
Loading summary
Jonathan Neffer
Welcome to to the Point Cybersecurity Podcast. Each week, join Jonathan Neffer and Rachel Lyon to explore the latest in global cybersecurity news, trending topics, and cyber industry initiatives impacting businesses, governments and our way of life. Now, let's get to the point. Speaking of scary, if you will, you know, the critical infrastructure conversation, you know, there's endless discourse on, you know, kind of really the shaky ground there. Right. And just how vulnerable things are. And I read about the Franklin Project, and I would love for you to give our listeners a little bit more about what that is and what it's aiming to do, because I think it's just wonderful.
Jake
Sure, thank you. So, actually this comes back from. Or this comes from, you know, I, myself, Hari Hersty, Matt Blaze and Maggie McAlpine co founded the Voting Machine Hacking Village back in 2017. And we. This is actually where we got the idea for the Hackers Almanac too. We started producing a report the first few years when nobody knew about any of these vulnerabilities and put that out. Got a lot of attention and hopefully drove some, some positive outcomes. But we also, what a lot of people don't know is recruited a bunch of volunteers from DEF CON to provide free technical assistance to election officials around the country. And in fact, we had election officials, and this was all, you know, under darkness of night and whatever, because none of them wanted to say they were going to defcon, who were paying their own way to defcon and meeting with some, with hackers in like, you know, back rooms and so on and so forth to, like, get advice on what to do to secure their systems. And we were like, okay, well, we need to do more of this in the water, the water industry in particular. Because, you know, when I left the White House, it was right, right after Volt Typhoon had started, you know, where the Chinese were putting malware across a lot of our critical infrastructure, particularly power and water, and particularly those that support military assets so that they could degrade capability in the event of a war, presumably over Taiwan. And so the energy community has really upped its game in the last decade or so since we started doing the smart grid and all that type of stuff. That kind of necessitated some better security practices. Water is where power was 15 years ago. I mean, you got all this stuff that was kind of connected to a network somewhere, but nobody really knows. Nobody at the water utility really knows what's connected to what. So you got this ITOT issue. You know, there's 50,000 water utilities in the country, and that's just drinking water. It's like 150 when you include wastewater. And, you know, we talk to these utilities and it's like, you know, it's some guy or gal who, like, in one place, I remember, they, they also run the 4th of July parade for the, for the town and they run the water utility. Like, this is what, you know, we're dealing with, you know, and. Right. So no fault on them that they don't know, you know, what a firewall is, you know, or what asset inventory is, blah, blah, blah. So what we've done is put a call out to the, to the DEFCON community to say, hey, anybody who wants to give back, you know, and use your highly unique skill set to do so, we're going to provide some opportunities for you to support, you know, local water utilities and so on. And so we partnered with a group called the National Rural Water Association. I forget the word rural. It's really the National Small Water association. They support about 85% of the water utilities in the country because again, almost all utilities are very small. And so they're kind of our Sherpa in this world because, you know, the water world is kind of like the hacker world. You know, they have their own language, they have their own. They have their own conferences, they have their, you know, then like, if you're not one of them, people are kind of like, who the hell are you? So NRWA is who kind of brings us in. And so we did some pilots the first year. I think we did five. They all stuck with us. So that was a good sign. And the folks we deployed to, the pilots in the first year all stuck around as well. So, you know, we felt like that kind of proved out our case that, you know, we, that this was kind of going in the right direction. So we've now expanded. I think we're in seven or eight states. We have, you know, several more. A bunch more utilities that are coming online. We're also trying to come up with some more scalable solutions, you know, like looking at things like could we. Could we figure out how to do some sort of an MSSP type offering where we could have volunteers connecting utilities into an MSSP maybe that would be housed under the National Rural Water association or something like that, so we could provide far more scalable support to many more water utilities all at once. So. So we're looking at new options to be able to scale more quickly because there's just a lot of these folks to get to. And one volunteer on this one, and that one is not going to get there fast enough. The interesting thing, by the way, that I did not see coming, but was so awesome when we first started is what often the kind of archetypical goon is at DEF con. You know, it's like some guy with like a beard and maybe some ink and you know, you know, in like one of those long like not necessarily ZZ Top, but longer spears, you know, whatever, and kind of some frumpy clothes. So this guy's like mirror image in the water is like who most of these folks who operate these water utilities are. They're like, just think kind of Duck Dynasty. They're like kind of that looking. So it's like the same guy but with like maybe a Patagonia or like knockoff Patagonia thing, the same beard. Like maybe more of a camouflage hat with like blue blockers on, on the top of it or something like that. You know, it's like you put these guys, you're like, you're the same person, just one of you wound up in water and the other one wound up a hacker. It's, it's so funny. But anyway.
