The Curious Case of a Kentucky Cybersecurity Contract

Kentucky Secretary of State Alison Lundergan Grimes at the convention of state secretaries on July 14, 2018, in Philadelphia. Photo: Mel Evans/AP Photo

When Secretary of State Alison Lundergan Grimes hired a firm called CyberScout to address the state’s election security, she was putting her faith in a company that had never tackled such a challenge and had drawn opposition from her staff. They questioned both the hiring process — and the results.

This story, the third in a three-part series, was co-published by ProPublica and the Lexington Herald-Leader.

In the months after the 2016 elections, state election administrators spent millions of dollars investigating and addressing the cyber intrusions that had penetrated voting systems in dozens of states. Kentucky Secretary of State Alison Lundergan Grimes emerged as one of the loudest voices calling for improvements.

In February 2017, at an elections conference dominated by talk of cybersecurity, Grimes claimed to have found the perfect answer to the threat: A small company called CyberScout, which she said would comb through Kentucky’s voting systems, identify its vulnerabilities to hacking and propose solutions.

Three days later, Assistant Secretary of State Lindsay Hughes Thurston submitted paperwork to give the company a no-bid two-year contract with the State Board of Elections, or SBE, for $150,000 a year. She did not inform the SBE — the agency that oversees the state’s voting systems — that she was doing so.

At the time, CyberScout was new to voting-related cybersecurity. The company acknowledges that it had never had an election-systems client before.

CyberScout’s CEO and his wife had given Grimes a total of $12,400 in contributions over several elections, along with $4,000 to state Democratic groups. (All of the donations fell within state limits.) Ultimately, the contract went through — Grimes denies the contributions had any influence — and CyberScout delivered little in the way of results, according to 15 election officials interviewed for this article. CyberScout’s contract was not renewed after the first stage expired in June.

The story of the CyberScout contract, told here in detail for the first time, suggests a consequence of the unprecedented power that Grimes has amassed as chief elections officer. (The first two articles in this series explored how she expanded her power as well as some of the voter-privacy concerns raised by her actions.) It shows what can happen when one person consolidates decision-making authority that has historically been divided, by design, among different entities.

Grimes has been criticized for overstepping her role as secretary of state by taking day-to-day control of the SBE, a nonpartisan agency that is constitutionally separated from the secretary of state’s office (albeit chaired by the secretary of state). Grimes’ expansion of power, and the ways in which she has used that power, are the focus of three ongoing investigations by state agencies. The investigators have also asked questions about the CyberScout contract, according to people who have been interviewed.

“These allegations demonstrate exactly why Kentucky law is set up to have separation between the secretary of state and the State Board of Elections,” said Joshua Douglas, an election law professor at the University of Kentucky College of Law. “The point is to ensure transparency, oversight and checks on each entity. That may have broken down in this instance.”

Grimes has called the complaints against her “unfounded” and “political,” though they have come from members of both political parties. “I urge all Kentucky agencies to realize partisanship has no role in safeguarding Kentucky against cyber threats,” she said in a statement in September addressing an episode in which some state government email accounts were hacked. “I want to reiterate to all Kentuckians, I won’t back down from doing everything I can to protect you and our elections.”

CyberScout delivered for Kentucky, Grimes said in an interview for this article. The company, she asserted, uncovered “huge weaknesses” in the state’s voting systems. (She declined to detail those deficiencies, citing security reasons.) Grimes called CyberScout “an industry leader in security” with a focus on elections. As she put it, “We wanted to make sure we got the best of the best and no one could make any claims otherwise.”

But that’s not how the state’s own experts viewed CyberScout at the time. “I want to be perfectly clear that contracting with them in no way [fulfills] the actual security needs of our systems and in no way will mitigate our risk of intrusion,” wrote Steve Spisak, a software developer for the Secretary of State’s office who built Kentucky’s voter-registration system, and Tom Watson, a software engineer for the SBE, in a March 30, 2017, email to an executive at the board. “In fact, they don’t offer any security devices or real-world experience of any type.”

The origin of the connection between CyberScout and Grimes is murky. Adam Levin, the founder and CEO, said he and Grimes had been in contact long before the secretary of state tapped his company. “I had spoken to her for years about cybersecurity,” he said before abruptly ending an interview when pressed about their relationship. For her part, Grimes said she was “unaware” whether or not she had met Levin.

