

The Curious Case of a Kentucky Cybersecurity Contract

Kentucky Secretary of State Alison Lundergan Grimes at the convention of state secretaries on July 14, 2018, in Philadelphia. Photo: Mel Evans/AP Photo

When Secretary of State Alison Lundergan Grimes hired a firm called CyberScout to address the state’s election security, she was putting her faith in a company that had never tackled such a challenge and had drawn opposition from her staff. They questioned both the hiring process — and the results.

This story, the third in a three-part series, was co-published by ProPublica and the Lexington Herald-Leader.

In the months after the 2016 elections, state election administrators spent millions of dollars investigating and addressing the cyber intrusions that had penetrated voting systems in dozens of states. Kentucky Secretary of State Alison Lundergan Grimes emerged as one of the loudest voices calling for improvements.

In February 2017, at an elections conference dominated by talk of cybersecurity, Grimes claimed to have found the perfect answer to the threat: A small company called CyberScout, which she said would comb through Kentucky’s voting systems, identify its vulnerabilities to hacking and propose solutions.

Three days later, Assistant Secretary of State Lindsay Hughes Thurston submitted paperwork to give the company a no-bid two-year contract with the State Board of Elections, or SBE, for $150,000 a year. She did not inform the SBE — the agency that oversees the state’s voting systems — that she was doing so.

At the time, CyberScout was new to voting-related cybersecurity. The company acknowledges that it had never had an election-systems client before.

CyberScout’s CEO and his wife had given Grimes a total of $12,400 in contributions over several elections, along with $4,000 to state Democratic groups. (All of the donations fell within state limits.) Ultimately, the contract went through — Grimes denies the contributions had any influence — and CyberScout delivered little in the way of results, according to 15 election officials interviewed for this article. CyberScout’s contract was not renewed after the first stage expired in June.

The story of the CyberScout contract, told here in detail for the first time, suggests a consequence of the unprecedented power that Grimes has amassed as chief elections officer. (The first two articles in this series explored how she expanded her power as well as some of the voter-privacy concerns raised by her actions.) It shows what can happen when one person consolidates decision-making authority that has historically been divided, by design, among different entities.

Grimes has been criticized for overstepping her role as secretary of state by taking day-to-day control of the SBE, a nonpartisan agency that is constitutionally separated from the secretary of state’s office (albeit chaired by the secretary of state). Grimes’ expansion of power, and the ways in which she has used that power, are the focus of three ongoing investigations by state agencies. The investigators have also asked questions about the CyberScout contract, according to people who have been interviewed.

“These allegations demonstrate exactly why Kentucky law is set up to have separation between the secretary of state and the State Board of Elections,” said Joshua Douglas, an election law professor at the University of Kentucky College of Law. “The point is to ensure transparency, oversight and checks on each entity. That may have broken down in this instance.”

Grimes has called the complaints against her “unfounded” and “political,” though they have come from members of both political parties. “I urge all Kentucky agencies to realize partisanship has no role in safeguarding Kentucky against cyber threats,” she said in a statement in September addressing an episode in which some state government email accounts were hacked. “I want to reiterate to all Kentuckians, I won’t back down from doing everything I can to protect you and our elections.”

CyberScout delivered for Kentucky, Grimes said in an interview for this article. The company, she asserted, uncovered “huge weaknesses” in the state’s voting systems. (She declined to detail those deficiencies, citing security reasons.) Grimes called CyberScout “an industry leader in security” with a focus on elections. As she put it, “We wanted to make sure we got the best of the best and no one could make any claims otherwise.”

But that’s not how the state’s own experts viewed CyberScout at the time. “I want to be perfectly clear that contracting with them in no way [fulfills] the actual security needs of our systems and in no way will mitigate our risk of intrusion,” wrote Steve Spisak, a software developer for the Secretary of State’s office who built Kentucky’s voter-registration system, and Tom Watson, a software engineer for the SBE, in a March 30, 2017, email to an executive at the board. “In fact, they don’t offer any security devices or real-world experience of any type.”

The origin of the connection between CyberScout and Grimes is murky. Adam Levin, the founder and CEO, said he and Grimes had been in contact long before the secretary of state tapped his company. “I had spoken to her for years about cybersecurity,” he said before abruptly ending an interview when pressed about their relationship. For her part, Grimes said she was “unaware” whether or not she had met Levin.

