

The Curious Case of a Kentucky Cybersecurity Contract

Kentucky Secretary of State Alison Lundergan Grimes at the convention of state secretaries on July 14, 2018, in Philadelphia. Photo: Mel Evans/AP Photo

When Secretary of State Alison Lundergan Grimes hired a firm called CyberScout to address the state’s election security, she was putting her faith in a company that had never tackled such a challenge and had drawn opposition from her staff. They questioned both the hiring process — and the results.

This story, the third in a three-part series, was co-published by ProPublica and the Lexington Herald-Leader.

In the months after the 2016 elections, state election administrators spent millions of dollars investigating and addressing the cyber intrusions that had penetrated voting systems in dozens of states. Kentucky Secretary of State Alison Lundergan Grimes emerged as one of the loudest voices calling for improvements.

In February 2017, at an elections conference dominated by talk of cybersecurity, Grimes claimed to have found the perfect answer to the threat: A small company called CyberScout, which she said would comb through Kentucky’s voting systems, identify its vulnerabilities to hacking and propose solutions.

Three days later, Assistant Secretary of State Lindsay Hughes Thurston submitted paperwork to give the company a no-bid two-year contract with the State Board of Elections, or SBE, for $150,000 a year. She did not inform the SBE — the agency that oversees the state’s voting systems — that she was doing so.

At the time, CyberScout was new to voting-related cybersecurity. The company acknowledges that it had never had an election-systems client before.

CyberScout’s CEO and his wife had given Grimes a total of $12,400 in contributions over several elections, along with $4,000 to state Democratic groups. (All of the donations fell within state limits.) Ultimately, the contract went through — Grimes denies the contributions had any influence — and CyberScout delivered little in the way of results, according to 15 election officials interviewed for this article. CyberScout’s contract was not renewed after the first stage expired in June.

The story of the CyberScout contract, told here in detail for the first time, suggests a consequence of the unprecedented power that Grimes has amassed as chief elections officer. (The first two articles in this series explored how she expanded her power as well as some of the voter-privacy concerns raised by her actions.) It shows what can happen when one person consolidates decision-making authority that has historically been divided, by design, among different entities.

Grimes has been criticized for overstepping her role as secretary of state by taking day-to-day control of the SBE, a nonpartisan agency that is constitutionally separated from the secretary of state’s office (albeit chaired by the secretary of state). Grimes’ expansion of power, and the ways in which she has used that power, are the focus of three ongoing investigations by state agencies. The investigators have also asked questions about the CyberScout contract, according to people who have been interviewed.

“These allegations demonstrate exactly why Kentucky law is set up to have separation between the secretary of state and the State Board of Elections,” said Joshua Douglas, an election law professor at the University of Kentucky College of Law. “The point is to ensure transparency, oversight and checks on each entity. That may have broken down in this instance.”

Grimes has called the complaints against her “unfounded” and “political,” though they have come from members of both political parties. “I urge all Kentucky agencies to realize partisanship has no role in safeguarding Kentucky against cyber threats,” she said in a statement in September addressing an episode in which some state government email accounts were hacked. “I want to reiterate to all Kentuckians, I won’t back down from doing everything I can to protect you and our elections.”

CyberScout delivered for Kentucky, Grimes said in an interview for this article. The company, she asserted, uncovered “huge weaknesses” in the state’s voting systems. (She declined to detail those deficiencies, citing security reasons.) Grimes called CyberScout “an industry leader in security” with a focus on elections. As she put it, “We wanted to make sure we got the best of the best and no one could make any claims otherwise.”

But that’s not how the state’s own experts viewed CyberScout at the time. “I want to be perfectly clear that contracting with them in no way [fulfills] the actual security needs of our systems and in no way will mitigate our risk of intrusion,” wrote Steve Spisak, a software developer for the Secretary of State’s office who built Kentucky’s voter-registration system, and Tom Watson, a software engineer for the SBE, in a March 30, 2017, email to an executive at the board. “In fact, they don’t offer any security devices or real-world experience of any type.”

