernize the federal cyber workforce, enhance cyber cooperation with allied nations, and develop AI security policy. During his most recent tour at DHS, he advised on multiple cross-cutting initiatives to mitigate hybrid threats. He helped spearhead the first DHS-wide counter-fentanyl strategy and worked on the National Security Council team that developed the first U.S. government-wide counter-fentanyl strategy. He also helped lead the effort to resettle nearly 150,000 Afghan allies during the withdrawal from Afghanistan.
In 2009, Mr. Braun was appointed by President Obama as White House Liaison to the Department of Homeland Security. He was instrumental in the effort to gain passage in the European Parliament of the largest data-sharing agreement in history between the United States and the European Union to combat terrorism. In addition, before his tenure as White House Liaison, Mr. Braun served on the Presidential Transition Team for the Obama Administration as Deputy Director for the National Security Agencies Review.
In addition to his role at the University of Chicago, Mr. Braun co-founded the DEF CON Voting Machine Hacking Village. In that capacity, he co-authored two award-winning reports on election interference: the DEF CON 25 and 26 Voting Village Reports. Most recently, he partnered with DEF CON, the world's largest and longest-running hacker conference, to launch “Franklin,” a program to memorialize the most innovative and impactful findings from DEF CON in the annual “Hackers’ Almanack.” “Franklin” also recruits cyber volunteers to support underresourced water utilities.
Mr. Braun began his career in politics and journalism. He has worked on five presidential campaigns and, separately, as a journalist for newspapers in Illinois and Taiwan. He holds an MA in International Relations from Troy St. University, an MA in Secondary Education from National-Louis University, Chicago, and a BA in Philosophy from Loyola University of Chicago.