What seems clear from interviews with multiple people involved in the state’s election security is that Grimes’ team did not divulge the political contributions when the state was considering a contract for CyberScout. It was not legally required to do so. More specifically, the contributions were not disclosed to the SBE. Don Blevins Sr., a board member at the time the contract was processed (and, like Grimes, a Democrat), said he would have opposed a contract with CyberScout if he’d known about the donations. “In no way would I have ever gone along with that,” he said. “I find that outrageous.”

Not only did Grimes fail to disclose the financial links, her team misrepresented how far negotiations with CyberScout had progressed, according to members of the SBE. On Feb. 21, 2017, the day after Thurston sent the initial proposal for the contract “on behalf of the State Board of Elections,” CyberScout gave the board an overview of the company and its offerings.

Blevins called the presentation “vague,” and he said it provided little guidance as to how CyberScout and its subcontractor, Nordic Innovation Labs, would proceed and what work product they would provide. “I asked a bunch of questions, but then just shut up because I wasn’t getting anywhere,” he said.

Board members unanimously voted that day to “allow the State Board of Elections to engage with CyberScout in the future.” They said they believed they were opening the negotiation process. But in the following months, documents show the secretary of state’s office represented this vote to government agencies and the public as having approved a contract with CyberScout.

Shortly after the meeting, the contract proposal was rejected by the Kentucky Finance and Administration Cabinet. It cited a lack of evidence that CyberScout was uniquely qualified for the project, a state requirement for a no-bid contract. Without consulting the SBE, Thurston and CyberScout resubmitted the proposal with a more detailed justification letter on March 7. That submission was approved by March 24.

Grimes maintains that any issues with the contract should be blamed on the Finance Cabinet, which she said is run by “Republican Gov. Matt Bevin.” The Finance Cabinet responded that it “relies on the integrity” of statements made by constitutional officers.

Board members remained unaware that the proposal had been submitted or approved. They continued to raise questions about CyberScout during this time. “I know we had previously voted on approving to allow the Secretary and staff to further engage in discussion,” wrote Josh Branscum, a Republican board member on April 18, 2017. “Have we received any proposal fee or scope of services to look at as a board before we vote to enter into any type of official contract?” Michael Adams, another Republican board member, asked when the board could expect to receive a more detailed proposal.

Thurston responded by asserting that the board had already approved the CyberScout contract. “You will recall on February 21, 2017, the Board unanimously voted to engage CyberScout,” she wrote.

Confusion swirled inside the SBE. The agency’s staff also was unaware that a contract with CyberScout had already been submitted and approved. They were actively researching other cybersecurity contractors. Matt Selph, the assistant executive director of the SBE at the time, said he and then-Executive Director Maryellen Allen appealed to Thurston in a meeting that month, telling her they were not interested in working with CyberScout.

Despite these recommendations, Thurston repeatedly represented to the Finance Cabinet that, as she put it in one letter, CyberScout had “expertise in elections cyber security that is unmatched by any other cyber security firm.” Grimes did not respond when asked what research she or Thurston had done to substantiate this assertion, and Thurston did not respond to calls for comment.

In interviews with ProPublica and the Herald-Leader, multiple cybersecurity experts disagreed that CyberScout was uniquely qualified. Most had never heard of the company. Numerous firms provide near identical services, and several of the services listed in the contract were redundant to those offered by the U.S. Department of Homeland Security for free. (According to its website, CyberScout was founded in 2003 as a consumer-oriented operation called Identity Theft 911 and adopted its current name in 2017. CyberScout spokeswoman Lelani Clark said, “As of today, we believe that no other firms offer the spectrum of election security services we do.”)

Kentucky would have been well aware of these services and other qualified vendors in February 2017, according to Jennifer Morrell, an elections consultant heading up the Democracy Fund’s Election Validation Project. Election officials, she said, were “almost exclusively focused on cybersecurity resources and information” at the time.

Morrell previously ran elections in Arapahoe County, Colorado, and briefly retained Nordic Innovation Labs, CyberScout’s subcontractor, to pilot a new auditing technique. She called Nordic’s work “a complete failure and waste of money.” CyberScout cited this Colorado project in the letter that stated the firm was uniquely qualified for the Kentucky assignment. Morrell said nobody called her for a reference. (Nordic referred a request for comment to CyberScout.)