What seems clear from interviews with multiple people involved in the state’s election security is that Grimes’ team did not divulge the political contributions when the state was considering a contract for CyberScout. It was not legally required to do so. More specifically, the contributions were not disclosed to the SBE. Don Blevins Sr., a board member at the time the contract was processed (and, like Grimes, a Democrat), said he would have opposed a contract with CyberScout if he’d known about the donations. “In no way would I have ever gone along with that,” he said. “I find that outrageous.”

Not only did Grimes fail to disclose the financial links, her team misrepresented how far negotiations with CyberScout had progressed, according to members of the SBE. On Feb. 21, 2017, the day after Thurston sent the initial proposal for the contract “on behalf of the State Board of Elections,” CyberScout gave the board an overview of the company and its offerings.

Blevins called the presentation “vague,” and he said it provided little guidance as to how CyberScout and its subcontractor, Nordic Innovation Labs, would proceed and what work product they would provide. “I asked a bunch of questions, but then just shut up because I wasn’t getting anywhere,” he said.

Board members unanimously voted that day to “allow the State Board of Elections to engage with CyberScout in the future.” They said they believed they were opening the negotiation process. But in the following months, documents show the secretary of state’s office represented this vote to government agencies and the public as having approved a contract with CyberScout.

Shortly after the meeting, the contract proposal was rejected by the Kentucky Finance and Administration Cabinet. It cited a lack of evidence that CyberScout was uniquely qualified for the project, a state requirement for a no-bid contract. Without consulting the SBE, Thurston and CyberScout resubmitted the proposal with a more detailed justification letter on March 7. That submission was approved by March 24.

Grimes maintains that any issues with the contract should be blamed on the Finance Cabinet, which she said is run by “Republican Gov. Matt Bevin.” The Finance Cabinet responded that it “relies on the integrity” of statements made by constitutional officers.

Board members remained unaware that the proposal had been submitted or approved. They continued to raise questions about CyberScout during this time. “I know we had previously voted on approving to allow the Secretary and staff to further engage in discussion,” wrote Josh Branscum, a Republican board member on April 18, 2017. “Have we received any proposal fee or scope of services to look at as a board before we vote to enter into any type of official contract?” Michael Adams, another Republican board member, asked when the board could expect to receive a more detailed proposal.

Thurston responded by asserting that the board had already approved the CyberScout contract. “You will recall on February 21, 2017, the Board unanimously voted to engage CyberScout,” she wrote.

Confusion swirled inside the SBE. The agency’s staff also was unaware that a contract with CyberScout had already been submitted and approved. They were actively researching other cybersecurity contractors. Matt Selph, the assistant executive director of the SBE at the time, said he and then-Executive Director Maryellen Allen appealed to Thurston in a meeting that month, telling her they were not interested in working with CyberScout.

Despite these recommendations, Thurston repeatedly represented to the Finance Cabinet that, as she put it in one letter, CyberScout had “expertise in elections cyber security that is unmatched by any other cyber security firm.” Grimes did not respond when asked what research she or Thurston had done to substantiate this assertion, and Thurston did not respond to calls for comment.

In interviews with ProPublica and the Herald-Leader, multiple cybersecurity experts disagreed that CyberScout was uniquely qualified. Most had never heard of the company. Numerous firms provide near identical services, and several of the services listed in the contract were redundant to those offered by the U.S. Department of Homeland Security for free. (According to its website, CyberScout was founded in 2003 as a consumer-oriented operation called Identity Theft 911 and adopted its current name in 2017. CyberScout spokeswoman Lelani Clark said, “As of today, we believe that no other firms offer the spectrum of election security services we do.”)

Kentucky would have been well aware of these services and other qualified vendors in February 2017, according to Jennifer Morrell, an elections consultant heading up the Democracy Fund’s Election Validation Project. Election officials, she said, were “almost exclusively focused on cybersecurity resources and information” at the time.

Morrell previously ran elections in Arapahoe County, Colorado, and briefly retained Nordic Innovation Labs, CyberScout’s subcontractor, to pilot a new auditing technique. She called Nordic’s work “a complete failure and waste of money.” CyberScout cited this Colorado project in the letter that stated the firm was uniquely qualified for the Kentucky assignment. Morrell said nobody called her for a reference. (Nordic referred a request for comment to CyberScout.)

In the same letter and various reports produced for the state, Eric Hodge, the director of consulting for CyberScout, also claimed “the team” had done similar work in Ohio, Massachusetts and California. When contacted, all three states denied working with CyberScout or Nordic Innovation Labs. Asked about the discrepancy, Hodge said Harri Hursti, a recognized voting-machine security expert and the founding partner of Nordic, had been part of a cybersecurity report commissioned by the Ohio secretary of state in 2007. Hursti was one of 23 named experts in the report. Hodge did not respond to claims regarding the other states.

