Written by Sean Lyngaas
The Democratic National Committee is striving to “make it more expensive for attackers to do their work” as it prepares for a 2020 election, Bob Lord, the committee’s chief security officer, told CyberScoop.
It is a simple but proven principle of cybersecurity: Make it harder for hackers to succeed by implementing time-tested basics like two-factor authentication. The question for the DNC is: How do you aggressively broaden adoption of such practices for campaigns and state parties scattered across the country, many which have very limited budgets?
That far-flung apparatus is not the chain of command that Lord was used to when he was a cybersecurity executive at companies like Yahoo and Rapid7.
“Because we’re a decentralized ecosystem, it presents a number of interesting challenges,” he said in an interview. “I don’t have the ability to order people to do things. Nor can I practically manage all of their systems. But what I can do is try to be a voice that they might not have heard before.”
That means using his private-sector contacts to connect party officials with tech experts to offer frontline experiences about defending their networks. For example, to prepare for the 2018 midterm elections, the DNC hosted executives from social media companies to share security best practices and discuss the threat of influence operations on their platforms.
The DNC hired Lord to overhaul its security after Russian intelligence officers breached the committee’s networks to devastating effect in 2016. Since then, Lord and others have clamped down on shoddy security practices among Democrats, studied attacks seen in the wild and issued a “checklist” of measures that officials can do to better defend themselves. U.S. officials say foreign adversaries are probably already planning to intervene in the 2020 presidential elections.
Lord compared himself to a personal trainer trying to ween pupils off of bad health habits.
“What we started to do was build a feedback loop so we could spot these patterns” in security incidents seen in various industries — and learn from them, Lord said.
Although nation-state hackers were still probing the networks of candidates ahead of the vote, the midterms passed without a big breach of Democratic data. Lord is trying to build on that momentum to ingrain strong security practices in more field operatives and state officials ahead of 2020. “What we’re really trying to do now is supersize the playbook to reach the most number of people,” he said.
Like tens of thousands of other cybersecurity professionals, Lord traveled to the RSA Conference in San Francisco this week. A key message he planned to deliver was that tech giants like Apple, Google, and Microsoft, should consider enabling some form of automatic software updates for users of their products.
The DNC security chief credited those companies for making “huge strides” in their patching practices, but said there is still more to do. Now is the time to tackle the “last mile” of that challenge by taking humans out of the equation with automatic updates, Lord added.