
Bridging Hackers and Government: The Digital Arsenal of Democracy, with Jake Braun - Part 1


About This Episode

Jake Braun has built his career bridging two worlds that rarely speak the same language: the U.S. government and the hacker community. In Part 1 of this two-part conversation, the Executive Director of the University of Chicago's Cyber Policy Initiative and former Acting Principal Deputy National Cyber Director walks us through the latest DEF CON Hackers' Almanack and explains why the gap between policymakers and technologists keeps widening. 

From AI systems now placing in the top 10% of capture-the-flag competitions to mesh networks built for Taiwan, DNA-based cultural preservation, and what Braun calls the Digital Arsenal of Democracy, this episode digs into the creative work happening at the edges of cybersecurity. The conversation closes on the urgent absence of AI security standards and what a multi-stakeholder fix would actually look like.

Want to explore further what we talked about in this episode? Check out DEF CON Franklin and the Harris School of Public Policy at the University of Chicago.


      [00:00] Welcome, Jake Braun

      Rachael Lyon:
      Hello, everyone. Welcome to this week's episode of To The Point Podcast. I'm Rachael Lyon, here with my co-host, Jon Knepher. Jon, hello. Hello.

      Rachael Lyon:
      Can you believe it is May when this is airing?

      Jonathan Knepher:
      You know, time just keeps going by faster and faster.

      Rachael Lyon:
      It's weird. I've been reading a lot about, you know, kind of neuroscience and neuroplasticity, and it was saying our brains make. It seems like time goes faster for our brains because we already kind of know all the things, right? Versus when you're younger, it feels like it's going so slowly, and it's because you're learning all these new things. So I don't know what that means. I guess, do I, do we need to start learning new things? The time feels like it's going more slowly. I don't know.

      Jonathan Knepher:
      Definitely need to spend as much time continuing to learn new things. I agree.

      Rachael Lyon:
      I'm trying. Just got to find the time. Just got to find the time. So, everyone, I am so excited to welcome to the podcast today Jake Braun. He is the Executive Director of the Cyber Policy Initiative at the University of Chicago Harris School of Public Policy. He's also the CEO and co-founder of Cambridge Global Advisors, a national security consulting firm. He most recently served in the White House as Acting Principal Deputy National Cyber Director. And prior to that role, Mr. Braun was appointed by the President as Senior Counselor to the Secretary of the Department of Homeland Security. He's also a published author, including the 2019 book Democracy in How Hackers and Activists Exposed Fatal Flaws in the Election System. Welcome. Welcome, Jake.

      Jake Braun:
      Thanks for having me. I'm super excited to talk to you all.

      Rachael Lyon:
      This is going to be a fun one. So, Jon, kick us off.

       

      [02:04] Bridging Hackers and Government

      Jonathan Knepher:
      Yeah. So DEF CON is probably one of my favorite events to go to regularly. And, you know, I know that you publish your report every year on that, but talk to us about what it's like living on both sides of the divide between the hacker community and the government.

      Jake Braun:
      Yeah, it's really interesting, you know, because you. They just, you know, people speak different languages. Right. So in the government world, your brain has to kind of shift to a certain kind of code, and then you shift to this other code when you're talking to the hacker community. And to your point about learning new things, I do think it's good for my brain to do that because you don't kind of get stuck in one run or the other. And hopefully, it helps me be able to bring different perspectives to both groups that maybe they wouldn't otherwise hear. And I certainly benefit from it because, you know, the stuff going on in government, it's just such intractable problems. And you know, so, you know, in big, you know, you know, life threatening or, you know, you know, things like that, problems, you know, in the hacker community, you know, it's, it's just some of the most creative, you know, and clever, honestly people that I've ever encountered in my entire life in anything I've ever done, you know.

      Jake Braun:
      And so just being around those two groups with the different problem sets and ways of thinking has been one of the greatest parts of my life for sure.

      Rachael Lyon:
      So kind of bridging those two together once again. In a recent interview, you mentioned that hackers are fed up with the government. You know, there's always been a healthy skepticism, right? Of power, those in power. But kind of, what would you say is kind of driving this enhanced frustration these days?

