Data Security Lessons from the DNC Hack

    Did the hack of Democratic National Committee (DNC) emails and their subsequent publication on Wikileaks change the trajectory of the 2016 presidential election?

    We’ll probably never have a definitive answer on that, but, according to Christy Wyatt, CEO of Dtex, and Robby Mook, former campaign manager for Hillary Clinton, the hack showed the real-life consequences that come with a data breach.

    Wyatt and Mook are working together to get the word out about the damage that can be done when hacked information is made public. Mook is using his vantage point as someone who experienced such a hack from the organization’s point of view. The pair talked to me at RSA about the hack and what businesses can learn from it.

    Don’t Be Afraid to Talk About Threats and Breaches

    As Wyatt pointed out, the majority of hacks are enabled by an insider, with various degrees of severity. There’s been a lot of talk about malicious insiders like Edward Snowden, but Wyatt added that we can’t discount the actions of the negligent insider, especially when that information is propagated by a bad actor on the outside. “Those are some of the most devastating breaches, and that’s what happened to the DNC.”

    Because of the nature and timing of the hacks and email dump on Wikileaks, the DNC story brought the political implications and security concerns of data breaches to the forefront. But in many breaches, there are national security and political consequences that most people don’t understand, Mook said, yet too many victims of breaches are hesitant to speak out, for whatever reason.

    “I can speak out,” Mook said, “and I’m committed to sending the message loud and clear. This is a common problem, and one that everyone needs to plan to face. It’s the responsibility of executives to lean into the problem and understand the data they have, make sure they’ve done a responsible risk assessment and then have a strategy in place that’s consistent with the risk assessment. Then they need a culture within the organization that’s sensitive to security.”

    Insider Threats and Outsider Threats, or Both

    The problem, Wyatt said, is that most companies have no way of seeing what their employees are doing due to privacy concerns. “They shy away from the Big Brother,” she said. IT spending is expected to reach more than $3 trillion this year and security spending is supposed to hit $1 trillion in the next five years, yet little is being done to watch the people who are actually touching your data. Wyatt thinks the shift to behavioral analytics may be the only way to detect what people are doing on the inside, especially when it comes to credential protection. When credentials are stolen, bad actors have access to everything.

    The DNC hack was caused by someone clicking on a phishing email, and Mook quickly added that, to their knowledge, the Clinton campaign was never breached. The DNC breach occurred before the two entities joined forces, post primary season. People’s private accounts were also hacked. Although John Podesta’s email account was the most high-profile of these hacks, Mook said there were many others, and this leads to the heart of the problem that he wants people talking about.

    It’s Not Just Your Data that Can Hurt You

    “It’s not just the data that you may think you are accountable for. There’s a wider universe of data out there that could have a real impact on your business.”

    In part, the problem is that organizational data mingles with personal data as users join multiple accounts and systems.

    “It’s important for executives to wake up to this problem and not just push it off to their IT staffs,” said Mook. He does understand why it is easy to “just let IT deal with it.” “For those of us – and I’m a great example — who don’t understand the technology very well, you don’t think you are qualified to worry about it.” But it is the responsibility of executives and leadership to step up and really understand the strategy that’s in place and why it is there.

    Then, there is the realization that you will get hacked, or, at the very least, there will be multiple attempts to hack the system. There has to be a plan in place to deal with the post-breach fallout that includes legal, human relations and public relations. “The whole team should be brought together to do simulations and practice what you’ll do,” Mook added.

    You also have to look at the supply chain and recognize that you are only as secure as your vendors, Wyatt pointed out. While the DNC was the entity that was hacked in this case, the Clinton campaign was the DNC’s biggest client, if you will, and it was the campaign that took the brunt of the damage. “Even if you are asking all the right questions and doing the right things, if you aren’t propagating that through the people you are sourcing data from, the vulnerability is still there,” she said.

    “That’s why you have to take responsibility for the whole picture,” said Mook. “It’s not fair, but it’s your reputation, your brand, your company that will take the reputational hit. In our case, we had donors that we had directed to the DNC who had their PII stolen. That was our problem because the donors were looking back to us.”

    Hackers understand they are dealing with humans, Wyatt said, and with humans, there is a lot of information to be mined. You think that they are after just the intelligence they can gather, but the truth is, any data – on emails, stored in the cloud, or on a device – can be used against you in some way.

    Finally, Wyatt and Mook agreed that it is time for data breaches and all cybercrime to be treated for what it is – a crime. If the Russians had physically broken into the DNC headquarters and stolen paper files from filing cabinets and then gone back to their building in Maryland, there would have been an international outcry over the theft, Wyatt stated. But we aren’t culturally at a point where we have the same reaction over cybercrime, and that’s another change the pair would like to see.

    “If I’m a CIO and I had any significant customer base or employee base and I’m not looking for vulnerabilities from the inside, then later on, somebody is going to ask me how I missed it,” Wyatt said.

    “You have to plan for the worst-case scenario,” Mook added. “Someone will want to hack in, steal your information, and use it in the worst possible way against you. That’s why planning is so essential.”

    Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom’s Guide. You can reach Sue via Twitter: @sueporemba


    Sue Poremba is a freelance writer based in Central PA. She's been writing about cybersecurity and technology trends since 2008.
