Project Broken Mirror — What It Is, Why It Exists, and What We’re Doing

First, the backstory…

I was in a bad mood before it even started.

A get-together with a handful of information security veterans. People I respect. People who’ve been in this industry for decades. And within the first ten minutes, we were doing one of the things I hate most about this industry — posturing. Trading stories about how important we are. Who we’ve advised. What we’ve built. Who knows us.

I sat there getting progressively more annoyed, because this kind of thing does real damage. It’s intimidating to people who are new. It reinforces the idea that security is a club for people with impressive résumés. And it accomplishes exactly nothing for the people we’re supposed to be protecting.

Then someone at the table said they had “consulted the past three presidential administrations on how to protect critical infrastructure.”

The table responded the way they were supposed to. Impressed looks. Nods.

I couldn’t do it.

I said: “That’s awesome! Has the security of critical infrastructure actually gotten any better since you started consulting presidents?”

Silence. Awkward looks. The kind that say you just broke the rules.

Here’s the thing — I wasn’t trying to embarrass anyone. I was genuinely pissed. Because that’s a massive opportunity. Three administrations. Real access. Real influence. And the security of critical infrastructure in this country has not meaningfully improved. That’s not an opinion. That’s a result.

Ego got in the way of an opportunity to actually help people. That bothers me. A lot.

What Would You Do?

Someone at the table finally asked me directly: “Okay, what would you do?”

Fair.

Here’s what I know. Fixing this isn’t primarily a technology problem. It’s a people problem. A visibility problem. The manager of a water treatment facility is focused on water treatment — as they should be. They’re not going to implement an enterprise information security framework. That’s not a personal failure on their part. That’s just reality. Handing them the NIST CSF and walking away isn’t help. It’s abdication.

So what’s the highest-impact thing we could actually ask people to do?

Find every system accessible from the internet that has no authentication or only a single password protecting it. Then lock them down.

Take them off the internet. Shut them down. Add multi-factor authentication. Pick one.

That’s it. Not a framework. Not a 200-page document. One ask.

The problem is you can’t fix what you don’t see. And right now, most people responsible for these systems don’t see them. They don’t know what’s exposed. They don’t have the tools, the time, or the support to find out.

Our adversaries do. State-sponsored hackers, criminal organizations, opportunistic attackers — they’ve already mapped what we look like. They know which systems are reachable. They know which ones have nothing protecting them.

We don’t.

That asymmetry — they can see us, we can’t see ourselves — is dangerous and unnecessary. Because all of that information is already publicly visible. They’re not doing anything magical. They’re just looking. And we’re not.

Project Broken Mirror

Thus, Project Broken Mirror (or “PBM” for short) was born.

PBM is a free, open-source platform where volunteers run a client that performs active but fully lawful scans of publicly facing systems across the United States. No hacking. No bypassing controls. No disruption to any services. We collect what’s already visible — the same information anyone determined enough already has — and we aggregate it into something useful.

The results go on a color-coded map. Risk scores for federal agencies, states, counties, cities, school districts, special districts. Plain language. No technical expertise required to read it.

Something happened in testing that I didn’t fully anticipate. People look at the map, find their city or county, and immediately ask: “Why is my county red?”

That question — simple, curious, completely non-technical — is the start of a conversation that hasn’t been happening at scale before. A mayor asking their IT person why they scored worse than the county next door. A school board member suddenly interested in something they’d never thought about. A citizen asking their representative what’s actually being done.

That conversation is the whole point.

What PBM is NOT

I want to be direct about what PBM is not.

It’s not a shaming exercise. Most of the people running these systems are doing their best with limited resources, minimal support, and nobody from the security industry bothering to show up and actually help them. They deserve allies, not critics.

It’s not designed to cause alarm. Informed communities make better decisions than frightened ones. The goal is always to help.

When an entity shows up on our map, we want to be the team that helps them improve — not the team that exposed them. Macro-level scores are public. Detailed findings go only to authorized representatives of that entity. We’re not blasting anyone’s dirty laundry. We’re handing them a flashlight.

Where We’re At

Seth Bowling and I have been building this. Just the two of us. Two information security veterans who got tired of watching this industry be impressive instead of effective.

The pilot is almost ready. We’re inviting a small group of people to put it through its paces before we go public. The goal is a broader public launch this fall.

We need people. Not just security professionals — though I absolutely want those. We need educators, civic-minded citizens, public officials, people who run small businesses, parents who give a damn about the systems their communities depend on. Anyone who has ever looked at the state of critical infrastructure in this country and thought someone should do something about this.

Someone is.

If any part of this resonates — reach out. Email us at admin@projectbrokenmirror.org. We’d love to have you.

The simplest answer to “why does this exist” is also the truest one: we must do everything we can to protect the people we serve.

That’s it. That’s the whole thing.

MUCH more to follow…
