Inside Democrats' efforts to fight election security threats

Still, Lord and his team face major challenges. “Given the volatility of campaigns and party committees, creating an effective, long-lasting institutional cyber regime has always been a very difficult task,” said Simon Rosenberg, a senior strategist who focused on disinformation and electoral security in the Democratic Congress campaign 2017-2018.

“Most of the people who work at the DNC won’t be there in a few months, and campaigns go away after two years,” said Rosenberg, the founder and president of NDN, a center-left think tank. “What Bob was trying to do is incredibly important, but it’s also incredibly difficult because it goes against the grain of the nightly culture of modern American politics.”

While the Russians have invaded the state government this year and an election campaign to intimidate Iranian voters has been conducted, election-specific hacks have not been widespread. But Election Day is a full moment for the DNC. Any violation could disrupt the controversial presidential election or shut down races in the US Senate and state legislatures.

Lord said the DNC went to a tremendous effort to prepare for such events. Now it’s just a matter of seeing if it’s enough.

Getting people to think about safety first

The DNC has worked to ensure its employees adhere to security guidelines, built its technology platforms with cybersecurity in mind, and placed security concerns at the center of its decision-making processes. Lord and his colleagues run simulated phishing campaigns regularly to test employee vigilance. Other improvements required years of unsexy bureaucratic work, Lord said, including upgrading technology to reduce the “attack surface” – the range of targets available to hackers.

“It’s kind of a long slog to make sure people, processes and technology are aligned with good safety practices,” said Lord.

For obvious reasons, the DNC is very secretive about the specific security upgrades it has made and Lord declined to discuss such details.

Admonishing DNC employees to keep an eye on security wasn’t easy, but Lord came with valuable experience, having previously overseen cybersecurity for both Yahoo and Twitter.

In both the private and public sectors, he said, people want to “get things up quickly,” and it is the security chief’s job to “make sure someone curates and manages these systems for the long term,” especially as they get older and appear to have weak points.

Even so, it’s a fight that never ends, as Nellwyn Thomas, the DNC’s Chief Technology Officer and Lord’s boss, recently confirmed.

“We can never completely prevent any kind of intrusion or attacks,” said Thomas at an event organized by the Institute for Security and Technology in early October. “All we can do is keep shrinking our attack surface and constantly improving our ability to monitor and detect intruders.”

Buy-in from people outside of DNC’s control

The DNC may be the operational center of the Democratic Party, but when it comes to the party’s digital vulnerabilities, the DNC is just a cog in the system. An extensive network of sister committees, campaigns, state parties, advisors, strategists and contractors offers an almost unimaginably wide range of targets – and Lord does not control how any of these organizations protect themselves.

In this sense, the DNC is very different from the Silicon Valley companies Lord previously protected. A security breach at Twitter could spread to Yahoo if the hackers exploited informal relationships between the two companies’ employees, but there is no real parallel in the tech industry with the many different limbs of a political party.

The fact that state parties and sister committees are completely separate organizations helps them act quickly, Lord said, but “you will immediately see the challenges that arise for cybersecurity.”

When Lord accepted the job, DNC chairman Tom Perez warned him that he was going to face this problem. “I don’t think I understood the meaning of what he was asking of me until I got around to it and then somehow faced this daunting task,” said Lord.

Over time, he has found ways to coordinate. The DNC security team now meets monthly with its colleagues on the House and Senate election committees and talks informally every week. “We stay in step with them,” said Lord.

Lord’s team also works closely with the security and IT experts from the Biden campaign. “Fortunately, we don’t have to examine all of the things they have,” he said.

The DNC has fewer direct interactions with state Democratic parties. In most cases the DNC has only given precautionary statements, but Lord said, without elaborating, that “in some cases [we] did additional due diligence to cross some T’s and puncture some I’s.”

Without the ability to control these organizations, the DNC’s security team followed the same strategy the DHS’s Cybersecurity and Infrastructure Security Agency used to improve the defense of state and local electoral officials: provide a friendly center of expertise that others can turn to for help. Over the past two years, the DNC has brought a steady stream of documents, newsletters, webinars, and alerts to other Democratic organizations.

The DNC also routinely encourages its partners to report suspicious activity so that the national committee can develop a better understanding of the threats.

“We’re not just interested in what problems they’re having, we may be able to spot a pattern. For example, if two or three state parties report the same one-off issue, it might actually be something we need to look at more holistically,” Lord said.

Although he refused to give specific examples, Lord said that many Democratic organizations have reported useful information. “We have a good line of communication.”

One of the most famous creations by Lord is a short safety checklist that the DNC has distributed to its partners. It outlines a handful of basic protections – including two-factor authentication that requires a temporary passcode in addition to a user’s password – that experts agree would prevent the vast majority of violations.

“We were able to move the needle in some of these areas,” said Lord.

His team also “occasionally checks” the Democrats’ cybersecurity practices. In early October, he said there had been “no big flags yet”.

Dependent on Silicon Valley and frustrated by it

Like any organization fighting security threats in elections, the DNC relies on the big tech companies to prevent bad actors from abusing social media platforms. It wasn’t always an easy relationship.

When it comes to analyzing and eliminating disinformation or campaigns with foreign influence, the DNC security team “has a good relationship” with its contacts at Facebook, Twitter and other social media companies, Lord said.

However, they have been less fortunate in getting companies to make systematic changes to their rules for moderating content.

On its website, the DNC evaluates large social media companies on whether they follow certain best practices and explains how they can do better. For example, the committee credits the disappearing-message platform Snap for creating a “Policy of Political Disinformation” and notes that Twitter and YouTube do not have one. Facebook has “not set a public policy that restricts the distribution of hacked material on its platform”.

“While we get along well with the people in the field,” said Lord, “we still feel that the bigger issues just haven’t been addressed.”

In July, the DNC attacked Facebook privately for failing to uphold the ideals of electoral integrity it promised to take seriously after Russia exploited its website in 2016. “Facebook has not kept its promises,” said the committee in a memo from the Washington Post, on the grounds that President Donald Trump routinely violated its election disinformation rules and failed to set algorithms to incentivize hateful messages.

Lord’s concerns go beyond moderating social media content. Years of encouraging the Democrats to enable basic security features have shown him just how difficult the tech industry makes it to be a responsible user.

Tech companies do not have an agreed standard for how security features work on their platforms. This means that users on each site have to take completely different steps to activate the features.

During a conversation at a technology company, Lord said to the staff, “Your goal shouldn’t be to make two things easier for your users. It should be to facilitate two factors for the users of your competitors.”

He remembered that conversation and complained, “That’s not how tech companies think of this stuff.”