      Jake Braun:
      Well, I think there's a lot of concern about civil rights and civil liberties. Of course, you know, what, what would. So I think in one of the things you're referring to, you know, we said that the ransomware problem is getting worse, not better. You know, the folks in government are doing the best they can, I believe. You know, there's a group at the FBI that spends an enormous amount of time on this, but you know, there are a few dozen people, you know, so it's just not, it's not nearly enough to go after all these ransomware groups. And so we called for bringing in the hacker community as confidential informants to help the FBI go after these groups. And of course, you know, we hear a lot of pushback, saying, well, okay, we're happy to help the government go after ransomware groups, but what else are they going to use us for? They're going to use us to go after migrants. Are they going to use us to go after, you know, political dissidents? Are they going to, you know what? And so, you know, I certainly understand the concern, and one of the things that I, that can be both frustrating to deal with, but I also truly love about the hacker community is they're, they have a near obsession with privacy.

      Jake Braun:
      And, and they're, they're, anytime you talk about government, they start to wonder, okay, well, what, where does any of my data go if I'm doing something for the government, where does that data go? Like, how long are they keeping it for? What are they doing with it, blah, blah, blah. And so I think there are some very well thought-out and good reasons that the hacker community questions what the government is up to, and the right to do so.

       

      [05:30] The Hackers' Almanack and AI on Offense

      Jonathan Knepher:
      And I think that starts the kind of discussion on your latest Hackers Almanack that came out. Do you want to talk through, like, some of the main things that you've pointed out there and kind of how your Almanack differs from, like, the mainstream kind of enterprise resources that most of our corporate people are normally reading?

      Jake Braun:
      Yeah, so Jeff Moss and I were joking about this the other day. We're like, you know what we don't talk about? We don't talk about public-private partnerships, we don't talk about information sharing, and we don't talk about workforce, because I don't know about you, but any cyber conference you go to, I swear to God, every single corporation that goes up there that paid their, you know, half a million dollars or whatever for a sponsorship and gets to be on a panel or give a speech. Like, I've been going to DEF CON for, you know, well over a decade, actually longer than that. And these other conferences, too. And I could, I can basically read off these speeches before they ever give them at this point, you know, and it's the same speech that I heard in 2012, you know, and at DEF CON, it's not that. It's real hackers who are really finding critical flaws in the technology that powers modern life. And then what we do is we look at that and say, okay, of these things, what's just kind of a clever hack that was really interesting thing that you were able to figure out how to do to the iPhone or to an undersea ship or something like that. Or is it something that has real policy implications for the broader society and government policy, and policymakers, and so on. And so to that end, I think there was a law passed recently that says that you can't say cyber without saying AI in the same sentence.

      Jake Braun:
      So, of course we make AI as the first section because we don't want to wind up in jail or, you know, investigated, whatever. But, but anyway, so, but what I'll tell you is last year we were trying to think about, okay, what is there interesting to say about AI? You know, everybody's blah, blah, blah, you know, saying the same stuff. And so as I'm listening to all these talks, because I go and, you know, we do a bunch of DEF CON, but then I listen to like 20, 30% of the talks after DEF CON, as well as a lot of the team that helped put it together. And. And I was like, oh, my God, these guys are enrolling AI in capture the flag competitions, like hacker competitions. And it's winning, or it's placing in the top 10, 20%, whatever. Like, there's one great story, I think, from a guy from, from Quad, who. He's like, yeah, we, you know, I entered it, I let it run, you know, on its own in this competition.

      Jake Braun:
      We came in the top 10%. He's like, I think we would have done better, but I was doing my dishes when the thing started and forgot it, forgot what time the competition started. So I didn't hit enter on time to start it, but we probably could have gotten higher. And so I'm like, oh, my God, this is it. Like, how are we using AI for offense? Like, what is the implications of AI for offense? Because that was one story. There were a dozen others. And then, you know, you fast forward almost a year, and here we are with Mythos and, and so on and so forth. And so, you know, per usual, the hackers at DEF CON are, you know, talking about this stuff for a year or more before everybody else sees it show up in, you know, regular policymaking circles and so on.

