Bringing cybersecurity to the DNC

Bringing cybersecurity to the DNC
© Josie Lepe

When Raffi Krikorian joined the Democratic National Committee (DNC) as chief technology officer, the party was still reeling from its devastating loss in 2016 — and the stunning cyberattacks that resulted in high-level officials’ emails being embarrassingly leaked online.

Tom PerezThomas Edward PerezClinton’s top five vice presidential picks Government social programs: Triumph of hope over evidence Labor’s 'wasteful spending and mismanagement” at Workers’ Comp MORE, the party’s chairman, brought Krikorian on to overhaul the DNC’s technology tools and cybersecurity efforts. His resume is starkly different than the average political hire, including high-level tech positions at Uber and Twitter.

ADVERTISEMENT

In his first year at the DNC, Krikorian has brought his Silicon Valley skills to bear in the political world, laser-focused on beefing up the security know-how of the party’s staff. 

“A lot of what we are trying to do is institute a culture change,” Krikorian told The Hill in a recent interview. “How do you get people to report things, how do you get people to be questioning.”

The move to politics from an engineering role at Uber’s self-driving car arm was something Krikorian had been mulling for a while. He says he was approached about leadership positions at the U.S. Digital Service during the Obama administration and on former Democratic presidential nominee Hillary ClintonHillary Diane Rodham ClintonForget the spin: Five unrefuted Mueller Report revelations Former senators launching effort to help Dems win rural votes Biden's announcement was a general election message, says political analyst MORE’s campaign tech team.

But he said the trigger was the 2016 election.

“When the election was over, I was just like, crap,” Krikorian said. “Maybe I could have been part of it earlier, I don’t know.”

Weeks before President TrumpDonald John TrumpForget the spin: Five unrefuted Mueller Report revelations Lara Trump: Merkel admitting migrants 'one of the worst things that ever happened to Germany' Financial satisfaction hits record high: survey MORE’s inauguration, the U.S. intelligence community linked the hack of the DNC to a much broader effort by Russia to interfere in the presidential election using cyberattacks and disinformation. The aim, they said, was sowing discord, damaging Clinton and helping Trump win.

The ensuing federal investigation into Russia’s election meddling has captivated the media and officials in Washington. 

On Friday, special counsel Robert MuellerRobert (Bob) Swan MuellerSasse: US should applaud choice of Mueller to lead Russia probe MORE indicted 12 Russian intelligence officers in the hacking of the DNC and state election systems.

At the DNC, the cyberattack served as a wake-up call.

“If you’ve been here for a while, you probably still have PTSD from 2016,” Krikorian said. “But anyone who has joined the DNC [since], you come in eyes wide open that this is an organization that was hacked in the past. You are pretty open and pretty mindful of the fact that when the security team comes to talk to you about it, you listen.”

Cybersecurity is just one facet of Krikorian’s job. He runs a team of 35 staffers, split between smaller subsets handling engineering, data and information technology.

He says the security aspect is the biggest challenge and the one that keeps him up at night.

“Our adversaries are continually upping their game,” Krikorian said.

When he started last summer, Krikorian immediately implemented simulated “phishing drills” to put employees on notice for potential malicious emails, like the one the Russians used to gain access to the personal emails of former Clinton campaign chairman John Podesta.

He instructed all employees to begin using Signal, a secure messaging app, instead of text messages, and requires staff to use two-factor authentication to log into DNC systems.

Now, with the 2018 midterm elections around the corner, Krikorian and his team are focused on gaining greater visibility of the networks used by the DNC and state parties to analyze potential malicious traffic. He is also interested in figuring out what the tech team can do to better understand or counter disinformation campaigns — particularly any that could somehow trick employees into giving malicious actors access to their systems.

The Democratic Party has also been sending recommendations to state parties on specific security tools and steps to help them stay safe from potential hacks. 

But Krikorian acknowledged that he is restricted in what he can do to implement security controls at the state level.

The smaller parties and campaigns, which have far fewer resources, could be the most vulnerable. CyberScoop reported this month that hackers had launched distributed denial-of-service (DDoS) attacks against websites run by two municipal-level Democratic campaigns this year.

Krikorian said the national party is hamstrung to gain more information about alleged attacks because of a lack of visibility.

“We might get a report in the field saying, we feel like we may be under some kind of DDoS attack or something like that,” Krikorian said. “When we show up, we may or may not see any evidence of it, which is not a useful thing.”

“We have no direct control over campaigns or state parties,” he added.

A graduate of MIT, Krikorian rose through the ranks at Twitter to run a 500-person engineering team.

In 2014, he joined Uber’s Advanced Technologies Center, helping to shepherd the ride-hailing company’s self-driving car apparatus.

Krikorian and his team launched a fleet of self-driving Uber cars in Pittsburgh in 2016. The project, however, has encountered major hurdles since his departure after a self-driving vehicle operated by the company hit and killed an Arizona woman in March.

Krikorian says he left Uber last year over mounting clashes with then-CEO Travis Kalanick — a controversial figure who ultimately resigned after months of scrutiny over his leadership.

“There was controversy between me and Travis of how aggressive the program needed to be and where the safety line should be drawn,” Krikorian said. After Uber, he says he was ready to “do something completely new.”

“While we want to win back the White House in 2020, we also think about how we leave behind a technical legacy at the party that will be continued,” Krikorian said. “My plan is to be around as long as I feel like I can make a difference and my team is making a difference.”

Krikorian’s hiring was part of a broader push by the DNC to overhaul its tech infrastructure following the 2016 loss. 

Krikorian says that his team has made major strides in overhauling the DNC’s security practices, teaching employees to be more vigilant about threats and making IT decisions to reduce the overall attack surface.

Still, Krikorian won’t say that he is entirely confident in the DNC’s security.

“It’s an arms race,” Krikorian said. “Even if I were to say that I’m confident today, that doesn’t mean that I’m confident tomorrow.”

“I don’t think we are ever going to say that we feel confident. I’m always going to say that we feel better than yesterday,” he said.