Rachel Lyon
Oh, that's a, that's a great comparison. So you've painted the picture of what the, what the attack surface is here and some of the things that are being done. But have you seen evidence that the adversaries are already getting ready here? And like what's our level of panic? What should it be?
Jake
Oh, I mean, it's not like they're getting ready. I mean they're here, I think. I hate saying it's my first event in the White House because my memory is terrible. So maybe it was one of my first events in the White House was they'd send me up to Pittsburgh to go do an event at a community college there about trying to produce more cyber experts and not having to just use the four year institutions, but community colleges. One of the reasons that Pittsburgh was picked was because the war utility that supports Aliquippa right outside Pittsburgh had just been hacked. By who? The Iranians. And we know that the Iranians attacked multiple utilities around the country. You know, as I mentioned, the Chinese we know via Voltai, Food and so on, are already deploying malware in these utilities. The Russian hacktivists, which we all know, like kind of, you know, they're hacktivists during the day and their work for Russian intel at night or maybe vice versa. I mean they, they put out videos of like them hacking our water utilities and turning knobs on and off and so on. And so forth. So it's not just like they're getting ready. I mean, they're here. And, you know, I'm, I, you know, having worked in government during, you know, some crazy things like the Afghan withdrawal and, you know, the Christmas Day BOMBER Back in 2010 and all these things, I try not to panic. So I would say we do need to be. We can't mess around with this for. And think, oh, well, we'll solve this problem in the next five to 10 years. It's like, you know, the Iranians, I don't know if anybody's read the news recently, but they're kind of pissed off and they, they've already hacked their water utilities. We can only expect them to do more. And we know that if China's going to go into Taiwan in 27 or maybe 28, like, they flat out told us they're going to shut off the water. So, like, we know this is coming and is already here at some level. And like, this is a, you know, in the next couple of years, we've got, we've got to get our arms around this water security or cybersecurity for water in particular.
Jonathan Neffer
Right. I kind of coming back to Ukraine briefly, you know, you remember when, when that first kicked off, you heard a lot about these kind of volunteer cyber armies on both sides. And when we talk about kind of the current state with water and all the geopolitical conflicts in the world, you could see that kind of perhaps becoming something that bubbles up again and comes to the forefront. What's your perspective on that? Because you can't really. I mean, how do you even manage volunteer cyber armies who are ostensibly wanting to do good, particularly on the US Side? Because again, then you start getting into the offensive conversation. But again, people want to help, so how can they help in a way that's helpful?