       

      [09:08] Tech Tools Against Authoritarianism 

      Jake Braun:
      So that, that was one thing that we talked about back then that, again, wasn't on the tip of everybody's tongue when it happened. But of course, now is what everybody's talking about. Separately, we really delved into this idea. Adam Szostak, who's kind of my partner in crime on this and is far more technical than I am, came up with this title for the section, which he calls Power. And it was really about how hackers and the technologist community are being able to use technology to undermine authoritarian governments and what they're doing to oppress, you know, the disenfranchised around the world. And so, as you can imagine, you know, I think normally we don't include talks that aren't very technical because, again, this is DEF CON. But probably the least technical talk at DEF CON we included in the section because it was so germane. This human rights group worked with a group of hackers at DEF CON to go immediately back up, digitally, of course, all the art at the museums in Ukraine right after the invasion, so that if the art was stolen or the museums were destroyed, the Ukrainians could preserve their culture. Because, you know, in a world where, you know, all of our information lives online.

      Jake Braun:
      And you know, I don't even know what library I would go to find. You know, I mean, a lot of the information that's out there, you know, if your cultural heritage is wiped from the Internet and, and well, first off, blown up by a bomb and then wiped from the Internet or doesn't exist on the Internet, like, is that culture going to exist in 100 years? Like, I don't know, maybe not, you know, and so I think what the hackers are doing in that space is really technically not important, but culturally and from a societal perspective, incredibly important. And so that was one area, another area that we paid a lot of attention to was this Meshtastic or mesh networks. Meshtastic being one of the groups that does it, which is communication devices that can roll or communication capability that works on really low-grade or, sorry, really low five radio frequencies. And so, for example, we were doing war games around Taiwan. And what happens if the Chinese cut the undersea cables, and they can do what the Russians couldn't do in Ukraine, and take out the satellites providing communication? Is there a way that we can help now start giving the Taiwanese the capability to communicate and keep fighting for years and years if they need to, to stave off the Chinese, just like the Ukrainians are doing now? And so there was a ton of research going on at DEF CON on this and the military and others were even talking about how they're trying to deploy devices in Taiwan to enable them to, even regular citizens have these communication capabilities because, you know, in the horrible instance in which the war would have, I mean, I think regular citizens would wind up in the conflict, of course. And by the way, the great thing about DEF CON is it's not a pitch, right? And so what we found was one of the groups, I forget if it was Meshtastic or who, the hackers all started playing with this stuff.

      Jake Braun:
      They found a bunch of bugs, and they automatically said, hey, there's bugs in the group that was, there was like, yep, you're right, you did find vulnerabilities. They went back and fixed them like that. That's what DEF CON's for, you know, that's why we do this. And, and, and anyway, so, so those are a couple of the big topics. And then the other, the third big one, was the ransomware stuff. And really trying to think creatively about how governments can get after this because, you know, and look, I was in government, I did meetings in the Situation Room on ransomware. And I'm here to tell you, like we are not winning. The bad guys are winning.

      Jake Braun:
      We have to have a different approach.

       

      [13:06] DNA Data and Off-Grid Storage

      Rachael Lyon:
      There's been a lot of talk too, kind of to that point, and recently, with particularly critical infrastructure, but also, how do you protect your data right in these times of AI? And you're hearing a lot more of kind of like taking things off grid, if you will. And, one of the interesting things I read in the Almanack, I think it was related to, speaking of creative tools, was DNA in terms of data protection. Could you talk a little bit more about that solution? That sounds fascinating.

      Jake Braun:
      Oh yeah, that was actually one of my favorite ones. I remember I was running on the lakefront in Chicago, listening to that talk, and I was like, oh my God, I don't care if this doesn't fit in the category. We're including this somewhere. But of course it did. So this guy, I forget his name, and I don't have it in front of me, and I'm terrible at his name, had done this fascinating research. Now granted, from what I understand, we're still kind of a theoretical level, but his research seems to show that you could store data. Like, let's say, for example, if there was folks from the Uyghur population who wanted to back up cultural heritage information from the Uyghur culture, which of course is being erased from the Internet, at least by the Chinese government. And again, so in 200 years, does Uyghur culture exist if none of their cultural artifacts exist? You know, so anyway, so he's trying to figure out, could you store that data in a human gene or in the human genes and then walk it out of a country or an oppressed area or prison, whatever, in the individual who's, who's, you know, whose genes the data is stored in.

