Inside The Race To Hack-proof The Democratic Party
Source: Politico, Eric Geller
Photo: The party faces an enormous challenge in recovering from the damage inflicted by the hacking of DNC emails, strategy documents and other internal records in 2016. (Saul Loeb/AFP/Getty Images)
The DNC’s chief technology officer has led a massive cybersecurity overhaul at the committee and its sister organizations.
The Democratic National Committee has spent 14 months staffing up with tech talent from Silicon Valley, training staff to spot suspicious emails and giving the FBI someone to talk to if it spots signs of hackers targeting the party.
The first concrete sign of success may come in a few weeks, if the Democrats make it through the November midterm elections unscathed. But Raffi Krikorian, the DNC’s chief technology officer, is already pointing to one significant accomplishment — what he calls a massive overhaul of digital security at the committee and its sister organizations.
That would be a big leap from September 2015, when the FBI’s first attempt to alert the party to a suspected Russian cyberattack reached a DNC IT contractor who thought it was a prank. Such a major flub would not happen now, said Krikorian, whose résumé includes senior roles at Uber and Twitter.
“It would be surprising if a week went by and I didn’t hear from one of the three-letter agencies in my inbox,” Krikorian told POLITICO during an interview at the committee’s headquarters. Representatives of the bureau and other federal agencies have “been in our building to ask how they can help or what information we might be able to coordinate on in the future.”
Krikorian and his team have been trying to instill that same mindset throughout the party, including among Democratic campaigns and state parties. The party’s entire apparatus is “aware that security’s something they should be concerned about,” he said. “We’re actually moving up this curve at a fairly good clip.”
Still, the party faces an enormous challenge in recovering from the damage inflicted by the hacking of DNC emails, strategy documents and other internal records in 2016, which U.S. intelligence agencies have said was part of a Moscow-backed effort to help President Donald Trump win the White House. Officials including Director of National Intelligence Dan Coats have warned that this year’s midterm elections remain a potential Russian target, and some Democratic senators have reported malicious email attacks on their offices this year — both indications that the threat from foreign and domestic hackers has far from vanished.
The new focus on security has led to some high-profile misfires, too, including an August mishap in which the DNC said it had thwarted an attempt to hack into its massive voter database — which it called “further proof that there are constant threats as we head into midterm elections.” Hours later, the party announced that the hack was just a security test by a state party.
DNC chief security officer Bob Lord told POLITICO at the time that the real takeaway from the flub was how quickly the massive organization recognized its mistake. “I don’t know that that would have happened two or three years ago,” he said.
Lord, a former Yahoo and Twitter security executive, was one of Krikorian’s most significant hires. He worked closely with the FBI when it investigated two massive data breaches at Yahoo, and he is now one of the DNC’s key ambassadors to the bureau.
But better communication and organizational changes will go only so far in helping the DNC defend itself and help the myriad campaigns and Democratic Party organizations that rely on its leadership. Weaknesses in those other organizations — outside Krikorian’s control — can also threaten the DNC. That happened in 2016, when suspected Russian hackers broke into the DNC’s network using credentials stolen from the Democratic Congressional Campaign Committee.
Joseph Lorenzo Hall, chief technologist at the Center for Democracy and Technology, said he still has questions about how the DNC would deal with far-flung threats to Democratic candidates. One example would be a barrage of crippling internet traffic attacks that shut down a candidate’s fundraising site at a key moment.
“I would love to hear how confident they are that they can deal with particular threats and techniques,” Hall said. “What if they get hit by a ransomware attack locking up some or all of their devices on a specific campaign?”
Krikorian says he is doing everything he can to prepare the organization for unexpected cyberattacks, as well as the more common threats that have already hurt the organization.
In a small conference room overlooking Capitol Hill, Krikorian explained how the 2016 election prompted a sea change at the committee. Since he arrived, his team of 35 people has launched regular meetings — initially monthly and now every two weeks — with their counterparts at the other party committees like the DCCC. The DNC also created an email list, staffed by three people on call around the clock, where campaigns can report cyber incidents. (The email list receives multiple reports every day, Krikorian said.)
Krikorian’s team regularly discusses emerging threats with experts at Microsoft, Facebook, Google and other tech firms. They chat via the encrypted messaging apps Signal and Wickr with cyber experts from the DNC’s sister committees and third-party vendors, discussing suspicious incidents and other information.
The DNC also works with Facebook and Twitter to ensure the committee learns when candidates contact social media firms about possible account takeovers. “Not because we can necessarily do anything about it,” Krikorian said, “but just to help us get a bigger view of what’s going on nationwide.”