The origin of the connection between CyberScout and Grimes is murky. Adam Levin, the founder and CEO, said he and Grimes had been in contact long before the secretary of state tapped his company. “I had spoken to her for years about cybersecurity,” he said before abruptly ending an interview when pressed about their relationship. For her part, Grimes said she was “unaware” whether or not she had met Levin.

What seems clear from interviews with multiple people involved in the state’s election security is that Grimes’ team did not divulge the political contributions when the state was considering a contract for CyberScout. It was not legally required to do so. More specifically, the contributions were not disclosed to the SBE. Don Blevins Sr., a board member at the time the contract was processed (and, like Grimes, a Democrat), said he would have opposed a contract with CyberScout if he’d known about the donations. “In no way would I have ever gone along with that,” he said. “I find that outrageous.”

Not only did Grimes fail to disclose the financial links, her team misrepresented how far negotiations with CyberScout had progressed, according to members of the SBE. On Feb. 21, 2017, the day after Thurston sent the initial proposal for the contract “on behalf of the State Board of Elections,” CyberScout gave the board an overview of the company and its offerings.

Blevins called the presentation “vague,” and he said it provided little guidance as to how CyberScout and its subcontractor, Nordic Innovation Labs, would proceed and what work product they would provide. “I asked a bunch of questions, but then just shut up because I wasn’t getting anywhere,” he said.

Board members unanimously voted that day to “allow the State Board of Elections to engage with CyberScout in the future.” They said they believed they were opening the negotiation process. But in the following months, documents show the secretary of state’s office represented this vote to government agencies and the public as having approved a contract with CyberScout.

Shortly after the meeting, the contract proposal was rejected by the Kentucky Finance and Administration Cabinet. It cited a lack of evidence that CyberScout was uniquely qualified for the project, a state requirement for a no-bid contract. Without consulting the SBE, Thurston and CyberScout resubmitted the proposal with a more detailed justification letter on March 7. That submission was approved by March 24.

Grimes maintains that any issues with the contract should be blamed on the Finance Cabinet, which she said is run by “Republican Gov. Matt Bevin.” The Finance Cabinet responded that it “relies on the integrity” of statements made by constitutional officers.

Board members remained unaware that the proposal had been submitted or approved. They continued to raise questions about CyberScout during this time. “I know we had previously voted on approving to allow the Secretary and staff to further engage in discussion,” wrote Josh Branscum, a Republican board member on April 18, 2017. “Have we received any proposal fee or scope of services to look at as a board before we vote to enter into any type of official contract?” Michael Adams, another Republican board member, asked when the board could expect to receive a more detailed proposal.

Thurston responded by asserting that the board had already approved the CyberScout contract. “You will recall on February 21, 2017, the Board unanimously voted to engage CyberScout,” she wrote.

Confusion swirled inside the SBE. The agency’s staff also was unaware that a contract with CyberScout had already been submitted and approved. They were actively researching other cybersecurity contractors. Matt Selph, the assistant executive director of the SBE at the time, said he and then-Executive Director Maryellen Allen appealed to Thurston in a meeting that month, telling her they were not interested in working with CyberScout.

Despite these recommendations, Thurston repeatedly represented to the Finance Cabinet that, as she put it in one letter, CyberScout had “expertise in elections cyber security that is unmatched by any other cyber security firm.” Grimes did not respond when asked what research she or Thurston had done to substantiate this assertion, and Thurston did not respond to calls for comment.

In interviews with ProPublica and the Herald-Leader, multiple cybersecurity experts disagreed that CyberScout was uniquely qualified. Most had never heard of the company. Numerous firms provide near identical services, and several of the services listed in the contract were redundant to those offered by the U.S. Department of Homeland Security for free. (According to its website, CyberScout was founded in 2003 as a consumer-oriented operation called Identity Theft 911 and adopted its current name in 2017. CyberScout spokeswoman Lelani Clark said, “As of today, we believe that no other firms offer the spectrum of election security services we do.”)