      Jake Braun:
      And so he seems to believe that that's possible, and his research seems to indicate that it is. I'm certainly not a DNA expert, nor, you know, whatever other experts would be relevant to figure this out, but it's really fascinating research. And, there's some other things that were a little bit less, a little bit more low-tech that were using sneaker net and stuff like that too. Basically one of the guys had figured out how to just save way more data than one could ever, than we ever imagined before on different data storage devices. So you could kind of walk out of an airport, and it looked like you maybe had some cassette tapes or DVDs or whatever. And it turns out you've got everything that you would ever need. So anyway, there's a lot of really interesting stuff in that space as well, which we put under this power heading because it's these communities that are trying to protect themselves from these authoritarian regimes that are oppressing them.

       

      [15:52] The Digital Arsenal of Democracy 

      Jonathan Knepher:
      So I want to talk about the whole off-grid communication bit for a moment as well. You know, you mentioned Meshtastic. I personally love Meshtastic. All my kids have nodes of their own, and we're able to even Comm all the way from San Diego up to the Ventura area. And so we've been super excited about how well that works. But you also describe the digital arsenal of democracy. Can you kind of tie this all together for us?

      Jake Braun:
      Yeah. So, you know, I'm a huge FDR buff, you know, Franklin Roosevelt, and he, as you may remember from high school civics, we had this problem during World War II where, you know, we wouldn't enter the. He wouldn't enter the war until we were attacked, but wanted to support the allies because he knew, obviously, that was the right side to be on. And so he came up with this, you know, idea that like, look, we're just going to be the engine. We're going to be the factory that makes all the weapons to keep these guys fighting to degrade the capability of the Nazis and the fascists in Italy and the Japanese Empire and so on and so forth. And so he started what he called the arsenal of democracy. He said, you know, we, America, is going to be the arsenal of democracy, you know, providing the weapons for these folks to fight for democracy. And so as we were thinking about kind of what's been happening a little bit organically, but we feel like it should happen, I think a little bit more strategically and deliberately is that over time the human rights community has started to realize like, hey, we need technology or technological solutions to some of the problems that we're facing and in many cases, like encrypted communication.

      Jake Braun:
      So a dissident in, you know, Russia or whatever can. Can talk to us and we can help them, you know, with what they're trying to do, preserve democracy or to support democracy and so on and so forth. The hacker community itself has also come up with things of its own accord, like, you know, downloading all the images in the museums in Ukraine, stuff like that. What we say is like, look, we're getting to a point with despotism, whether it be the Chinese government, the Russian government, those who are pressing migrants around the world, et cetera, et cetera, that we need to be far more deliberate about this. And one of the problems we face is that the human rights community and the hacker community don't really know each other and rarely talk. And so what we want to see is the human rights community to kind of sit down with a handful of hackers and so on and say, look, here's the tools we have today and here's all the stuff that we are trying to do. And let's again, what I believe to be the most clever people on the planet, being the hacker community, to be able to say, okay, cool, great, so we think we can, you know, improve that thing. Improve that thing.

      Jake Braun:
      We could build something here to do this, and something there to do that, and blah, blah, blah, and basically build. We refer to it as a tech stack, I think, but it's really a suite of tools and an arsenal. Again, not offensive in this case, of course, defensive for those being oppressed by the warlords and despots, and dictators around the world to be able to preserve their human rights, fight for democracy, and do all those things that need to be done to fight the despots and warlords and preserve human rights and democracy on this planet.