The deal with CyberScout worked out as the SBE staff feared. No one in Kentucky could point to a specific change spurred by CyberScout, and SBE employees indicated all changes made in the last two years came as a result of recommendations by the Department of Homeland Security. The company’s contract ended in June, ultimately costing the state about $150,000.

CyberScout “did absolutely zero work and got paid a bunch of money,” Selph said.

Selph was fired in late 2017, after he submitted a complaint about Grimes, including his objections to the CyberScout contract, to the Executive Branch Ethics Commission. Grimes said Selph was fired after harassing employees of the SBE. He has denied that allegation and has filed a whistleblower lawsuit against the state.

Current SBE employees have also expressed confusion as to CyberScout’s work product. As late as August, emails show SBE staffers expressing confusion about the work CyberScout had performed and the bills the company sent.

In his own complaint, which he submitted to multiple state agencies and the SBE, Jared Dearing — a Democrat picked by Grimes as executive director of the SBE — recommended an audit of vendors used by the SBE despite internal objections. He recommended that vendors who provided campaign donations be investigated.

Hodge said it didn’t matter if the SBE was unhappy. “Our client is the secretary of state,” he said. All that matters, he said, was that Grimes was satisfied. In fact, CyberScout’s contract is with SBE. (Clark defended the company’s work and maintained that Kentucky’s IT staff was “hostile” to being audited and dismissive of security concerns.)

County clerks also remain unclear as to what services CyberScout provided. As part of its contract, the company visited a handful of counties to offer guidance on shoring up their wireless connections and on the security of elections systems.

Hodge rejected criticism of the company’s county visits. For example, he asserted that the Crittenden County clerk was “overjoyed” at the company’s recommendations. In an interview, Carolyn Byford, the clerk in the county, said people from CyberScout followed her around during a special election held in September 2017 but issued no report or recommendations. “All it did was make me anxious that day,” she said. “Elections are tough enough as it is.”

In late December, more than six months after the contract expired, CyberScout published a 20-page public report summarizing its work in Kentucky. The report is missing elements generally seen in reports released by cybersecurity contractors. Most, for example, explain the methodology used for security tests. CyberScout did not do so.

The remainder of the report contained rehashed recommendations made to the SBE over the year the contract was active. Some were pasted verbatim from the notes section of a PowerPoint presentation given to the board months before. There were multiple typographical and grammatical errors and inconsistencies: On one page, CyberScout recommended that Kentucky join a multistate group on cybersecurity. On the next page it congratulated the state for having joined the group.

Hodge declined to answer questions about the report’s inconsistencies.

Herald-Leader reporter Bill Estep contributed to this story.


A High-Speed Internet Boondoggle is Now a Campaign Issue in Kentucky



Gov. Matt Bevin is pictured in 2015. Photo: Jacob Ryan

Candidates for governor of both parties are using Kentucky’s long-delayed and over-budget statewide internet project to bash Gov. Matt Bevin, following a jointly published report by the Courier Journal and ProPublica.

KentuckyWired — a bipartisan plan pushed by former Democratic Gov. Steve Beshear and Republican Rep. Hal Rogers — promised to bring improved broadband internet connectivity to the state’s farthest corners. But it is years behind schedule and more than $100 million over budget.

Bevin’s Democratic opponents in the governor’s race laid blame with the current administration.

“The governor has damaged the project with his lack of commitment to keep it on schedule,” House Minority Leader Rocky Adkins, D-Sandy Hook, said in an emailed statement. “In fact, it will cost the state more to get out of the contract than if we continue. In order to go the last mile and complete this project, we need to look at successful models in other states and bring new partners to the table.”

Representatives for Bevin and his technology chief, Chuck Grindle, did not respond to multiple requests for comment on the report, which highlighted dissent in the Republican administration’s approach to salvaging the troubled KentuckyWired project.

Democratic candidate and former state Auditor Adam Edelen, who has made improved broadband connectivity part of his platform in the governor’s race, said in an emailed statement that Bevin “doesn’t care” enough to fix the project.

“As governor, I will prioritize building a real system to provide broadband to the hundreds of thousands of Kentuckians who still lack access, whether in the hills of eastern Kentucky or Southern and Western Jefferson County,” Edelen said. “It must be done through partnership between the public and private sector, but that doesn’t mean pushing a half-baked plan that leaves taxpayers holding the bag.”

The campaign manager for Attorney General Andy Beshear, the son of the former governor, called for “working together across party lines.”

