Cybersecurity

Revamping cyber at the DNC

The Democratic National Committee's (DNC) new chief security officer is no stranger to serious breaches.

But Bob Lord, who journeyed from Silicon Valley to the Beltway, is facing a far different landscape than his previous workplaces, which include technology giants Yahoo, Twitter and AOL. At his most recent job as Yahoo's chief of information security, Lord was tasked with detecting two massive data breaches that had unfolded before he began working there.

While he used to have a large team of security officials handling matters out of a centralized headquarters, he is now tasked with defending the scattered political ecosystems of remote state party offices and campaigns against cyberattacks.

"The challenges that we had in just a regular company are amplified by diverse missions, staffing, you know the whole nine yards," Lord told The Hill in a sit-down interview last week.

"I didn't have to deal with training individual people when I repped large organizations. All of the DNC is on the order of the size of the security team that I left," he said.

Lord's arrival at the committee came after the group was left reeling from the aftermath of its unprecedented and highly disruptive hack in 2016, in which Russian intelligence operatives targeted the DNC's servers.

Russian hackers sent a reported 30 phishing emails that looked like a notification from Google encouraging staffers to change their passwords. All but one of those phishing attempts failed, but one click was enough for hackers to penetrate the system and gain access to the DNC's internal emails, which were published by WikiLeaks.

The DNC leak caused a major embarrassment for the party as internal discussions were released to the public and weaponized by political opponents amid the heated presidential campaign.

At Yahoo, Lord worked with federal investigators seeking to determine who was behind attacks against the company, which came under the scrutiny of the Securities and Exchange Commission (SEC) after failing to properly notify customers and investors that hackers had compromised approximately 500 million user accounts in 2014. The public was not notified until two years later, according to an SEC order last April, which hit Yahoo with a $35 million penalty.

In September 2016, Lord disclosed to the public that hundreds of millions of accounts had been exposed and hackers made off with sensitive information such as names, passwords, email addresses, telephone numbers and dates of birth.

Just a few months later, Lord disclosed an even greater breach from 2013 that affected 3 billion accounts.

The Department of Justice later praised Yahoo and Google in 2017 for their cooperation with investigators, who ended up charging two Russian intelligence officers with computer hacking, economic

espionage and other criminal offenses related to the 2014 hack.

This experience of dealing with major breaches, Lord says, has given him a unique perspective.

"Seeing battle up close can make you a little bit more aware of what you need to focus on," Lord said. "I think a lot of security professionals, if they haven't seen battle, they may have their own sensibilities about what should be prioritized and what should not be - and sometimes those need a little bit of adjustment."

At the DNC, Lord says state parties and campaigns are locally based so that they can quickly make decisions during an election, but their decentralized nature poses challenges from a security standpoint.

To address the matter, Lord rolled out an updated checklist in February for staffers to follow in order to safeguard their accounts. The checklist encourages staffers to keep their devices up to date to prevent hackers from exploiting any exposed vulnerabilities, to have long and random passwords for their accounts, to use password managers to track those unique passwords and to set up multifactor authentication for their DNC accounts so that their identities are confirmed before they can access their data.

Ahead of the 2018 midterm elections, Lord says he also urged state offices and campaigns to share feedback about any email or spam that they deemed fishy, a feedback loop he says helped inform his checklist.

"When they started to send that telemetry back, I sort of understand a little bit more about what was happening in the field, and I think that's really what started to sharpen the checklist was hearing how the bad guys were doing their job and understanding that standard phishing applies," he said.

Lord also says he conducts tabletop exercises, scenarios in which his security team practices responding to a hypothetical cyberattack so that they can see how they would likely react should an actual one occur.

Looking ahead to the 2020 elections, Lord says he wants to find what worked well in 2018 and "supersize that for the next cycle."

The task ahead of him now is detecting the campaigns and offices that are lagging behind on security and then helping them to improve.

"How can I find the outliers? I know about some of the good ones, [but] how do I figure out how to move the needle? Part of that's going to be a function of getting more telemetry," Lord said, noting that he wants to be "a coach" to those local offices.

He said his approach for addressing concerns is to tailor his cyber solutions to their problems.

"There's going to be a certain base set of recommendations, and we're going to be pushing those very hard, but we also have to be sensitive to how they want to go about getting from point A to point B, and not every journey necessarily has to be the same," Lord told The Hill.

Lord described it in terms of being a physical trainer - if someone is ordered to strengthen their abdominal muscles, but situps hurt their back, they should be taught to target that muscle group in other ways.

Lord, who also occasionally pressed a reporter from The Hill on whether her cyber hygiene was up to speed, emphasized repeatedly that his checklist, while basic, builds the foundation for a safer device, arguing that additional cyber defenses like a firewall and a virtual private network are things that should be secondary.

"It feels funny talking about this checklist because it seems so old school, seems so primitive. But it's eating right, exercising and not smoking or drinking too much. It's the basics, really just the basics," Lord told The Hill.

Lord recounted a story about a Twitter executive who had his account compromised on his first day as a vice president at the company, which was likely a product of him creating an account with poor security, for example an easy password reused on multiple accounts.

"That probably happened because he had created a Twitter account a long time before when it wasn't important to him. And as it became more important to him, he didn't notice the inflection point" as he rose in the ranks and became a prime target, Lord said.

The need to meticulously track staffers' cyber practices far and wide, he says, is also a product of technology companies failing to design products that are inherently safe - a gap in security that he says very much concerns him.

"Because so many campaigns in other parts of the ecosystem are [bring your own devices], it's very hard to ask that everyone have perfect security hygiene all the time. It only takes one person who hasn't applied the software updates or is using passwords with the campaign," Lord notes.

His plea, he said, would be for CEOs in charge of these major tech firms to prioritize keeping their customers safer by programming security features into their devices and platforms that are employed automatically.

"We need to flip the paradigm. We don't need to make a small change. We need to completely invert the models so that people aren't hurt when they buy a product. It's going to be safe," Lord said.

Updated 10:11 a.m.

Outbrain