      Rachael Lyon:
      So coming back to this idea of offensive, Jake, you know, there's been a lot of talk about offensive security, particularly in kind of the realm of AI. There was a discussion coming out of RSA. It was a Mandiant report that basically, in 22 seconds, AI can map your, your entire infrastructure. So it's, it's almost moving to a place of, or it is moving to a place of. There is no window for defense, ostensibly. Right, so how does this start looking in terms of offensive security strategies? Right. I mean, the, there's the government aspect, but then there's also, you know, kind of the private company aspect, and are the lines blurring? And it's a very tricky line to walk.

      Jake Braun:
      Oh, yeah. I mean it, as I always say, you know, cyber is probably the most dual-use technology, you know, that's out there. And this is kind of why I say or not why, why we. The group, which is not just me, it's a series of people. Again, you know, my main partner in crime here is Adam Szostak, a guy named Paul Chang is great, who works for us at the university, and a whole host of others, not to mention Jeff Moss, of course, that we don't think this should be done at the behest of a government. Frankly, I think that would totally undermine this because it can't be an American thing, it can't be an EU thing, it can't, you know what I mean? It can't be something like that, that really, it should be the NGOs that, you know, their whole mission is human rights. Not to wage war, not to, you know, put people in prison, nothing like that. It's to protect the human rights of the most vulnerable in our world and really to support those organizations.

      Jake Braun:
      Now, to your point, of course, the bad guys will. Could easily go in and, you know, grab one of these technologies and turn it around and use it for, you know, offensive purposes. That's, that's of course there, but, you know, I mean, my God, that's, that's there for everything. So. But, but your point is a very good one. And that's why we don't say, oh, well, you know, they need to reestablish USAID, and it needs to do this. Like, no, like this should be Doctors Without Borders, Human Rights Watch, the, you know, the big migration groups around the world. I'm forgetting the names of course right now, but you know, that type of those types of organizations, you know, there's

       

      [22:02] The AI Security Standards Gap

      Jonathan Knepher:
      There's also been a lot of, I don't know, excitement or fear out there right now with some of these new models that are coming out, finding more defects, but also like, you know, you're bringing up how fast offensive AI is. What do you think is like the actual risk, threat level that's out there? How real are some of these things we're, we're hearing about? And, and kind of after describing how real it is, what do you think the, any gaps there might be around, around policy and kind of government's acceptance of these issues in these areas?

      Jake Braun:
      Yeah, well, I think what was amazing to me as we were doing this last year was that the year before the first Hackers Almanack RA section, I think the headline was AI Red teaming is bullshit. Because no one could define what, what red teaming is with AI. Like, what, what are you red teaming? Are you red teaming the ChatGPT app on my phone? Are you red teaming the data center? Are you red teaming the model and the weights, or are you red teaming the data that was used to train the model? I mean, like, what do we even. What do we, how do we even define what we're red teaming and that, and red teaming, it's really a proxy for security in general with AI. And, we were gonna like. Our headline initially for this year was AI Red teaming is still bullshit, yet AI is now winning these hacker competitions and so on. And I think Jeff was like, it's too confusing. So we changed it to the more simple headline we use.

      Jake Braun:
      But it is true like there's no industry definition of what AI security is right now. And yeah, there's a bunch of companies out there selling it, and they're not bad people. They're trying to do a good job and make a buck at the same time. Fine, good on them. But there's no NIST cybersecurity model. There's no 20 critical cybersecurity controls that CIS runs. I think it's down to 18 now. For some reason, that doesn't exist for AI.

      Jake Braun:
      And I think that just to kind of back into your question, that's the huge risk for me. Like, I don't think these guys have any idea how to secure any of this stuff. And until we understand how to do that, like, oh my God, the fact that it can do all this offensive stuff more than I think any of us thought it was going to be able to do even last year, that's, that's the real concern, you know, are the bad guys just going to hack in and take this and then go use it of their own volition? And I think there's evidence that's already happening from the, I think you probably saw the report to the unauthorized users, and I forget if it was Mythos or Claude or what. I don't want them to sue me. So I don't want to say exactly what it is because I'm sure I'll get it wrong. But we already know that things like this are happening, and that's incredibly disconcerting. And so what needs to happen from our perspective is exactly what happened when NIST put out the cybersecurity framework is you need to get a multi-stakeholder group together, industry, government, academics, blah blah, blah, research community, like the hackers. Sit down.