In the same letter and various reports produced for the state, Eric Hodge, the director of consulting for CyberScout, also claimed “the team” had done similar work in Ohio, Massachusetts and California. When contacted, all three states denied working with CyberScout or Nordic Innovation Labs. Asked about the discrepancy, Hodge said Harri Hursti, a recognized voting-machine security expert and the founding partner of Nordic, had been part of a cybersecurity report commissioned by the Ohio secretary of state in 2007. Hursti was one of 23 named experts in the report. Hodge did not respond to claims regarding the other states.

The deal with CyberScout worked out as the SBE staff feared. No one in Kentucky could point to a specific change spurred by CyberScout, and SBE employees indicated all changes made in the last two years came as a result of recommendations by the Department of Homeland Security. The company’s contract ended in June, ultimately costing the state about $150,000.

CyberScout “did absolutely zero work and got paid a bunch of money,” Selph said.

Selph was fired in late 2017, after he submitted a complaint about Grimes, including his objections to the CyberScout contract, to the Executive Branch Ethics Commission. Grimes said Selph was fired after harassing employees of the SBE. He has denied that allegation and has filed a whistleblower lawsuit against the state.

Current SBE employees have also expressed confusion as to CyberScout’s work product. As late as August, emails show SBE staffers expressing confusion about the work CyberScout had performed and the bills the company sent.

In his own complaint, which he submitted to multiple state agencies and the SBE, Jared Dearing — a Democrat picked by Grimes as executive director of the SBE — recommended an audit of vendors used by the SBE despite internal objections. He recommended that vendors who provided campaign donations be investigated.

Hodge said it didn’t matter if the SBE was unhappy. “Our client is the secretary of state,” he said. All that matters, he said, was that Grimes was satisfied. In fact, CyberScout’s contract is with SBE. (Clark defended the company’s work and maintained that Kentucky’s IT staff was “hostile” to being audited and dismissive of security concerns.)

County clerks also remain unclear as to what services CyberScout provided. As part of its contract, the company visited a handful of counties to offer guidance on shoring up their wireless connections and on the security of elections systems.

Hodge rejected criticism of the company’s county visits. For example, he asserted that the Crittenden County clerk was “overjoyed” at the company’s recommendations. In an interview, Carolyn Byford, the clerk in the county, said people from CyberScout followed her around during a special election held in September 2017 but issued no report or recommendations. “All it did was make me anxious that day,” she said. “Elections are tough enough as it is.”

In late December, more than six months after the contract expired, CyberScout published a 20-page public report summarizing its work in Kentucky. The report is missing elements generally seen in reports released by cybersecurity contractors. Most, for example, explain the methodology used for security tests. CyberScout did not do so.

The remainder of the report contained rehashed recommendations made to the SBE over the year the contract was active. Some were pasted verbatim from the notes section of a PowerPoint presentation given to the board months before. There were multiple typographical and grammatical errors and inconsistencies: On one page, CyberScout recommended that Kentucky join a multistate group on cybersecurity. On the next page it congratulated the state for having joined the group.

Hodge declined to answer questions about the report’s inconsistencies.

Herald-Leader reporter Bill Estep contributed to this story.


Kentucky Aluminum Plant Investor Is Russian Company Formerly Under US Sanctions



Craig Bouchard speaks at a Braidy Industries launch event as KY Gov. Matt Bevin (right) looks on.

This article was originally published by the Ohio Valley ReSource.

Russian aluminum company Rusal announced Monday it plans to invest in a new Kentucky aluminum mill to be built near Ashland in eastern Kentucky. The $200 million investment in Braidy Industries is Rusal’s first U.S. project since the Trump administration lifted U.S. sanctions placed against the company.

Rusal had been sanctioned by the U.S. government because its major controller, Russian oligarch Oleg Deripaska, who has close ties to Russian President Vladimir Putin, faces accusations of “a range of malign activity around the globe” by Russia, according to the U.S. Treasury Department. Those actions include interference in the 2016 U.S. presidential election and meddling in neighboring Ukraine.

Deripaska also has close business ties to former Trump campaign chair Paul Manafort, who has been convicted of tax evasion and money laundering. Deripaska is suing the U.S. to have sanctions against him removed.

