The D.N.C. Didn’t Get Hacked in 2020. Here’s Why.

As the country learns more about a broad Russian hijacking of American federal agencies and private companies and now another Russian hack, which was revealed on Thursday, it can look to the Democratic National Committee for a more positive development in the effort to prevent cyberattacks: Unlike four years ago, the committee did not get hacked in 2020.

It’s worth remembering the D.N.C.’s outsized role in Russia’s interference in the 2016 election, when a spearphishing email roiled the Democratic Party in the final months of the campaign.

That March, Russian hackers broke into the personal email account of John Podesta, Hillary Clinton’s campaign chairman, unlocking a decade’s worth of emails, before dribbling them out to the public with glee. The D.N.C. chairwoman, Representative Debbie Wasserman Schultz of Florida, resigned after emails appeared to show her favoring Mrs. Clinton over Senator Bernie Sanders of Vermont.

A simultaneous Russian hack of the D.N.C.’s sister organization, the Democratic Congressional Campaign Committee, tainted congressional candidates with accusations of scandal in a dozen other races.

By the time Donald J. Trump was in the White House in January 2017, “The D.N.C.’s house was ablaze,” Sam Cornale, the committee’s executive director, said in an interview this week.

That month, Bob Lord, an unassuming, bespectacled chief security officer at Yahoo, was still mopping up the largest Russian hacks in history: a 2013 breach of more than three billion Yahoo accounts and a second breach in 2014 of 500 million Yahoo accounts. Mr. Lord, who discovered the breaches when he took over the job, helped the Federal Bureau of Investigation identify the assailants. A courtroom sketch of Karim Baratov, one of the hackers in the Yahoo case, still hangs on his wall.

Mr. Lord left the team Yahoo affectionately calls “The Paranoids,” took a six-figure pay cut and headed to Washington in January 2017 to become the D.N.C.’s first chief information security officer.

The way he saw it, the D.N.C.’s 2016 breach wasn’t so much a cybersecurity issue as it was a problem of workflow and corporate culture.

Mr. Podesta’s aide, for instance, had asked a staff member to vet whether the infamous Russian spearphishing email was safe, and the aide responded that the email was “legitimate.” It was a typo; he later said he had meant to write “illegitimate.” By the time anyone realized what was happening, Mr. Podesta’s risotto recipes, and excerpts from Mrs. Clinton’s Wall Street speeches, were being dissected online by the news media and conspiracy theorists.

“After that, few would even pick up a flier, let alone a hose to help in 2017,” Mr. Cornale said. “Bob showed up with five fire trucks while putting on his suspenders, and ran in to the house.”

Mr. Lord told his staff on Friday that he was leaving, clearing the way for the D.N.C. to get a replacement to get ahead of whatever adversaries may have planned for the midterms.

Over the past four years, Mr. Lord has been a persistent and pervasive presence, speaking at every all-hands meeting, reminding employees that staving off the next cyber threat would come down to individual accountability: not reusing passwords, turning on two-factor authentication, running software updates. He urged them to use Signal, an encrypted messaging app, to lock down their Venmo accounts; he also advised them to avoid clicking on suspicious links.

A “Bobmoji” — a digital caricature of Mr. Lord — hangs above the men’s urinal and adorns the walls of the women’s restroom, reminding staff members of the checklist.

Mr. Lord has had significantly smaller security budgets than he did at Yahoo, or that of any government agency and technology companies that Russia breached over the past year. And so he became something of a digital Marie Kondo — the Japanese tidying expert — decluttering the D.N.C.’s networks, excising old software and canceling extraneous vendor contracts, then took those extra discretionary funds and put them towards cybersecurity.

But he knew cybersecurity technologies can go only so far. “If adding security technologies could fix our cybersecurity problems, we would have fixed things 25 years ago,” he said in an interview.

His real legacy, D.N.C. staff members said, is that he single-handedly changed a culture.

“To survive in Bob’s role, you have to drive people a little crazy,” Nellwyn Thomas, chief technology officer at the D.N.C., said.

When the committee sent out an innocuous email asking staff members to enter their T-shirt size and address for some free swag, not a single employee complied, employees said.

Mr. Lord had proudly turned them paranoid.