      Jake Braun:
      Come up with something. I would prefer if it was not as complicated as the NIST framework and more like the 18 critical controls from CIS. And then, you know, and then by the way, let's let case law go to work. And when folks aren't implementing what's considered a best practice or standard of due care, then let's, you know, people will take them to court, and then we'll have case law, and hopefully folks will start to get their act together more. But we're in a pretty scary, scary place right now because of this, this lack of security. I mean, and then, I don't know if that answered your whole question. What was the rest of it?

      Rachael Lyon:
      Yeah,

      Jonathan Knepher:
      You hit it all.

      Jake Braun:
      Yeah, okay.

      Rachael Lyon:
      It was a 10-part question. Yeah. And I hate to do this, everyone, but we're going to pause today's discussion right here and pick back up next week. Thanks for joining us this week. And as always, don't forget to smash that subscription button, and we'll see you next week. Until next time, stay safe. Thanks for joining us on the To The Point Cybersecurity Podcast, brought to you by Forcepoint. For more information and show notes from today's episode, please visit forcepoint.com/podcast and don't forget to subscribe and leave a review on Apple Podcasts or your favorite listening platform.

       

      About Our Guest


      Jake Braun, Executive Director, Cyber Policy Initiative, University of Chicago, and Former acting Principal Deputy National Cyber Director, The White House

      Jake Braun is Executive Director of the Cyber Policy Initiative at the University of Chicago Harris School of Public Policy and CEO and Co-Founder of Cambridge Global Advisors, a national security consulting firm. He most recently served in the White House as acting Principal Deputy National Cyber Director. Prior to that role, Mr. Braun was appointed by the President as Senior Counselor to the Secretary of the Department of Homeland Security. Mr. Braun is the author of Fentanyl: Fighting the Mass Poisoning of America and the Cartel Behind It (Bloomsbury, 2025), and Democracy in Danger: How Hackers and Activists Exposed Fatal Flaws in the Election System (Rowman & Littlefield, 2019).

      Mr. Braun’s career has spanned a litany of modern hybrid threats facing America, from counter terrorism to cybersecurity to election interference, fentanyl, cartels and AI security. While at the White House, he oversaw implementation of the National Cybersecurity Strategy, including efforts to secure our water systems, modernize the federal cyber workforce, enhance cyber cooperation with allied nations, and develop AI security policy.  During his most recent tour at DHS, he advised on multiple cross-cutting initiatives to mitigate hybrid threats.  He helped spearhead the first DHS-wide counter-fentanyl strategy and worked on the National Security Council team that developed the first U.S. government-wide counter-fentanyl strategy.  He also helped lead the effort to resettle nearly 150,000 Afghan allies during the withdrawal from Afghanistan.

      In 2009, Mr. Braun was appointed by President Obama as White House Liaison to the Department of Homeland Security. He was instrumental in the effort to gain passage in the European Parliament of the largest data-sharing agreement in history between the United States and the European Union to combat terrorism. In addition, before his tenure as White House Liaison, Mr. Braun served on the Presidential Transition Team for the Obama Administration as Deputy Director for the National Security Agencies Review.

      In addition to his role at the University of Chicago, Mr. Braun co-founded the DEF CON Voting Machine Hacking Village. In that capacity, he co-authored two award-winning reports on election interference: the DEF CON 25 and 26 Voting Village Reports. Most recently, he partnered with DEF CON, the world's largest and longest-running hacker conference, to launch “Franklin,” a program to memorialize the most innovative and impactful findings from DEF CON in the annual “Hackers' Almanack.” “Franklin” also recruits cyber volunteers to support underresourced water utilities.

      Mr. Braun began his career in politics and journalism.  He has worked on five presidential campaigns and, separately, as a journalist for newspapers in Illinois and Taiwan. He holds an MA in International Relations from Troy St. University, an MA in Secondary Education from National-Louis University, Chicago, and a BA in Philosophy from Loyola University of Chicago.