The Trump administration released Rusal from sanctions in January after the company reduced the ownership stake held by Deripaska. Congressional Democrats attempted to block the White House decision and passed legislation in the House that would keep sanctions in place. However, the bill fell short in the Republican-controlled Senate, where Majority Leader Mitch McConnell of Kentucky accused Democrats of trying to “politicize” the sanctions.

Braidy Bunch

According to a press release, RUSAL will earn a 40 percent share in the factory’s profits, and Braidy will keep the remaining 60 percent. The plant has also received $15 million in direct investment from the state of Kentucky. Gov. Matt Bevin cut a deal to attract Braidy to the state with that public money and additional tax incentives totaling more than $10 million.

As part of his reelection bid, Bevin has pointed to the Braidy development as evidence of job creation in an economically struggling part of the state.

“This is a seed that has been in the ground, the germination so often seems invisible to people,” Bevin said at an event over the weekend in Martin County, Kentucky. “But good things have been happening.”

The project is expected to cost more than $1 billion and employ over 500 people.

The Ashland project will produce rolled aluminum for the American auto and aircraft markets, and is the type of project President Donald Trump hoped to support with his tariffs on aluminum imports.

Braidy Industries CEO Craig T. Bouchard discussed the partnership at the New York Stock Exchange Monday morning.

“We’re really lucky and honored to have them as our partner in Kentucky,” Bouchard said of Rusal, adding that his company had chosen to partner with Rusal for its record of environmentalism.

“We are going to lead the world in highest quality, lowest cost, and the least use of carbon from start to finish in the manufacturing process, and we’re changing the world,” he said.

The Ashland aluminum mill would be the first such plant to be built in the U.S. in 37 years, according to industry sources. Final agreements among the partners are expected to be signed later this year.



Kentucky’s Secretary of State Turns Up Heat in Fight With Elections Board

Kentucky Secretary of State Alison Lundergan Grimes Photo: Win McNamee/Getty Images

Alison Lundergan Grimes removed the State Board of Elections’ executive director, a longtime critic of her actions, from a national committee on improving the country’s voting systems.

Kentucky Secretary of State Alison Lundergan Grimes escalated her fight with the State Board of Elections last week when she removed its executive director from a national committee devoted to improving the country’s voting systems and better protecting them from cyberattacks.

Grimes took the action against the executive director, Jared Dearing, just days before he was expected to travel to Memphis, Tennessee, to participate in a meeting dealing with upgrading the voting machines and technology used by states across the country. The meeting is being held by the federal Election Assistance Commission’s Standards Board, and is widely considered to be the most significant meeting of the EAC in years.

Dearing has been a longtime critic of actions taken by Grimes, by law the state’s top elections official, and last year he filed a nine-page complaint with the Executive Branch Ethics Commission accusing Grimes of creating a hostile work environment and overstepping her authority. Dearing’s complaint helped prompt a number of investigations into Grimes’ performance and played a role in the state legislature’s decision last month to strip Grimes of some of her authority over state elections.

Grimes has steadfastly denied the claims against her, calling them politically motivated. Grimes is a Democrat, as is Dearing. In a statement, Grimes’ spokeswoman, Lillie Ruschell, said appointments to the Standards Board remain at the secretary’s discretion, and she made new appointments using “the same routine practice as previous appointments over the past eight years.”

Ruschell said the decision to remove Dearing was based on his “absence from the 2018 EAC meeting.” In a statement, Dearing said he skipped last year’s meeting at the direction of Grimes.

“I was unable to attend the 2018 meeting because the secretary did not give me approval to travel, and at that time the secretary approved all travel requests,” he said. “The Standards Board meetings are an important function of securing the commonwealth’s election systems. The State Board of Elections will continue to do everything in our power to secure our systems whether or not we are in attendance.”

This will be the first time in the history of the EAC’s Standards Board that Kentucky will not be represented by an SBE director. Trey Grayson, a former secretary of state in Kentucky, said “It’s puzzling to see this deviation from Kentucky’s long-standing practice of appointing a staff member from the SBE to this board. And the timing of Dearing’s removal, given his outspoken criticism of her, is curious.”