Jake
Yeah, well, in the, in the case of Ukraine, Jeff talks about this a lot, actually. He was, explained this to me, I don't know, six, eight months ago. I think that, what I forget if it was the FBI or NATO or who put out this thing right after Ukraine when there was all this call to arms for the hacker community that was like, don't do this. It's illegal to do this. You could wind up dead or exacerbating the conflict. Stop, dude, don't do this. That being said, if you're going to do this, here's the things that you can and can't do, you know, like, you can't hack hospitals. I don't care if they're on the Russian side at the front in the war, you cannot hack hospitals. You know, things like that. Like, there are rules of the road, at least for, you know, democratic societies who care about human rights. There are norms. And so, and so they were kind of promulgating and put out, putting out, like, again, don't do any of this if you're going to do it. Here's the things, here's the things that are just, you know, completely off limits. And, you know, I, I think that approach is probably the right one. You know, when, you know what, when you've got an authoritarian dictators oppressing, you know, the, the most vulnerable people on our planet, you know, people aren't going to stand for that and they're going to do whatever they can to, to, to try and stop it. And, you know, if you're in Ukraine, you can enlist in the army, but if you're not, then, you know, there's, there's, you know, you seek other things to do. And so I think knowing that people are going to do it whether we like it or not, at least putting out there what is totally off limits, like hacking hospitals, can hopefully help folks operate within the bounds of what's still totally illegal but ethically more acceptable.
Jonathan Neffer
Sure.
Rachel Lyon
So in your almanac, you've called for more engagement between the FBI and the hacker community, especially around things like ransomware attacks. I think it touches on to what, what you were just talking about as well. On, on the activist side. Do you think, do you think the government is listening or, or are these requests being ignored? And if so, why?
Jeff Moss
I mean, I know they're listening because I, I've seen them in the audience when we've talked about it. So. And I've been on panels where, you know, they were there or they were like, right before me or right after me. So I know they've heard it. Whether, you know, they're listening. Listening. I don't know. I think a couple different things.
Jake
I think,
Jeff Moss
I think this stuff is hard and, and having been in government, you know, doing something like what we're describing is, is a really different way of thinking about how to approach the problem. Like, I'm going to bring in a thousand hackers, that I'm going to make confidential informants, or I'm going to use that authority to have them start going after these ransomware groups and at the same time make sure they don't start World War 3 because they happen to do something to one that is like, you know, actually operating out of the Kremlin. Or, or, you know, China or whatever. And so I, I think them wrapping their head around how to do it is, is, is not a small issue. Like, I know if I were to walk into a room even, even, you know, in my old job, you know, as the number two cyber official in the White House, if walking in a room saying, hey, guys, you know what I think we should do? I think we should bring a thousand hackers in, use this weird authority we have, you know, we'll find a way to pay them, and we're going to have like five people manage this whole project. Like, people would look at me like I had, you know, 12 heads. And so I get that it's hard. I do think though that they, they know that we're not making real progress against this problem that is getting worse, not better. And so whether it's this solution or another one, I do believe folks, at least the folks I used to deal with, because, yeah, I do believe folks are trying to find creative ways to get after this problem. It'll take some doing before they take our recommendation and run with it. But the good news is we have so much more kind of cross pollination between people from the hacker community going into government and government people, you know, being involved in defcon and so on, that I, I feel like it's more possible today than it would have been 10 years ago. So I remember when I, so I was the White House liaison to Homeland Security during the Obama administration. And part of your job is you, you manage the boards and commissions or that agency. And so I remember talking to Secretary Napolitano, who was the first Homeland Security secretary under Obama. And you know, you know, each administration goes, and they kind of kick all the previous administration's people off the boards and commission they put their new people on. And so she was like, hey, you know, I want to find somebody under 50. She's like, we have no young people on these, on these boards. Find me somebody under 50. And she's like, and by the way, separate comment, you know, we need somebody from the cyber world or whatever. And so I have the staff go, and I'm like, okay, find me. You know, different people met all these different criteria. And, and I'm like, and for