DEF CON volunteers step up to help water sector after China, Iran attack utilities

When Jake Braun put out a call online last year seeking volunteers who wanted to help secure a water utility, the response was so overwhelming that he had to shut down the website.

He ended up with a list of 350 names, and says he could have probably gathered thousands more. The response enabled the work of DEF CON Franklin, an initiative that recently completed a nine-month pilot program that paired white-hat hackers with water utilities in Indiana, Oregon, Utah and Vermont.

The volunteers — many of them annual participants in the DEF CON cybersecurity conference — provided free services necessary to combat an escalating array of nation-state attacks on utilities over the last three years. The emphasis was on no-cost, hands-on support for operational technology (OT) mapping, password protocols and vulnerability assessments.

Braun and the project’s other founders are now looking to rapidly scale the program up to help the country’s more than 50,000 water utilities — most of which lack the staff, resources and tools to defend themselves against increasingly sophisticated cyberthreats. 

“This next phase brings together top minds from DEF CON, academia, industry, and philanthropy to provide support in ways that are designed specifically for the unique realities of the water sector,” Braun told Recorded Future News on the sidelines of this year’s conference in Las Vegas.

“This isn’t just about protecting networks,” he said. “It’s about protecting drinking water, public health and national resilience.” 

China and Iran in mind

Braun said he was inspired to start Franklin after serving in the Biden administration right as China’s Volt Typhoon campaign emerged as one of the preeminent cyberthreats facing the United States. He is currently executive director at the University of Chicago’s Cyber Policy Initiative.

The Volt Typhoon operation — in which Chinese state-backed hackers breached the systems of U.S. critical infrastructure and embedded themselves in preparation for potential future conflicts  — took place alongside other headline-grabbing attacks on the water industry by Iranian nation-state actors following the October 7, 2023, terrorist attack in Israel.

One of Braun’s first public events after taking over as the White House’s acting principal deputy national cyber director in May 2023 was in Pittsburgh just weeks after a water utility in the area was attacked by Iran. 

“I got deeply immersed in trying to figure out what our response should be. Iran and China threats are even more severe now than they were even a few years ago,” he said. “The government really isn't doing a lot to help them, particularly with cybersecurity.”

Braun was a co-founder of the DEF CON Voting Machine Hacking Village that previously tested election system security, and he knew from that experience that the DEF CON community has a  large pool of volunteers eager to help secure systems critical to the United States. 

Braun announced the initiative at the conference last year, naming it DEF CON Franklin after founding father Benjamin Franklin because he created the first volunteer fire department in the United States while living in Philadelphia in the late 1700s.

The organization also will publish a post-DEF CON report called the Hackers’ Almanack that translates hacker-disclosed vulnerabilities into actionable insights for U.S. cybersecurity policy. 

It is backed financially by Craig Newmark Philanthropies and has already formed partnerships with the National Rural Water Association (NRWA), Cyber Resilience Corps, Aspen Digital, the American Water Works Association, Cyberspace Solarium 2.0 (CSC 2.0) and others.

Ann Cleaveland, executive director of the UC Berkeley Center for Long-Term Cybersecurity and a founding partner of the Cyber Resilience Corps, said the initiative is a replicable model for a more community-centered cybersecurity apparatus

"This is what cyber civil defense looks like, when skilled cyber volunteers are stepping up, when industry is stepping up, and when NRWA and its members are stepping up to fill the cybersecurity gap together,” Cleaveland said. 

Operating as outsiders

One of the biggest issues Braun faced in trying to establish the initiative was with the water utilities themselves. The water utility community is insular, according to Braun, and is deeply antagonistic toward any measures that will force operators to raise prices on customers. 

The Biden administration was forced to rescind a memorandum in 2023 that established new cybersecurity guidelines for water systems after utilities joined together to sue the federal government — in part over alleged concerns that the regulations would force them to raise rates.

Braun credited the NRWA with acting as a sherpa for DEF CON Franklin — ingratiating them to a tight-knit community often distrustful of outsiders. 

“Protecting our nation’s critical infrastructure isn’t a want but a necessity, and for the nearly 50,000 water systems nationwide, they need the tools and resources to not only be cyber aware but also resilient,” said Matt Holmes, CEO of the NRWA. “By designing solutions that are scalable, we are ensuring that even our smallest systems have the ability to protect themselves.” 

The NRWA suggested they start with a small pilot program and Braun agreed, picking utilities in Utah, Vermont, Indiana and Oregon where volunteers were deployed. 

“The pilots have gone quite well and they're all still going, which is great because they could have just walked away,” Braun said.

One of the biggest questions Braun says they get from water industry representatives is why any nation-state actor would care about relatively tiny water utilities serving small communities across the U.S.

Braun has had to remind them of the Volt Typhoon campaign and noted that one of the volunteers recently dealt with a Chinese phishing attack targeting an employee of a utility in Utah. 

“I think I kind of stupidly thought when we launched this that we'd say, ‘Hey, there's this free support, and we'd have 50,000 water utilities raise their hand. But it's kind of an insular community and the little utilities are like, ‘why would the Chinese, or the Iranians care about me?” he said.

“Why would the Chinese care? Well, guess what, they do. The Chinese have heard of you. They make it their business to know about you.”

Braun said when he originally came up with the idea for DEF CON Franklin, he planned on it being a long term effort that would take years. But the escalating threats from China and Iran have coincided with a precipitous drop in federal support thanks to the dismantling of the Environmental Protection Agency (EPA) and downsizing of the Cybersecurity and Infrastructure Security Agency. 

“We don't have 10 years to scale this thing up. So what we've just started doing in the last month or two is trying to figure out how we can deploy technology to scale this faster as opposed to just the humans,” he said.

Understanding the tools

Braun and his team are hard at work searching for free cybersecurity services and tools that can be deployed at utilities to offer basic protections while volunteers offer more detailed advice on specific topics.  

He added that the program did not want to saddle utilities with “freemium” products that would only be cost free for a temporary amount of time. Thankfully, the cybersecurity industry was game for the program, and companies like Dragos offered suites of free tools that can be used by critical infrastructure. 

The cybersecurity volunteers have been critical in helping explain to utilities what tools are available for free and helping them set them up. 

“We're inventorying truly free tools that are out there that can do things like asset inventory, network scanning — the basic stuff that you need for [operational technology] security, and then also trying to understand how to make sure that they're tailored specifically for the water utilities,” Braun said. 

His hope going forward is that local officials will hear about the program and ask why utilities are not taking advantage of the free support available. 

Braun added that it has been inspiring to see the hacker community step up to help organizations in need — at times helping their own region with an issue near and dear to their hearts. He has had to temper expectations for some volunteers, explaining that most organizations need fairly basic help with things like default passwords and multi-factor authentication. 

Franklin has not deployed any volunteers with less than 10 years of experience, he said, and many of those volunteering are former government workers with security clearances or people who work on sophisticated cybersecurity teams for Fortune 500 companies. 

In the end, Braun believes the U.S. government should eventually just step in and pay for more sophisticated tools that can be deployed at every water utility.

“I mean, this is a government's job. It's a national security threat. Having a bunch of volunteers doing this is not the end solution, but it's kind of all we've got right now,” Braun explained.

“As I was saying to one of these guys the other day, it's not like it's one of our volunteers or [services from] Crowdstrike. It's one of our volunteers or nothing — and with the threat level as it is, the government needs to step in eventually.”