Dearing was widely expected to be an active participant in the Memphis meeting, and he had been consulting with elections officials across the state and country in preparation. He is being replaced by Assistant Secretary of State Erica Galyon, who has been largely absent from national conversations on voting machines.

Grimes also removed Madison County Clerk Kenny Barger from the Standards Board and appointed Johnny Collier, the clerk from Jessamine County. Barger has also been an outspoken critic of Grimes. Ruschell said Barger was removed because of his lack of “communication” about the meeting. He did not respond to a request for comment.

Collier also did not respond to a request for comment, but his office indicated he would not attend the meeting in Memphis because of family issues. This has left Grimes’ office scrambling to find another elections official only one day before the meeting begins.

Neither Barger nor Dearing’s term on the Standards Board officially ends until the end of the month, making it unclear to Kentucky’s elections officials why Grimes chose to make appointments only days ahead of a crucial meeting.

“This meeting is huge,” said Gabrielle Summe, the clerk in Kenton County, who is also the president of Kentucky’s statewide clerks association. “It decides the machines Kentucky will be able to buy.”

Summe said Grimes’ replacement of Barger may have been improper. She said national regulations required that “local election officials” select one of their own for the Standards Board. Summe said the Kentucky County Clerks Association was neither told that Grimes intended to dismiss Barger nor consulted about his replacement. The association is taking steps to prevent Barger’s removal. said the KCCA had never before complained about the appointment process.

“There’s no vacancy,” Summe said. “There’s no reason to replace him and he’s got at least a little more experience with the process.”

According to federal and state officials, last September Dearing was in the process of being approved for a security clearance when Grimes abruptly asked the Department of Homeland Security to halt the process. The move came only weeks after Dearing first issued his public grievances with Grimes.

In her statement, Ruschell did not explain why Grimes halted the process but said security clearances were at the secretary’s discretion.

In pushing back against the legislation that reduced her powers over state election matters this year, Grimes had argued that she alone had the security clearance necessary to respond to real or potential threats to election security in the state. In doing so, she failed to mention she had played a role in making sure members of the SBE lacked such clearances.

“At a time when election security is a top concern for our nation, our Republican majority wants to remove the only member of the State Board of Elections with a National Security Clearance from having a voice in protecting Kentucky, placing the process solely in the hands of unelected bureaucrats appointed by the Governor,” Grimes said in a statement last month.

After the 2016 election, DHS allowed the “chief elections official” in each state to apply for a security clearance and to sponsor the applications of two appointees in order to streamline communication between the federal government and the states.

The clearance allows DHS to quickly communicate threats to Kentucky’s elections infrastructure. Without the clearance, Dearing would likely not be among the first to know about imminent risks. The SBE is largely responsible for the day-to-day management of elections.

Officials indicated the SBE has expressed its intention to ask for additional clearances to be given to its members now that legislation has given the board clearer authority. It is likely this process will move forward.

EAC spokeswoman Brenda Soder said the general counsel is reviewing Grimes’ new appointments to the Standards Board “to determine the right course of action for all involved” and that a decision on how to move forward will be guided by relevant federal law.

“This will have a huge impact on the way our state is run,” Summe said. “We need to keep the people there who should be there.”

Update, April 11, 2019: The Election Assistance Commission rejected Kentucky Secretary of State Alison Lundergan Grimes’ attempt to replace one of Kentucky’s representatives on the commission’s Standards Board. The commission said Grimes lacked the authority to replace Kenny Barger, the local elections representative serving on the Standards Board. Grimes had tried to replace Barger in the days leading up to a major conference on voting machine reform.

This article was originally published by ProPublica.



Kentucky Legislature Passes Bill Stripping Grimes of Authority Over State Board of Elections



Kentucky Secretary of State Alison Lundergan Grimes. Photo: Alex Slitz/Lexington Herald-Leader/TNS via Getty Images

The bill takes multiple steps to scale back the level of control Secretary of State Alison Lundergan Grimes has asserted over the board in recent years.

The Kentucky legislature passed a bill on Thursday that strips Secretary of State Alison Lundergan Grimes of her authority over the State Board of Elections, restructures the SBE and makes misusing the voter registration system a misdemeanor crime.

The bill takes multiple steps to scale back the level of control Grimes has asserted over the SBE in recent years, including removing the secretary of state as the chair of the board. The secretary will become a nonvoting member of the board, and the board will now include two former county clerks — one from each party.