Kentucky would have been well aware of these services and other qualified vendors in February 2017, according to Jennifer Morrell, an elections consultant heading up the Democracy Fund’s Election Validation Project. Election officials, she said, were “almost exclusively focused on cybersecurity resources and information” at the time.

Morrell previously ran elections in Arapahoe County, Colorado, and briefly retained Nordic Innovation Labs, CyberScout’s subcontractor, to pilot a new auditing technique. She called Nordic’s work “a complete failure and waste of money.” CyberScout cited this Colorado project in the letter that stated the firm was uniquely qualified for the Kentucky assignment. Morrell said nobody called her for a reference. (Nordic referred a request for comment to CyberScout.)

In the same letter and various reports produced for the state, Eric Hodge, the director of consulting for CyberScout, also claimed “the team” had done similar work in Ohio, Massachusetts and California. When contacted, all three states denied working with CyberScout or Nordic Innovation Labs. Asked about the discrepancy, Hodge said Harri Hursti, a recognized voting-machine security expert and the founding partner of Nordic, had been part of a cybersecurity report commissioned by the Ohio secretary of state in 2007. Hursti was one of 23 named experts in the report. Hodge did not respond to claims regarding the other states.

The deal with CyberScout worked out as the SBE staff feared. No one in Kentucky could point to a specific change spurred by CyberScout, and SBE employees indicated all changes made in the last two years came as a result of recommendations by the Department of Homeland Security. The company’s contract ended in June, ultimately costing the state about $150,000.

CyberScout “did absolutely zero work and got paid a bunch of money,” Selph said.

Selph was fired in late 2017, after he submitted a complaint about Grimes, including his objections to the CyberScout contract, to the Executive Branch Ethics Commission. Grimes said Selph was fired after harassing employees of the SBE. He has denied that allegation and has filed a whistleblower lawsuit against the state.

Current SBE employees have also expressed confusion as to CyberScout’s work product. As late as August, emails show SBE staffers expressing confusion about the work CyberScout had performed and the bills the company sent.

In his own complaint, which he submitted to multiple state agencies and the SBE, Jared Dearing — a Democrat picked by Grimes as executive director of the SBE — recommended an audit of vendors used by the SBE despite internal objections. He recommended that vendors who provided campaign donations be investigated.

Hodge said it didn’t matter if the SBE was unhappy. “Our client is the secretary of state,” he said. All that matters, he said, was that Grimes was satisfied. In fact, CyberScout’s contract is with SBE. (Clark defended the company’s work and maintained that Kentucky’s IT staff was “hostile” to being audited and dismissive of security concerns.)

County clerks also remain unclear as to what services CyberScout provided. As part of its contract, the company visited a handful of counties to offer guidance on shoring up their wireless connections and on the security of elections systems.

Hodge rejected criticism of the company’s county visits. For example, he asserted that the Crittenden County clerk was “overjoyed” at the company’s recommendations. In an interview, Carolyn Byford, the clerk in the county, said people from CyberScout followed her around during a special election held in September 2017 but issued no report or recommendations. “All it did was make me anxious that day,” she said. “Elections are tough enough as it is.”

In late December, more than six months after the contract expired, CyberScout published a 20-page public report summarizing its work in Kentucky. The report is missing elements generally seen in reports released by cybersecurity contractors. Most, for example, explain the methodology used for security tests. CyberScout did not do so.

The remainder of the report contained rehashed recommendations made to the SBE over the year the contract was active. Some were pasted verbatim from the notes section of a PowerPoint presentation given to the board months before. There were multiple typographical and grammatical errors and inconsistencies: On one page, CyberScout recommended that Kentucky join a multistate group on cybersecurity. On the next page it congratulated the state for having joined the group.

Hodge declined to answer questions about the report’s inconsistencies.

Herald-Leader reporter Bill Estep contributed to this story.


