After a fire that started on a ship near Philadelphia in 1730 hit land and raged through the city’s streets, Benjamin Franklin formed the country’s first volunteer fire department. Nearly three centuries later, a pair of cybersecurity experts are drawing on that colonial call to direct action for a new-age fight: volunteer hackers vs. malicious actors intent on taking down critical infrastructure.
With the Franklin Project, the brainchild of DEF CON founder Jeff Moss and former White House acting Principal Deputy National Cyber Directory Jake Braun, volunteer hackers are enlisted to help protect some of the most vulnerable sectors in real-world settings, while also serving as resources for some of the thorniest national security and foreign policy debates.
“They want to help, they want to get involved, they want to give back,” Braun told CyberScoop during DEF CON in Las Vegas. “They just need a venue to do it.”
The Franklin Project was one of two initiatives announced at hacker conferences in Las Vegas in August aimed at tapping into the community’s talents in the fight against malicious actors looking to exploit the fragility of the digital infrastructure ecosystem.
The projects, both of which are supported by the Craig Newmark Foundation, come in the weeks after a few bits of bad code managed to derail flights around the globe, shut down critical services and create IT issues at health care facilities. While the CrowdStrike outage wasn’t a cyberattack, it underscored growing calls for civilian cyber corps.
Michael Razeeq, a #ShareTheMicInCyber fellow at New America on a research project focused on the laws governing state civilian cyber corps, said there’s been a concerted push to tap into hackers’ civic-mindedness at a time when critical networks need all the help they can get.
“There’s kind of this whole effort, or this whole ecosystem of like cyber volunteering that’s kind of been springing up,” said Razeeq, who is also privacy counsel for the digital finance company Ramp.
Increasing civic engagement from the hacker community is a top priority for both Newmark-backed initiatives.
Defending water systems, schools
The Franklin Project, Braun said, is all about following the approach to civic involvement that the inventor took in standing up that first volunteer fire department six years after one of the worst fires in Philadelphia’s history.
“It was 100 years later before they had a professional fire department anywhere in the country,” Braun said. “It’ll be 100 years before these little water utilities, whether they’re suburban or rural, have professional cyber people.”
The project is focused specifically on supporting the water and wastewater sector, as well as school systems, all of which are especially vulnerable to malicious hackers. Those sectors are considered critical infrastructure, have been hit hard by criminal and nation-backed hackers, and operate with little resources to implement costly cyberdefenses.
Volunteers for the Franklin Project would help set up basic cyber protections in those sectors to prevent successful intrusion from occuring in the first place. The idea is to get people with the right skills and people with the right needs and match them together. “Instead of being Uber, we’re more like Match.com with a marriage counselor,” Braun said.
The Biden administration has highlighted the severity of both sectors. Through the Environmental Protection Agency, the White House attempted to introduce mandatory cybersecurity rules for the water and wastewater sector, citing national security threats. But the effort was held off after multiple Republican governors and trade associations sued.
K-12 school districts, meanwhile, have been the focus of multiple initiatives from the administration, most recently the Department of Education, which launched a coordinating council to strengthen cybersecurity in educational institutions.
However, the increasing number of ransomware attacks shutting down classrooms and water utilities highlight the limits of federal resources. There are more than 150,000 public water systems in the U.S. and around 120,000 public and private K-12 schools.
“We’re starting to reach a boiling point where we have just a huge number of organizations that need help,” said Sarah Powazek, program director of public interest cybersecurity at UC Berkeley’s Center for Long-Term Cybersecurity. “There’s so much knowledge that they are assumed to have and are almost sort of implicitly required to have that they’ve never received training for.”
Civilian hackers, Braun said, just want to “get involved” and help those vulnerable organizations. He’s not the only former national security official who feels that way.
Disrupting disruption
Josh Corman is looking to prevent that worst-case scenario. He’s seen how close it can get after serving during the pandemic as the chief strategist of the COVID-19 task force at the Cybersecurity and Infrastructure Security Agency.
Corman is worried that the country might not be fully prepared for the next big hit, which could be a cyberattack against sensitive networks. His pilot project, dubbed “UnDisruptable27,” is aimed at ensuring that front-line workers are resilient against cyber-physical possibilities by hackers against lifeline infrastructure like water, power, or health care.
The name of the Institute for Security and Technology-housed project — which Corman said is temporary — is largely centered around China, which national security officials say could target U.S. infrastructure with disruptive intent. The number references 2027, the year Chinese President Xi Jinping wants to have the capabilities to seize Taiwan. Corman said a defining moment was when U.S. intelligence officials gathered to testify before the House to issue a dire warning about the level of infiltration and intent by Beijing.
“We’re over-dependent on undependable technology in areas affecting public safety, economic, national security, and all that’s not is not new,” Corman said. “But it’s taking on a new meaning and a new recognition for the public.”
The Newmark-funded pilot, which was announced at the BSides event in Las Vegas, has $700,000 at its disposal to focus on water and hospitals. The idea is to not only reach owners and operators and those not usually within earshot of federal warnings, but to get ready for what happens when the digital infrastructure collides with the physical.
While the federal government is working to right the ship, Corman said, there is going to be a time when the boat rocks a bit too much for comfort.
Craig Newmark said in a statement that trying to prevent bad actors from harming infrastructure that provides food, shelter, or warmth is anything but “alarmism.”
“It’s all our job to push governments and utilities and companies to be better on this stuff,” he said. “That means extra work for maybe understaffed IT, and they can get very annoyed with me if it helps prepare for the worst. In the meantime, I’m putting my money where my mouth is.”