“As governor, Andy’s first step will be evaluating the KentuckyWired program in a nonpartisan way focused on both its costs and potential benefits for our families,” campaign manager Eric Hyers said in an emailed statement. “From there, he can keep what’s working and change what isn’t.”

A spokeswoman for Rogers, however, issued an emailed statement last week defending Bevin’s stewardship.

“With any public-private project of this magnitude, delays and challenges are to be expected,” the statement said. “Since Gov. Bevin inherited this project, he has worked diligently to comb through the unexpected problems and carefully balanced rising expenses with future benefits.”

Wednesday’s Courier Journal-ProPublica report underscored warnings that Beshear administration officials received about likely roadblocks.

Despite these, KentuckyWired moved ahead with what experts have said is an unrealistic three-year construction schedule for the project that saw the state accept most of the risk for the public-private partnership.

In his statement, Rogers described KentuckyWired as the “only path” to affordable, high-speed internet for his constituents in eastern Kentucky.

But state Rep. Robert Goforth, R-East Bernstadt, a challenger to Bevin for the Republican Party’s nomination for governor, disagreed.

In an interview with the Courier Journal, Goforth said Bevin should have killed the project years ago. He said Bevin has much to learn from a broadband project in Jackson County, which Goforth represents.

The Kentucky-based nonprofit Peoples Rural Telephone Cooperative used federal stimulus money to bring high-speed fiber-optic lines within reach of every home and business in Jackson and Owsley counties, the Courier Journal and ProPublica reported.

“If Jackson County can do it, the rest of Kentucky should be able to follow their example and be able to duplicate what they have done to be able to provide the fastest internet service to one of the most rural communities in Kentucky,” Goforth said. “We can do this.”

State Rep. Lynn Bechler, R-Marion, described as “marvelous” the job Peoples Rural and other similar cooperatives and rural providers have done.

He said he wished the Peoples Rural model could be followed in his area of western Kentucky, where residents such as Christy Hardison say they pay upward of $120 a month for unreliable satellite internet service, the only available option.

Bechler, co-chairman of the Program Review and Investigations Committee, which is investigating KentuckyWired, reiterated his call for a halt to the project.

To solve the problem of poor rural broadband access, Bechler proposed the creation of a state incentive program to encourage more projects like the one in Jackson County.

Keith Gabbard, head of Peoples Rural, told the Courier Journal that a state-level program, similar to Tennessee’s new Broadband Accessibility Grants, would encourage rural providers like his to expand service.

“The state doesn’t have to build their own network that way,” Gabbard said. “People that have already been doing that work can do a little more of it and would have an incentive to expand into areas that, it appears, the bigger companies are not going to build fiber to.”

Meanwhile, a longtime KentuckyWired skeptic, state Sen. Chris McDaniel, R-Taylor Mill, said he’s still waiting for the first section of the state-owned network to operate.

The project’s overseers said in December that the first loop, an area that includes Frankfort, Lexington, Louisville and northern Kentucky, was nearly ready to be turned on.

Phillip Brown, then head of the state authority in charge of KentuckyWired, promised “very good news” in the first quarter of 2019.

“I’m still waiting to see the press release on that happening,” McDaniel told the Courier Journal. “This thing is a mess and it’s going to continue to be a mess. I don’t know where it ends.”

This article was produced in partnership with the Louisville Courier Journal, which is a member of the ProPublica Local Reporting Network. It was originally published by ProPublica.

This story is part of an ongoing investigation into what went wrong with KentuckyWired.

Reach reporter Alfred Miller at 502-582-7142.



DOJ Files Suit Against W.Va. Governor’s Family Companies Over Mine Violation Debts



West Virginia Governor Jim Justice at a bill signing ceremony in 2019. Photo: Jesse Wright/West Virginia Public Broadcasting

This article was originally published by the Ohio Valley ReSource.

The U.S. Department of Justice has filed a civil lawsuit against 23 coal companies owned by the family of West Virginia Gov. Jim Justice, seeking more than $4.7 million in unpaid fines and fees for mine safety and health violations.

The delinquent fines were brought to light by investigations by NPR and the Ohio Valley ReSource as the Justice companies’ overdue debts ballooned from just under $2 million in 2014 to more than $4 million in 2018.

The lawsuit was announced Tuesday by U.S. Attorney Thomas Cullen of the Western District of Virginia and David Zatezalo, the head of the Mine Safety and Health Administration, or MSHA.

In a news release, the DOJ said the 23 companies named in the lawsuit incurred nearly 2,300 mine safety and health violations over the last five years. According to a 2019 financial disclosure filed with the West Virginia Ethics Commission, all 23 companies are owned by the Justice family.