the under 50 person, why don't we find, why don't we have that be our cyber person? Because it's, you know, new tech, you know, this, all this stuff was, was certainly new to policymakers back then back in like 2009. And one of the guys comes back, one of the researchers comes Back with this picture. And it's this guy, this pasty white guy with jet black hair and a black background and this black T shirt that says DEFCON in white letters. And I'm like, who is that guy? And. And they're like, oh, that's Jeff Moss. He's the founder of this big hacker conference called defcon. I'm like, great, get him on the phone. That's the guy. And. And so they. And Jeff said that he thought we were calling to get, like, discounted badges because I guess the government's always trying to shake them down for cheaper badges. And. And then. And it happened to be me saying, hey, do you want to be on this board? And Jeff was like, he really wanted to do it. You know, he actually has. His degree is actually in criminal justice, his undergrad degree, and he's very committed to public policy issues and so on and so forth, but he's like, oh, God, the community's gonna blow up when I say I'm doing this. But I. But I really do want to do it. And then we had all these fights internally about, you know, our lawyers, like, you can't put a hacker on. On one of our official boards. Oh, my God, all this blah, blah, blah. And to Napolitano's credit, she was like, wait, hold on. Has this guy broken any laws? And they're like, no. She's like, has he been arrested? They're like, no. She's like, then do it. Put him on. It's reputational risk not to have a hacker on one of our boards, you know, so, you know, good honor. But anyway, so. But that was really one of the first times you saw somebody from this community coming in at, like, a relatively senior policy position. Like, he wound up co chairing a few different, like, pretty influential committees that we had and so on. Now it's far more commonplace to have folks kind of going back and forth. You know, Bob Lord, for example, is a great example. Great example. Josh Corman, you know, did a stint in SZA and, you know, has been in the DEFCON community forever. There's a whole host of folks like that. So I do think that with this cross pollination. Sorry, I went down a rabbit hole here. But I do think with this cross pollination, we're getting more than ever solutions like this, bringing in hackers and creative ways to help the FBI and others get after the ransomware problem as well as others, you know, are far more likely in the future.
Jonathan Neffer
So for those of our listeners who are, you know, basically inspired. Right. I Know, I'm inspired when I read about Franklin, I was so stoked to hear that that was happening. I suspect there's a lot of folks out there that want to get involved, that want to get engaged. How would you suggest they get started?
Jeff Moss
Well, first off, just go to the Franklin website or, I mean, you can Google us, so we're easy to find. Just Google Defcon Franklin and sign up, you know, send us a message or whatever. Secondly, you know, one of our biggest challenges actually, with this water thing, you know, as I mentioned before, you know, this. It's this own. They're their own subculture, just like hackers of their own subculture is even within rwa, just kind of getting these folks at these water utilities to understand there's a problem. And it's not because they're dumb. It's just this is what they do for a living. Like, they have no reason to know that this. You know, they often say, like, why would the Chinese care about me? And. And it's like, well, you see that. That factory down the. Like, that makes ball bearings for, like, you know, the F35 or whatever, you know, or like, oh, you know, that thing they're putting in over there, that's a data center for anthropic, you know, or. Or whatever. But they don't. I mean, they don't know, and we shouldn't expect them to. So anyway, one is sign up and reach out to us. Number two is in your local community, like, if you have a relationship or know somebody who knows your mayor, who knows a city council person who knows somebody at the water utility or whatever, who can say, hey, what are you guys doing around cyber? You know, if you could. If you could get free help from, like, highly qualified people, would you take it? And if so, we're happy to help. Help you figure it out. And then let us know, and we have a whole process we'll, you know, work on, you know, making it kind of formalized and easy for them to take the help and so on and so forth. But, yeah, the other thing is, you know, call your. Your local government and ask them what they're doing on cybersecurity around water and see if they'll take the help and then tell us and. And we'll help you help you, you know, support your own community.
Jonathan Neffer
That's fantastic. I know we're coming up on time, Jake, but I do like to kind of wrap up all of our conversations with a bit of a personal question, if you will. And as you kind of referenced earlier, you know, someone with a criminal justice background who, you know, defcon. We find that the road to cyber is always quite an interesting one for people and not always a linear path. And I'd be curious on how you got to this place in time.