When DNC Chairman Tom Perez was campaigning for his current role, he told POLITICO that one of his first priorities would be to hire an in-house cybersecurity officer who would work “with all of our state partners,” explaining that while he was “confident we can fortify the front door and prevent breaches,” it was also “critically important all the windows are closed as well.”
The current arrangement is still imperfect, but it’s a far cry from how things were when Krikorian arrived in late July 2017, according to a Democratic source familiar with the security situation at the time. The relationships between the committees were informal then, said this person, who requested anonymity to speak candidly. “It was just based on friendships and who’s been here for a really long time,” the person said, and the committee had no formal plan for reporting cyber incidents.
The experience surprised Krikorian, who was used to Silicon Valley’s more rigorous planning. His goal in formalizing these processes at the DNC was not just to prepare it for imminent attacks, he said, but to ensure that his successor inherited a more orderly structure.
Krikorian’s hiring process also reflects a strong tech industry influence: One-third of his employees hail from Silicon Valley, a DNC spokesman said.
As he formed new partnerships and formalized existing ones, Krikorian recognized that the DNC’s tech team couldn’t be everywhere. Instead, he focused on pushing the DNC’s security guidance out through as many channels as possible. “We want to lead by example,” he said. Today, the DNC hosts webinars — designed for state parties but also open to campaigns — where staffers run through how to train workers and close security gaps.
Krikorian’s team is also discussing setting up a broader chat room in the lead-up to Election Day, with party committee staffers and possibly representatives from the DNC’s vendors and major tech partners.
Other new steps include cybersecurity training sessions at every meeting of the DNC or the Association of State Democratic Committees, some of which are mandatory, and biweekly meetings where Krikorian and Lord compare notes with their counterparts at the House, Senate, gubernatorial, state attorneys general and state legislative campaign committees.
Each of the committees has designated a lead cybersecurity employee, and “in almost every single case” — except for the smaller committees — cybersecurity is that person’s only job, Krikorian said.
The DNC is famous at this point for regularly peppering its workers with simulated “spearphishing” attacks — spoofed emails that try to entice people into clicking on malicious links. Now some state parties have asked the DNC if they can add their staffers to the list of simulated targets.
In other cases, the DNC tech team will try to “augment” state parties’ IT resources, including when responding to cyber incidents. “We’re … very mindful that a lot of state parties don’t have the resources that the national party might have,” Krikorian said, “because the technology team at the DNC is a fairly large group.”
Meanwhile, campaigns present their own challenges. Krikorian told POLITICO that on smaller campaigns with tiny or nonexistent tech teams, staffers sometimes aren’t sure how to “take awareness and turn it into action.” So when it comes to the basics of cyber hygiene, the DNC has been “trying to simplify this as far as we can, literally just making it a five-step checklist that gets through all the low-hanging fruit,” like enabling so-called two-factor authentication that requires a step beyond passwords to protect work and personal accounts.
Hall, the CDT expert, said that based on what Krikorian told POLITICO, “in terms of information sharing and operational awareness, they have a good structure for learning, response and preparation.”
Ben Buchanan, a Georgetown University professor who has studied election security, said, “The devil is in the details, but it seems like the DNC is doing what it needs to do to operate in such a high-threat environment.”
Still, Krikorian acknowledged room for improvement, such as a lack of knowledge about how effectively campaigns are using DNC security guidance. That void is “one of the things that keeps me up at night,” he said, though he cited “anecdotal evidence that it’s being well-received.”
Krikorian also wants to standardize technology and training across all the Democratic committees, each of which buys its own products and designs its own training programs. And he thinks the federal government needs to expand funding for the FBI, Department of Homeland Security and other agencies to help protect and inform state and local officials, state parties and campaign committees.
It was “crazy,” he said, to think the DNC could defend itself from nation-state hackers.
“We’re in a completely disadvantaged state, which is why the government should be stepping in,” he said. He added: “I’m worried about these … small state legislature races, where an entire campaign’s 1½ people. What are they supposed to do?”
Still, he said he is confident that the DNC’s partners hear its cybersecurity warnings loud and clear.
“These organizations don’t report to me. So, all I can do is lay guidance down and try to infer what’s going on,” he said. “But of course, at the same time … if any one of us has an issue, it reflects badly on all of us.”
https://www.politico.com/story/2018/10/17/democrats-hacking-cybersecurity-dnc