The Washington PostDemocracy Dies in Darkness

The Cybersecurity 202: DNC security chief preaches basic security for 2020 campaigns

with Bastien Inzaurralde


SAN FRANCISCO — The head of security for the Democratic National Committee says that cybersecurity is far too complicated right now, posing a big risk to the bevy of candidates headed into 2020 who are trying to secure their campaigns.

The DNC's chief security officer, Bob Lord — a tech industry veteran who the DNC hired after a Russian-backed hack of its networks upended the 2016 election — wants big tech companies to see campaigns as a model for why basic security needs to be simpler. It's a new job the political committee created after the Russian hacking scandal that the intelligence community says was undertaken by the Kremlin to help Donald Trump get elected.

During a keynote presentation on the closing day of the RSA cybersecurity conference here, Lord plans to urge companies to spend less time building fancy protections against next-generation digital threats and more time making basic security protections — such as strong passwords and encrypted communications — either extremely easy to implement or automatic.

“People ask: ‘Aren’t you going to install some neural net artificial intelligence? And that doesn’t help if people are reusing passwords,” Lord told me. “People ask about which firewall or VPN to use. I say: ‘We can talk about that, but if you haven’t done the basics, you haven’t solved your problems.’ ”

Lord previously held top cybersecurity posts at Twitter and Yahoo — the latter where he was hired after the company suffered two massive data breaches and tasked him with fixing the damage and rebuilding Yahoo’s core security. 

When Lord was hired in early 2018, DNC Chair Tom Perez touted him as someone whose “skills and hard work will help protect us against the sort of cyberattacks and intrusions that are unfortunately all too common in today’s age.”

Since then, Lord has made the rounds of campaigns before the 2018 midterms and has been briefing Democratic presidential candidates for the past two months.

One big conclusion, Lord said, is that campaigns’ biggest cybersecurity vulnerabilities are the basic ones that bedevil most organizations and lead to the vast majority of data breaches. They include fundamental security red lights such as employing weak or reused passwords and not using a second factor, such as an SMS pin number, to verify people’s identities on email and social media sites.   

Lord also believes that the solution lies with tech companies, who could institute automatic protocols, rather than by encouraging organizations such as campaigns to harangue individual staffers to choose the right password or make sure they have installed the right security measures.

“Campaigns exaggerate the natural deficiencies in products,” he said. “Part of what I’m trying to do is raise awareness that this is an important thing, to give product managers ammunition to go back and rebalance their portfolios, to focus on security by design.”

Campaigns are especially difficult to secure because they organize quickly and are made up of an ever-changing roster of paid staff and volunteers who run the gamut from tech savvy to barely tech literate. Those staffers also often use a mix of personal and campaign-provided computers and smartphones — any one of which can be an entry point for a hacker who ends up compromising large swaths of campaign data.

As if that wasn’t enough of a challenge, campaigns also are prime targets for everyone from hacktivists to Russian and Chinese intelligence agencies.

Lord released a checklist in September detailing how campaigns can do everything from securely using Facebook and Twitter to encrypting laptops so their data can’t be accessed if they’re lost or stolen.

Implementing that checklist is still far more difficult, however, than if tech companies applied those security provisions automatically, he said.

“The checklist is basically a road map of failure by tech vendors to make products that are secure by design and default,” Lord told me.

Readers: Sadly, this will be the last Cybersecurity 202 newsletter produced with the assistance of researcher Bastien Inzaurralde, who has been writing items for this newsletter since its inception. Bastien is moving on to Agence France-Presse. We're grateful for Bastien's work and wish him luck in his future endeavors.


PINGED: Senators from both parties scolded top executives at Equifax and Marriott for not preventing huge data breaches that exposed consumers' personal information and put people at risk of identity theft, The Washington Post's Tony Romm reported

“I understand you’re doing things, but you’re doing things after a major breach,” Sen. Maggie Hassan (D-N.H.) said during a hearing of the Senate Permanent Subcommittee on Investigations. “And what I want to make sure that Americans — whose information is in the custody of an entity they may not even know anything about — don’t have to wait for there to be a breach before companies start doing what they should responsibly do.”

report from the subcommittee concluded that Equifax's response to a vulnerability that ultimately caused the 2017 data breach “was inadequate and hampered by [its] neglect of cybersecurity.” Even before the 2017 breach, the company found in a 2015 audit that it had a backlog of more than “8,500 known vulnerabilities that had not been patched,” according to the report, which was released a day before the subcommittee hearing.