The bill now awaits the signature of Republican Gov. Matt Bevin.

ProPublica and the Lexington Herald-Leader published stories this year detailing the secretary of state’s office’s use of the voter registration system to look up information on political rivals, as well as the range of misconduct allegations against Grimes being explored by state investigators.

Records released last week confirmed that staff in her office had looked up those named in the reports by ProPublica and the Herald-Leader, including members of a state ethics agency currently investigating Grimes’ conduct.

Last October, the attorney general’s office appointed a special counsel to investigate ethics complaints made against Grimes, involving both a no-bid contract given to a campaign donor as well as an allegation she’s intentionally failed to comply with a federal consent decree dealing with the state’s voter rolls. Grimes, a Democrat, is also under investigation by two state agencies: The Executive Branch Ethics Commission is investigating similar claims, and the Personnel Board is investigating allegations that Grimes has created a hostile work environment and that she inappropriately searched the voter registration system to discover the political affiliation of potential and current employees.

There are no specific dates set for investigators to issue their findings, although the special counsel is expected to release his initial report in the coming weeks.

The Republican lawmakers behind the legislation — which passed largely along party lines — said they had grown to fear Grimes was exerting undue influence over state election matters. While the secretary of state is statutorily the “chief elections officer,” the process of helping counties facilitate elections has long been primarily managed by the SBE.

“In her last year in office, we needed to take significant steps to ensure our elections are protected, and to send a message to the next secretary of state — be it a Republican or a Democrat — that these types of shenanigans will not be tolerated,” said Sen. Damon Thayer, a Republican and the author of the bill.

In a statement released after the bill’s passage, Grimes said she was considering taking legal action to prevent the bill from going into effect, claiming it would dangerously centralize authority with the governor’s office. The only expansion of the governor’s authority under the bill is officially appointing two new board members, a role he already fulfills for the six current members who are selected by the parties.

Kentucky’s county clerks, who manage elections at the local level and operate largely independently from the state, widely supported the bill. Clerks from both parties have been critical of Grimes’ alleged interference in election policy.

Julie Griggs, a Democrat and the clerk in McCracken County, called the bill a “good start” that will be “helpful” to the clerks. “I’m glad the vote went the way it did,” she said.

The Republican clerk in Kenton County, Gabrielle Summe, who is also the president of the statewide clerks association, said that the bill will help the clerks have more of a voice at the SBE. “We were ignored [by Grimes], and because she could control the State Board of Elections, we couldn’t even have a relationship with them,” she said. “We’ll move forward with better communication and a clearer process.”

Grimes has denied all of the accusations against her. She has said her staff used the voter registration system for legitimate purposes and has “at all times” followed the law. She has called the accusations of inappropriate searches, hostile treatment and abuse of power filed by two SBE employees — one Democrat and one Republican — “political.”

Some number of Democrats have sided with Grimes, and they called the legislation “vengeful,” saying it would “weaken” election systems. Democratic Rep. Angie Hatton called it a “big baby bully bill.”

During her time in office, Grimes has seized more authority over the SBE than any other secretary before her — dictating when board meetings were to be held, shifting the location of meetings from the SBE office to the Capitol, approving all records requests releases by the SBE and asking the board to pass a resolution granting her day-to-day authority over the SBE. Under her guidance, the secretary of state’s office also received access to the voter registration system for the first time. None of these moves violated existing state law but were in stark contrast to her predecessors’ hands-off treatment of the SBE and its employees.

“There was a situation where a politician identified a place in the law where it didn’t say they could do something and it didn’t say she couldn’t, and she drove a truck through that,” said Tres Watson, a Republican strategist in Kentucky and former communications director for the Kentucky GOP. Watson said the bill restores the prior power balance and called Grimes “the first truly partisan secretary of state that anyone can really remember.”

“When someone behaves like that, it opens the door to others,” he said.

Grimes, in her statement and in a tweet, said the bill would create “chaos.” Griggs and Summe took issue with the claim.

“I can’t imagine what that’s supposed to mean,” said Griggs, who said the bill would not change how voters cast their ballot or the way clerks manage elections. “We do our jobs and we do them well, and I don’t see that this is going to cause chaos in the least bit.”

This article was originally published by ProPublica.