The civil complaint says the companies failed to pay nearly $4 million in penalties associated with those violations.

The DOJ said the Justice-owned companies ignored multiple demands by MSHA, the Department of Treasury, and the U.S. Attorney’s Office to pay the delinquent debts.

“As alleged in the complaint, the defendants racked up over 2,000 safety violations over a five-year period and have, to date, refused to comply with their legal obligations to pay the resulting financial penalties,” Cullen stated in the news release. “This is unacceptable, and, as indicated by this suit, we will hold them accountable.”  

“MSHA stands with the Department of Justice in seeking to hold mine operators responsible for the penalties they owe,” Zatezalo said in the same release. “Failure to pay penalties is unfair to miners who deserve safe workplaces, and to mine operators who play by the rules.”

Representatives for the Justice companies and the governor’s office did not immediately respond to a request for comment.

ReSource Investigation

Last month, an Ohio Valley ReSource analysis of federal mine safety data found that the Justice family companies owed $4.3 million in delinquent debt for mine safety violations. That meant the Justice companies had by far the highest delinquent mine safety debt in the U.S. mining industry. And it was also far more than the companies owed when Justice ran for governor in 2016, when he pledged to make good on such debts.

In 2016, an investigation by NPR, the ReSource and partner station West Virginia Public Broadcasting found that Justice’s mines owed $2.6 million in overdue mine safety fines, as well as millions more in unpaid tax debt.

Then-candidate Justice said those debts would be paid.

“When it all really boils right down to it we’re taking care of them,” Justice said at a rally announcing his gubernatorial bid. “We’ll absolutely y’know, take, make sure that every one of them is taken care of.”

This story was updated on May 8 at 4:30 p.m. to include additional information.



Kentucky Aluminum Plant Investor Is Russian Company Formerly Under US Sanctions



Craig Bouchard speaks at a Braidy Industries launch event as KY Gov. Matt Bevin (right) looks on.

This article was originally published by the Ohio Valley ReSource.

Russian aluminum company Rusal announced Monday it plans to invest in a new Kentucky aluminum mill to be built near Ashland in eastern Kentucky. The $200 million investment in Braidy Industries is Rusal’s first U.S. project since the Trump administration lifted U.S. sanctions placed against the company.

Rusal had been sanctioned by the U.S. government because its major controller, Russian oligarch Oleg Deripaska, who has close ties to Russian President Vladimir Putin, faces accusations of “a range of malign activity around the globe” by Russia, according to the U.S. Treasury Department. Those actions include interference in the 2016 U.S. presidential election and meddling in neighboring Ukraine.

Deripaska also has close business ties to former Trump campaign chair Paul Manafort, who has been convicted of tax evasion and money laundering. Deripaska is suing the U.S. to have sanctions against him removed.

The Trump administration released Rusal from sanctions in January after the company reduced the ownership stake held by Deripaska. Congressional Democrats attempted to block the White House decision and passed legislation in the House that would keep sanctions in place. However, the bill fell short in the Republican-controlled Senate, where Majority Leader Mitch McConnell of Kentucky accused Democrats of trying to “politicize” the sanctions.

Braidy Bunch

According to a press release, Rusal will earn a 40 percent share in the factory’s profits, and Braidy will keep the remaining 60 percent. The plant has also received $15 million in direct investment from the state of Kentucky. Gov. Matt Bevin cut a deal to attract Braidy to the state with that public money and additional tax incentives totaling more than $10 million.

As part of his reelection bid, Bevin has pointed to the Braidy development as evidence of job creation in an economically struggling part of the state.

“This is a seed that has been in the ground, the germination so often seems invisible to people,” Bevin said at an event over the weekend in Martin County, Kentucky. “But good things have been happening.”

The project is expected to cost more than $1 billion and employ over 500 people.

The Ashland project will produce rolled aluminum for the American auto and aircraft markets, and is the type of project President Donald Trump hoped to support with his tariffs on aluminum imports.

Braidy Industries CEO Craig T. Bouchard discussed the partnership at the New York Stock Exchange Monday morning.

“We’re really lucky and honored to have them as our partner in Kentucky,” Bouchard said of Rusal, adding that his company had chosen to partner with Rusal for its record of environmentalism.

“We are going to lead the world in highest quality, lowest cost, and the least use of carbon from start to finish in the manufacturing process, and we’re changing the world,” he said.

The Ashland aluminum mill would be the first such plant to be built in the U.S. in 37 years, according to industry sources. Final agreements among the partners are expected to be signed later this year.



100 Days