PATCHED: Facebook chief executive Mark Zuckerberg pledged  the company would embrace privacy and encryption in a Wednesday post, but similar vows from Facebook in the past have yielded mixed results, The Post's Hamza Shaban reported. For instance, Zuckerberg said last year the company would roll out a “Clear History” feature but the option still isn't available to users. “Facebook’s avowed turn toward privacy also is striking because of the company’s litany of privacy scandals,” Hamza wrote. “What Zuckerberg describes as a lack of ‘a strong reputation for building privacy protective services,’ critics view as a lengthy record of mishaps, apologies and sustained disregard for people’s privacy.”

Moreover, the use of encryption could make it harder for Facebook to identify misinformation operations or other malicious activity. “The framing is new for Facebook, talking about everything being private,” Justin Brookman, director of consumer privacy and technology policy for Consumer Reports, told my colleague. “What it's actually going to mean in practice . . . I have a lot of questions.”

PWNED: Experts say the hackers who carried out a cyberattack against a refinery in Saudi Arabia in 2017 are also probing companies in the energy sector in the United StatesE&E News's Blake Sobczak reported. Cyberattacks against U.S. refineries or petrochemical facilities could potentially result in human deaths, Sobczak noted. An analysis from the cybersecurity company FireEye last year traced the 2017 attack against the Saudi refinery back to a Moscow research institute — based partly on the Triton malware the hackers used.

“The intrusion in Saudi Arabia stands as the most brazen use of the Triton tool to hijack safety systems and to clear the way for what could have been a lethal attack on a vast industrial complex,” Sobczak wrote. “If taken to its extreme, the prospect of losing control of a major industrial plant echoes the 2005 BP PLC refinery explosion in Texas City, Texas, which killed 15 people.”


— Rob Joyce, senior cybersecurity adviser at the National Security Agency, said U.S. officials don't plan to reveal a “smoking gun” to bolster their case against Chinese telecommunications giant Huawei, CyberScoop's Sean Lyngaas reported. U.S. officials charged that Huawei could be a platform for Chinese spying and urged allies to bar the company from their next-generation 5G wireless networks. “Everybody is anxious for that smoking gun,” Joyce told CyberScoop. “It is not the case that you’re going to see people bring out and drop that smoking gun on the table … for all sorts of reasons about the way we understand the threat, the way we deal with the Chinese, the way we have to protect the ability to see and maybe defeat or deny that capability going forward.”

— Lawmakers should be wary of “unnecessary isolationist” positions that could result in arbitrarily banning foreign companies in the name of supply-chain security, according to the software trade association BSA. The group made several recommendations in a letter to the leaders of the Senate and House Armed Services committees as lawmakers are set to start working on the fiscal 2020 defense authorization bill. “We are aware of some efforts to advocate for solutions to technology development that would seek to deny foreign adversaries influence by adopting indiscriminate prohibitions against the acquisition or integration of software components developed in certain foreign nations or by certain foreign nationals,” the group said in the letter. “Such approaches, without any grounding in risk management, are deeply flawed,” BSA added.

— More cybersecurity news from the public sector:

Pentagon’s Cyber Mission Force Needs Better Training Plan (Nextgov)

Cyber group calls for coordinated vulnerability disclosure policies (FCW)

Denver to test blockchain voting in mayoral election (StateScoop)


— The previously unknown computer bugs — known as zero days — that governments buy from security researchers are getting harder to find and more expensive, Motherboard’s Joseph Cox reported. One company, Crowdfense, which buys those bugs from researchers and resells them to government, is paying up to $3 million for some high-value bugs that target iPhones and Android devices, Cox reported. The government sometimes alerts industry about those vulnerabilities and sometimes saves them to spy on adversaries. Crowdfense has also begun buying zero days that target Internet routers, Cox reported. “We are trying to target a broader attack surface, and [ . . .] the reason is that the attack surface of the typical products that we used to exploit is substantially reduced,” Andrea Zapparoli Manzoni, chief executive of Crowdfense, told Motherboard.


An Email Marketing Company Left 809 Million Records Exposed Online (Wired)


Facebook finds UK-based fake news network (BBC News)



Coming soon:

  • The Brookings Institution holds a discussion on “How to improve cybersecurity career and technical education” on March 13.

What's next for U.S.-North Korea talks after no deal in Hanoi?

Here is what to expect after the collapse of the planned March 2019 summit in Hanoi between North Korean leader Kim Jong Un and President Trump. (Video: Jason Aldag/The Washington Post)

Representatives argue over Nickelback on the House floor:

Rep. Mark Pocan (D-Wis.) joked March 7 about the “pretty low” number of Nickelback fans while discussing an election measure. (Video: U.S. House)

Watch Mike Daum shoot hoops with his parents:

South Dakota State forward Mike Daum shoots baskets with his parents before each home game. (Video: Chuck Culpepper/The Washington Post)