Jake Braun Discusses Election Security, Cyber Policy, and His Stint at the White House

After several years working in the White House and the Department of Homeland Security, Jake Braun has returned to the University of Chicago Harris School of Public Policy as a senior lecturer and executive director of the Cyber Policy Initiative (CPI). One of the world’s leading cybersecurity experts, Braun previously served in the Obama White House as liaison to DHS and is the author of Democracy in Danger: How Hackers and Activists Exposed Fatal Flaws in the Election System. Cybersecurity issues and threats are especially paramount today, both for the upcoming presidential election and beyond, making Braun’s work keenly important for our national moment.

Harris Public Policy sat down with Jake Braun to ask about his work in the federal government, his assessment of the current landscape in cybersecurity threats, and his forthcoming plans for CPI:

Some experts claim that the 2024 presidential election will be the most secure in our nation’s history. What’s your assessment of the cybersecurity threats we might face this November?

On one hand, the 2024 presidential election is night and day more secure than the 2016 election. People now truly understand that there is a serious threat, and so there are correspondingly serious measures being taken to address that threat. Since 2016, we’ve seen a large shift back to paper ballots, which are an important safeguard since you can go back and physically recount them.

On the other hand, the idea that this is the most secure election in history is, from a cyber perspective, fundamentally untrue. There was no internet for the first two centuries of our elections, so by default they were more secure because they were fully analog. And though there are certainly many historical instances of ward-level and city-level voter fraud—where you had people physically stuffing ballot boxes—you simply could not scale election fraud at a national level. Today, however, with the internet, nearly all the country’s voting machines and voter registration databases run on the same technology. This means that there are now an essentially unlimited number of attack vectors that didn’t exist before, as well as numerous smaller instances of hackable entry points.

Beyond the election, what are some of the other looming threats to cybersecurity that you think should be on Americans’ radar?

We’re very focused on water utilities right now because of the possibility of bad actors pre-positioning malware on water utilities. With 50,000 water utilities in the country—many of which don't even have an IT person much less a dedicated cybersecurity expert —we think protecting water systems from a cyber perspective is a very important service for us to provide out there, and also should provide an enormous amount of opportunity for research in terms of what seems to work, what doesn't work. Fortunately, we've forged a partnership with the National Rural Water Association, who are the folks who actually know the water industry. They are working with us to build out the programs that will deploy our cybersecurity resources – including thousands of volunteer cyber experts -- effectively over the course of the next 1-2 years. Supporting American water utilities is also a crucial component of our newly established DEF CON Franklin initiative, which I’ll get into more later.

What can you tell us about your time working for the Department of Homeland Security?

The first major initiative I worked on at DHS was resettling the 120,000-plus Afghan refugees in the U.S. following the large-scale military evacuations. Once those folks boarded the C-17 aircrafts leaving Kabul, they were the responsibility and priority of DHS. It was our job to vet them but also to make sure that they had vaccines, since this resettlement took place during the COVID-19 pandemic. Then, once they arrived on U.S. soil, we helped them to become integrated into their new communities and start to build a life here.

After what ended up being six months working on Afghan refugee resettlement, I spent about two years working on the front lines of our counter-fentanyl operation, first for the Department of Homeland Security and then later National Security Council team that worked to combat the Sinaloa Cartel’s fentanyl smuggling operations, which account for 95% of fentanyl sales in the U.S. It was one of the most fulfilling experiences of my life to see the Afghans resettled in American communities.  We often told the myriad NGOs and private sector organizations helping with the effort that this was not just about helping those who helped our soldiers after the attacks on 9/11.  Rather this was just as much about the next war we will have to fight and those living in that future country knowing that if they have our soldiers’ backs, we will have theirs when the chips are down.

I was then brought over to the White House to lead the inaugural implementation of the National Cybersecurity Strategy, which is a sweeping government-wide strategy involving dozens of agencies and departments that the Biden administration released in March 2023.

What are some of the things that distinguish this new national cybersecurity strategy from previous efforts?

There are two big differences. The first is the attempt to shift the burden of building and maintaining cybersecurity infrastructure away from the individual and over to the entities who actually possess the resources to do it—meaning corporate giants like Google, Amazon, and Microsoft. These big tech companies will now be both incentivized and required to build tech with cybersecurity on the front end, which is a major shift from how things have stood previously.

The second is incentivizing long-term investments in cybersecurity. This has already begun with some of the Biden administration’s big legislative investments. The CHIPS and Science Act, and the Bipartisan Infrastructure Law all had substantial sums for cybersecurity, totaling tens of billions of dollars over the next decade. Even the Inflation Reduction Act, though it was largely a clean energy bill, contained funding and provisions for things like cyber securing the grid. These investments total about $2 trillion, which wound up making it up the biggest cyber investment in American history.

What ambitions do you have for the Cyber Policy Initiative now that you’re rejoined Harris?

We’ve set up a groundbreaking partnership with DEF CON, which is the world’s largest hacker conference as well as a year-round community of the best and brightest in the hacker and technologist research creator communities. This partnership, named DEF CON Frankin, will infuse research from the hacker community into national security and foreign policy debates, and allow cyber experts to offer support and guidance world to the under-resourced organizations who support our nation’s critical infrastructure. Like Benjamin Franklin, DEF CON Franklin strives to embody the ethos of The Enlightenment: a commitment to science and empirical research in the pursuit of happiness and a more just and equitable society. With that in mind, we’re going to replicate two of Franklin’s contributions—the publication of Poor Richard’s Almanack and the establishment of America’s first volunteer fire department—by producing an annual Hackers’ Almanack that compiles the best discoveries from DEF CON’s annual conference, and by establishing a cyber volunteer force to help fireproof American infrastructure. These initiatives are well under way – and should be in the public arena in the next couple of months.

How can Harris students get engaged with CPI?

We’ll have a variety of programming throughout the year and are always looking for graduate assistants and interns to pitch in, get involved, and gain some experience they can take with them to some high-level places after they leave Harris. We’ve had some incredible success stories of folks who’ve come through CPI, including three alums who now work in the White House supporting cybersecurity efforts, and we’re excited to continue that pattern into the future.