When W.Va. Delegate Compared LGBT to KKK, He Highlighted the History of Religious Right Prejudice



Newly elected Del. Eric Porterfield was sworn in to the West Virginia House before the start of the 2019 session. Photo: Perry Bennett/West Virginia Legislative Photography

When West Virginia House of Delegates member Eric Porterfield, R-Mercer, called the LGBT community “the modern-day version of the Ku Klux Klan” in an interview with a Charleston Gazette-Mail reporter last week, it drew condemnation not just in the state, but nationwide. But Porterfield, in fact, joined a long legacy of right-wing evangelicals who have conflated legal protections for lesbians, gay men, bisexuals and transgender people with white supremacy and domestic terrorism.

The Southern Baptist Convention in 2012 resolved that “homosexual rights activists” had “misappropriated the rhetoric of the Civil Rights Movement” in advocating for marriage equality and other legal protections.

Bryan Fischer, former director of issues analysis for the American Family Association, has compared LGBT people to Nazis numerous times, arguing in a 2010 column that “homosexuality gave us Adolph [sic] Hitler.”

And Tony Perkins, president of the Christian conservative lobbying group the Family Research Council, argued in a 2018 column on the organization’s website that marriage equality was really “about obliterating every moral and cultural boundary humans have ever known.”

“The LGBTQ is suppressing the freedom of people that disagree with them and forcing their ideology,” Porterfield told Rachel Anderson, a reporter and weekend anchor with the Bluefield, West Virginia, TV station WVVA, in a separate interview.  

“If they do not get their way, they cause chaos, apply pressure, intimidate, internet stalk,” he added. “They’re the most evil-spreading and hate-filled group in this country.”

Porterfield’s comments came after a controversial rant in a legislative committee meeting, during which lawmakers were debating a bill to add protections to the state’s housing and employment nondiscrimination law for sexual orientation and gender identity.

His broader claim that “the LGBTQ” are harming America by lobbying for equal protections under the law is not new either. It’s right out of the right-wing evangelical playbook, according to Randall Balmer, an Episcopal priest and historian whose work studying the religious right has been recognized with numerous accolades, including an Emmy nomination for script-writing and hosting the PBS documentary based on his book, “Mine Eyes Have Seen the Glory.”

Balmer said that right-wing evangelical leaders often rely on a “rhetoric of victimization” to make themselves seem persecuted in the face of changing social norms.

“That, by the way, is one of the reasons that they embrace Trump…he’s very good at this rhetoric of victimization,” Balmer said. “What this guy in West Virginia is saying is just a variant on this. ‘We’re the ones who are under siege, we’re the ones who have some sort of grievance that needs to be redressed.’”

But even given this context, Porterfield’s comparison of LGBT people with the KKK is a strange one, given the religious right’s origins. Although many believe abortion had a central role in pushing evangelical leaders toward politics, pro-life rhetoric did not become important in those circles until well past the 1970s.

In a Politico Magazine piece, Balmer traces the beginnings of the evangelical right’s political efforts to a court case in the late 1960s, when a group of Black parents in Holmes, Mississippi, filed a lawsuit against the U.S. Treasury Department in hopes of preventing segregated private K-12 schools from receiving full tax-exempt status. As the Internal Revenue Service targeted the tax-exempt status of private, segregated primary and secondary schools, leaders like the late Jerry Falwell became involved in the fight. “In some states it’s easier to open a massage parlor than to open a Christian school,” Falwell is quoted as saying at the time in an article in The Nation exploring the preacher’s racist roots.

The racism exhibited by leaders of the evangelical right at the time was not limited to their efforts to preserve whites-only Christian academies. Tony Perkins, the aforementioned president of the Family Research Council, had no problem associating with the KKK when he served in Louisiana’s House of Representatives. He even spent time with David Duke, a former grand wizard for the white supremacist hate group.

“The religious right has its roots in racism, I’m sorry to say,” Balmer said. “So for this guy to kind of call on that trope is both ironic, but also fully compatible with the history of this movement.”

