Advertisement

To prepare for 2020, DNC security chief tries to make hackers’ lives harder

Former Yahoo CISO Bob Lord has the challenge of broadening adoption of good security practices at campaigns and state parties scattered across the country.

The Democratic National Committee is striving to “make it more expensive for attackers to do their work” as it prepares for the 2020 election, Bob Lord, the committee’s chief security officer, told CyberScoop.

It is a simple but proven principle of cybersecurity: Make it harder for hackers to succeed by implementing time-tested basics like two-factor authentication. The question for the DNC is: How do you aggressively broaden adoption of such practices for campaigns and state parties scattered across the country, many which have very limited budgets?

That far-flung apparatus is not the chain of command that Lord was used to when he was a cybersecurity executive at companies like Yahoo and Rapid7.

“Because we’re a decentralized ecosystem, it presents a number of interesting challenges,” he said in an interview. “I don’t have the ability to order people to do things. Nor can I practically manage all of their systems. But what I can do is try to be a voice that they might not have heard before.”

Advertisement

That means using his private-sector contacts to connect party officials with tech experts to offer frontline experiences about defending their networks. For example, to prepare for the 2018 midterm elections, the DNC hosted executives from social media companies to share security best practices and discuss the threat of influence operations on their platforms.

The DNC hired Lord to overhaul its security after Russian intelligence officers breached the committee’s networks to devastating effect in 2016. Since then, Lord and others have clamped down on shoddy security practices among Democrats, studied attacks seen in the wild and issued a “checklist” of measures that officials can do to better defend themselves. U.S. officials say foreign adversaries are probably already planning to intervene in the 2020 presidential elections.

Lord compared himself to a personal trainer trying to ween pupils off of bad health habits.

“What we started to do was build a feedback loop so we could spot these patterns” in security incidents seen in various industries — and learn from them, Lord said.

Although nation-state hackers were still probing the networks of candidates ahead of the vote, the midterms passed without a big breach of Democratic data. Lord is trying to build on that momentum to ingrain strong security practices in more field operatives and state officials ahead of 2020. “What we’re really trying to do now is supersize the playbook to reach the most number of people,” he said.

Advertisement

Like tens of thousands of other cybersecurity professionals, Lord traveled to the RSA Conference in San Francisco this week. A key message he planned to deliver was that tech giants like Apple, Google, and Microsoft, should consider enabling some form of automatic software updates for users of their products.

The DNC security chief credited those companies for making “huge strides” in their patching practices, but said there is still more to do. Now is the time to tackle the “last mile” of that challenge by taking humans out of the equation with automatic updates, Lord added.

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts