Inside Democrats' efforts to fight election security threats

Four years after playing an embarrassing starring role in the hack-plagued 2016 presidential election, the Democratic National Committee is staring down its highest-stakes test yet — cyberattacks or disinformation campaigns on Election Day.

“I think we’re going to be ready,” said Bob Lord, the party’s chief security officer, in a recent interview. “We have the right plan and the right people.”

Lord joined the DNC in January 2018 from Yahoo, where he helped executives recover from two of the world’s largest data breaches. He has spent the past two years rebuilding the DNC’s digital defenses, training its staff to spot cyber threats and offering security guidance to the DNC’s many partners. His efforts paid off during the 2018 midterms, which featured no repeat of the Russian government’s major intrusions two years earlier.

Still, Lord and his team face significant challenges. “Given how impermanent campaigns and party committees are, creating an effective long-lasting institutional cyber regime was always going to be a very tough assignment,” said Simon Rosenberg, who was a senior strategist focused on disinformation and election security at the Democratic Congressional Campaign Committee from 2017-2018.

“Most people working at the DNC won’t be there in a few months, and campaigns disappear after two years,” said Rosenberg, the founder and president of NDN, a center-left think tank. “So what Bob has been trying to do, while so incredibly important, is also incredibly hard as it goes against the grain of the fly-by-night culture of modern American politics.”

While this year has seen state government intrusions by the Russians and an Iranian voter-intimidation campaign, election-specific hacks have not been widespread. But Election Day marks a fraught moment for the DNC. Any breach could disrupt the contentious presidential election or close races in the U.S. Senate and state legislatures.

Lord said the DNC has put in tremendous effort to prepare for such events. Now it’s just a matter of seeing if it’s enough.

Getting people to think of security first

The DNC has worked to make sure its employees are following security guidelines, built its technology platforms with cybersecurity in mind and put security concerns at the center of its decision-making processes. Lord and his colleagues regularly conduct simulated phishing campaigns to test employees’ vigilance. Other improvements required years of unsexy bureaucratic work, according to Lord, including modernizing technology to reduce the “attack surface” — the range of targets available to hackers.

“It’s kind of that long slog to make sure that people, processes and technologies are aligned for good security practices,” Lord said.

For obvious reasons, the DNC is intensely secretive about the specific security upgrades it has made, and Lord declined to discuss such details.

Exhorting DNC employees to keep security top of mind hasn’t been easy, but Lord arrived with valuable experience, having previously overseen cybersecurity for both Yahoo and Twitter.

In both the private and public sectors, he said, people want to “build things quickly,” and it’s the security chief’s job to “make sure that somebody is curating and managing those systems for the long haul,” especially as they age and vulnerabilities appear.

Even so, it’s a battle that never ends, as Nellwyn Thomas, the DNC’s chief technology officer and Lord’s boss, recently acknowledged.

“We can never fully prevent any sort of intrusion or attack,” Thomas said at an Institute for Security and Technology event in early October. “All we can do is constantly reduce our surface area for attacks and constantly improve our ability to monitor and detect intrusions.”

Getting buy-in from those outside DNC control

The DNC may be the operational hub of the Democratic Party, but when it comes to the party’s digital vulnerabilities, the DNC is only one cog in the system. A sprawling network of sister committees, campaigns, state parties, consultants, strategists and contractors presents an almost unimaginably vast range of targets — and Lord doesn’t control how any of those organizations protect themselves.

In this sense, the DNC is vastly different from the Silicon Valley companies that Lord used to protect. A security breach at Twitter could spread to Yahoo if the hackers exploited informal ties between the two companies’ employees, but there is no real parallel in the tech industry to a political party’s many disparate limbs.

The fact that state parties and sister committees are entirely separate organizations helps them act nimbly, Lord said, but “you’ll immediately recognize the challenges that that presents for cybersecurity.”

When Lord took the job, DNC Chair Tom Perez warned him that he would face this problem. “I don’t think I understood the significance of what he was asking me to do until I joined and then was sort of faced with this daunting task,” Lord said.

Over time, he’s found ways to coordinate. DNC security staffers now meet monthly with their counterparts from the Democrats’ House and Senate campaign committees and chat informally every week. “We stay in lockstep with them,” Lord said.

Lord’s team also works closely with the Biden campaign’s security and IT experts. “Luckily, we don’t have to triage all the things that they have,” he said.

The DNC has fewer direct interactions with state Democratic parties. In most cases, the DNC has simply provided security advice, but Lord said, without elaborating, that “in a few cases [we] have done some additional due diligence to cross some t’s and dot some i’s.”

Without the ability to control these organizations, the DNC’s security team adopted the same strategy that DHS’ Cybersecurity and Infrastructure Security Agency has used to improve the defenses of state and local election officials: providing a friendly center of expertise that others can go to for help. Over the past two years, the DNC has fed other Democratic organizations a steady stream of documents, newsletters, webinars and alerts.

The DNC also routinely asks its partners to report suspicious activity so the national committee can develop a better understanding of what threats are out there.

“Not only are we interested in what problems they’re having, but we may be able to spot a pattern. So, for example, if two or three state parties report the same one-off thing, it might actually be something that we need to take a look at more holistically,” Lord said.

Although he declined to share specific examples, Lord said that many Democratic organizations have reported useful information. “We have a good communications pathway.”

One of Lord’s best-known creations is a brief security checklist that the DNC has distributed to its partners. It describes a handful of basic protections — including two-factor authentication, which requires a temporary code in addition to a user’s password — that experts agree would prevent the vast majority of breaches.

“We’ve been able to move the needle in a bunch of those areas,” Lord said.

His team performs “occasional spot checks” of Democrats’ cybersecurity practices as well. As of early October, he said there had been “no major flags yet.”

Dependent on Silicon Valley, and frustrated by it

Like every organization fighting election security threats, the DNC depends on the big tech companies to prevent bad actors from abusing social media platforms. It hasn’t always been an easy relationship.

When it comes to analyzing and taking down disinformation or foreign influence campaigns, the DNC’s security team has “a good relationship” with its contacts at Facebook, Twitter and other social media companies, Lord said.

But they’ve had less luck getting the companies to make systemic changes to their content moderation rules.

On its website, the DNC grades major social media firms on their adherence to certain best practices and explains how they can do better. For example, the committee credits disappearing-messages platform Snap for creating a “political disinformation policy” and notes that Twitter and YouTube lack them. Facebook, it notes, “has not publicly established a policy restricting the distribution of hacked materials on its platform.”

“While we get along well with the folks in the field,” Lord said, “we still feel that the larger problems just haven’t been addressed.”

In July, the DNC privately assailed Facebook for not living up to the election integrity ideals that it promised to take seriously after Russia exploited its site in 2016. “Facebook failed to keep its promises,” the committee said in a memo obtained by The Washington Post, arguing that the company let President Donald Trump routinely violate its election disinformation rules and failed to fix algorithms that incentivized hateful messages.

Lord’s concerns extend beyond social media content moderation. Years of encouraging Democrats to activate basic security features have shown him how difficult the tech industry makes it to be a responsible user.

Tech companies don’t have any agreed-upon standard for how security features work on their platforms. That means users have to go through completely different steps on each site to activate the features.

During a talk at one tech company, Lord told employees, “Your goal shouldn’t be to make two-factor easier for your users. It should be to make two-factor easier for your competitors’ users.”

Recalling that talk, he lamented, “That’s not the way that the tech companies think about this stuff.”