Heather Warren, a University of Virginia religion professor who studies American religious history, agreed with Balmer, adding that racism and Christianity were intertwined not just in evangelical movements, but in “hardcore KKK ideology.” Warren, who is also an Episcopal priest, said that in the 1950s and ’60s, leaders in the religious right were fighting not to make America great again, but “to keep America Christian.”

“And Christian and white and democracy all went together,” she said. “They were all interchangeable. There was this way that it all added up to a white supremacy.”

So laws and ordinances banning discrimination based on sexual orientation and gender identity are a direct affront to democracy, Warren said, and an attack on democracy is synonymous with an attack on white Christianity and America, under this belief system.

“When Falwell was alive and writing, usually in his catalogue of phenomena and types of people who were eroding America and eroding American democracy, he’d often start off with homosexuals at the top of his list,” Warren said. “Feminists were close behind.”

It’s a convenient leap to make if you want to demonize the continued push for increased LGBT rights, which Porterfield seems to think are somehow wholly separate from the gay community. He clarified in his interview with Anderson that his original statement was an “anti-LGBTQ sentiment,” not an “anti-gay sentiment.”

Even before taking office, Porterfield made his positions on issues that directly impact the LGBT community clear. In a December interview, Porterfield condemned efforts to outlaw conversion therapy in West Virginia, a practice opposed by every major credible psychology or psychiatry organization. Porterfield called efforts to ban the practice “bigoted and discriminatory” and said that the counseling practice should be protected as free speech.

Historically, conversion therapy methods have relied on tactics like castration, induced vomiting and electroshock therapy to “cure” LGBT people. While the unscientific and unethical therapeutic method has been banned or condemned in a number of states, including California and Washington State, New York is the only Appalachian state so far to outlaw it.

Porterfield’s comments, both before taking office and since, make it clear that he believes being criticized for bigotry is on par with a legacy of racist, sexist, homophobic and transphobic violence rooted in white supremacy and white Christianity. By making this comparison, he’s dismissing that Black and LGBT Americans have faced far worse than a few mean comments online.

The KKK was infamous for carrying out lynchings against Black Americans, a hate crime that often involves hanging but often also can include being burned alive or shot multiple times. The 1998 murder of Matthew Shepard, a gay college student from Wyoming who was beaten and left to die tied to a fencepost, is sometimes considered a lynching, and the history of lynching was painfully brought up for many Black LGBT Americans recently when Jussie Smollett, a Black gay actor, was assaulted by two men in Chicago who put a noose around his neck.

There’s hope, however, for Balmer in the form of younger white evangelicals who might not share Porterfield’s extreme beliefs.

“Not that his views are unique, and not that his vitriol is unique,” Balmer said. “But I think it’s changing, and much of it is generational.”

Balmer says young evangelicals are already showing they’re more concerned about issues like ending widespread hunger and poverty than whether someone is trans or attracted to a person of the same gender. Hopefully, he says, one day these young people will refuse to back other politicians like Porterfield and focus their efforts on finding solutions for struggling communities.

Tiffany Stevens (@tiffanymstevens) is an independent journalist living in Southwest Virginia. Their work focuses on the media, the LGBT community and Appalachia.



West Virginia Lawmaker Faces Calls To Resign After Likening LGBTQ People To KKK, ‘Terrorist Group’



West Virginia House of Delegates member Eric Porterfield during a recent floor session. Photo: Perry Bennett/West Virginia Legislative Photography

This story was originally published by the Huffington Post and is used here with permission.

West Virginia lawmaker Eric Porterfield is facing calls to resign after a string of homophobic remarks, such as likening the LGBTQ community to the Ku Klux Klan and saying he would “see if [his kids] can swim” if they came out as gay.

Porterfield (R-Mercer), who is a born-again Baptist missionary and is blind, was elected to the state’s House of Delegates in November. He has continued to stand by his bigoted views, accusing the LGBTQ community of being a “terrorist group” that has “no care for diversity of thought.”