Jake
So Jane and I are sitting at a bar in Brussels to celebrate passing this big data sharing agreement with the European Union. I think she's having a glass of wine, I'm having a beer, and she looks at me and says, hey, Jake, you know, the. The White House has said that they want me to. To take over running cybersecurity at dhs. You know, this is before CISA and everything else. And she's like, and I'd like you
to help me with it.
And I said, ma', am, I can't spell cyber security. And she says, well, that's okay.
Nobody else in public policy knows anything about cyber either.
We'll have a bunch of technologists explain it to us.
And I said, okay.
And that's how I wound up in cyber.
Jonathan Neffer
That's fantastic. That's fantastic. And so much has changed in that time. It's crazy to think that's why I stay in cyber. I don't know about you, but I love it. Every day is a new day, and you're always learning something new. I just. I can't speak highly enough of it for those that may be looking to enter this world. It is a lot of fun and sometimes scary.
Jake
Yeah. You know, one of the things.
Yeah. I mean, the great thing about it, as we said at the beginning with AI and everything, you know, it's a. It's an industry that is always changing. You know, it's. There's always some new crazy thing we're
dealing with, some new innovative way the
bad guys have figured out how to mess with us and so on and
so forth, and what.
You know, it keeps you young, it keeps your brain working. You know, as I think Benjamin Franklin had this great quote, which is, once you're done changing, you're done. And I really take that to heart. And cyber gives you an opportunity to kind of reinvent yourself over and over and over again, because the threats and the technology just constantly changes,
Jonathan Neffer
really does so quickly. It's fun trying to keep up, keeps it always challenged, but it's wonderful. So, Jake, I want to thank you for your time today. This has been wonderful. Really appreciate your insights, and thank you for all the work you're doing. Like I said before, when I read about the Franklin project, I was just. I was like, thank you. It's wonderful that people like you and others are out there want to help where they can. Right. There's so much we can do when we kind of come together in terms of the changes we can make. So thank you. Thank you for that. And to all of our listeners out there, thanks again.
Jake
Well, thank you guys for. What are you doing?
Jonathan Neffer
Yeah. Thank you. And John, what do we like to tell our listeners to do every single week?
Rachel Lyon
Smash that subscribe button and you get
Jonathan Neffer
a fresh episode every single Tuesday. So until next time, everybody stay secure. Thanks for joining us on the to the Point Cybersecurity podcast, brought to you by forcepoint. For more information and show notes from today's episode, please visit forcepoint.com podcast
Jeff Moss
and
Jonathan Neffer
don't forget to subscribe and leave a review on Apple Podcasts or your favorite listening platform.
Podcast: To The Point – Cybersecurity
Host(s): Rachael Lyon, Jonathan Knepher
Guest(s): Jake Braun (co-founder of Voting Machine Hacking Village, cybersecurity policy advisor); brief appearances from Jeff Moss (DEF CON founder)
Release Date: May 26, 2026
This episode explores the urgent need for stronger cybersecurity in America's water infrastructure, focusing on the innovative Franklin Project—a grassroots initiative bridging the gap between the hacker community and government to help secure vulnerable local water utilities. Jake Braun shares how lessons from election security can be transferred to the water sector, the current threat landscape (from Iranian, Chinese, and Russian actors), and how volunteers from DEF CON and beyond are being mobilized. The conversation covers government engagement with hackers, the challenges and benefits of "cyber cross-pollination," and practical ways for cybersecurity professionals to get involved and support their communities.
This episode provides an urgent, hopeful perspective on closing the cybersecurity gap in water utilities by uniting the skills of hackers with the needs of under-resourced critical infrastructure. It offers practical advice for aspiring volunteers and highlights the growing collaboration between government and the hacker community—an essential trend as the threat environment continues to escalate.
For more information on the Franklin Project, volunteering, or supporting local water cyber initiatives, search “DEF CON Franklin” or contact the National Rural Water Association.