“The LGBTQ is a modern-day version of the Ku Klux Klan, without wearing hoods with their antics of hate,” Porterfield told a reporter with the Charleston Gazette-Mail on Friday. 


He reportedly used the slur “faggot” in a committee meeting on Wednesday amid discussions over a proposed amendment that would restrict anti-discrimination protections for LGBTQ people. That amendment failed to pass, the Gazette-Mail reported.

Porterfield, responding to backlash against his comments on Saturday, repeated his views to Bluefield station WVVA, adding that if his young son or daughter came out to him as gay, he would “see if she can swim … then I’d see if he can swim.”

The West Virginia Democratic Party on Friday called for Porterfield’s resignation.

“West Virginia has no room for someone who expresses such hate. Let alone room for him to hold a public office where he is supposed to represent the people of West Virginia,” WVDP Chairwoman Belinda Biafore said in a statement.

“His hate-filled remarks and actions speak volumes and so does the Republican Party’s silence. The Republican majority’s leadership needs to condemn these actions. Their silence is complicit and the people of West Virginia deserve better,” she added.

Among the Republicans publicly condemning Porterfield’s words was Mercer County Commissioner Greg Puckett, who characterized the homophobic comments as contrary to what the Bible teaches.

“As a Commissioner within Mercer County, I do not condone, nor accept this behavior of anyone, let alone an elected official. Likewise, this form of antics in representation of my county is not inclusive to the people within,” Puckett said in a Facebook post.

Delegate John Shott (R-Mercer) also distanced himself from Porterfield’s views, calling them “much too extreme.” 

“I don’t accept his categorization of that group nor do I think it’s productive to call anyone names when you are trying to advance the goals of the party. It’s not a productive approach to solving problems,” he told the Bluefield Daily Telegraph. He added that Porterfield should learn to be “[discreet] with his words.”

Porterfield did not immediately respond to a request for comment on Monday.




Fact-check: Has Unemployment in W.Va. Fallen Under GOP Governor?



West Virginia Gov. Jim Justice holds a service dog onstage after announcing Monday, Jan. 7, 2019, in White Sulphur Springs, W.Va., that he will seek re-election in 2020. Photo: John Raby, AP Photo.

Unemployment has fallen across the country in recent years. But the West Virginia Democratic Party said in a recent tweet that it hasn’t fallen on Republican Gov. Jim Justice’s watch.

In a Jan. 9 tweet, the state party wrote, “FACT: Unemployment rate has not decreased since @WVGovernor took office. #wvpol #WVSOTS19”

Is that correct? We decided to check it out. (We reached out to a party representative but did not receive a response.)

Justice, elected as a Democrat in 2016, took office on Jan. 16, 2017. That month, the unemployment rate in West Virginia was 5.3 percent.

Justice became a Republican on Aug. 3, 2017. That month, the state unemployment rate stood at 5.2 percent.

And today? In the most recent month available, December 2018, the unemployment rate in West Virginia was 5.1 percent.

Is that a dramatic drop? No. But unlike what the tweet says, it is a decline.

It’s worth noting a limitation in the data, said Brian Lego, a research assistant professor at West Virginia University. Because West Virginia’s population is small, he said, the margin of error for the survey used to track the unemployment rate is big enough to produce uncertainty about small changes in the data, like those seen during Justice’s tenure.

“The change is statistically insignificant,” Lego said.

He added that regular revisions by the Bureau of Labor Statistics, which collects the data, could produce small changes that affect the comparison.

Our ruling

The West Virginia Democratic Party tweeted, “FACT: Unemployment rate has not decreased since @WVGovernor took office.”

The state unemployment rate did, in fact, decline from 5.3 percent to 5.1 percent on Justice’s watch. That said, it was an exceedingly narrow decline — in fact, economists say that the margin of error for the survey in question leaves in doubt how big the decline was.

We rate the statement Mostly False.

This article was originally published by PolitiFact.


