Advertisement

SKIP ADVERTISEMENT

The D.N.C. Didn’t Get Hacked in 2020. Here’s Why.

A devastating email breach of the D.N.C. roiled Democrats in the final months of 2016. An unassuming security official made it his mission to prevent a recurrence.

Bob Lord took a six-figure pay cut in January 2017 and headed to Washington to become the D.N.C.’s first chief information security officer.Credit...Christie Hemm Klok for The New York Times

As the country learns more about a broad Russian hijacking of American federal agencies and private companies and now another Russian hack, which was revealed on Thursday, it can look to the Democratic National Committee for a more positive development in the effort to prevent cyberattacks: Unlike four years ago, the committee did not get hacked in 2020.

It’s worth remembering the D.N.C.’s outsize role in Russia’s interference in the 2016 election, when a spearphishing email roiled the Democratic Party in the final months of the campaign.

That March, Russian hackers broke into the personal email account of John Podesta, Hillary Clinton’s campaign chairman, unlocking a decade’s worth of emails, before dribbling them out to the public with glee. The D.N.C. chairwoman, Representative Debbie Wasserman Schultz of Florida, resigned after emails appeared to show her favoring Mrs. Clinton over Senator Bernie Sanders of Vermont.

A simultaneous Russian hack of the D.N.C.’s sister organization, the Democratic Congressional Campaign Committee, tainted congressional candidates with accusations of scandal in a dozen other races.

By the time Donald J. Trump was in the White House in January 2017, “the D.N.C.’s house was ablaze,” Sam Cornale, the committee’s executive director, said in an interview this week.

That month, Bob Lord, an unassuming, bespectacled chief security officer at Yahoo, was still mopping up the largest Russian hacks in history: a 2013 breach of more than three billion Yahoo accounts and a second breach in 2014 of 500 million Yahoo accounts. Mr. Lord, who discovered the breaches when he took over the job, helped the Federal Bureau of Investigation identify the assailants. A courtroom sketch of Karim Baratov, one of the hackers in the Yahoo case, still hangs on his wall.

Mr. Lord left the team Yahoo affectionately calls “The Paranoids,” took a six-figure pay cut and headed to Washington in January 2017 to become the D.N.C.’s first chief information security officer.

The way he saw it, the D.N.C.’s 2016 breach wasn’t so much a cybersecurity issue as it was a problem of workflow and corporate culture.

Mr. Podesta’s aide, for instance, had asked a staff member to vet whether the infamous Russian spearphishing email was safe, and the aide responded that the email was “legitimate.” It was a typo; he later said he had meant to write “illegitimate.” By the time anyone realized what was happening, Mr. Podesta’s risotto recipes, and excerpts from Mrs. Clinton’s Wall Street speeches, were being dissected online by the news media and conspiracy theorists.

“After that, few would even pick up a flier, let alone a hose to help in 2017,” Mr. Cornale said. “Bob showed up with five fire trucks while putting on his suspenders, and ran into the house.”

Mr. Lord told his staff on Friday that he was leaving, clearing the way for the D.N.C. to get a replacement to get ahead of whatever adversaries may have planned for the midterms.

Over the past four years, Mr. Lord has been a persistent and pervasive presence, speaking at every all-hands meeting, reminding employees that staving off the next cyber threat would come down to individual accountability: not reusing passwords, turning on two-factor authentication, running software updates. He urged them to use Signal, an encrypted messaging app, to lock down their Venmo accounts; he also advised them to avoid clicking on suspicious links.

A “Bobmoji”— a digital caricature of Mr. Lord — hangs above the men’s urinal and adorns the walls of the women’s restroom, reminding staff members of the checklist.

Mr. Lord has had significantly smaller security budgets than he did at Yahoo, or that of any government agency or technology companies that Russia breached over the past year. And so he became something of a digital Marie Kondo — the Japanese tidying expert — decluttering the D.N.C.’s networks, excising old software and canceling extraneous vendor contracts, then took those extra discretionary funds and put them toward cybersecurity.

But he knew cybersecurity technologies can go only so far. “If adding security technologies could fix our cybersecurity problems, we would have fixed things 25 years ago,” he said in an interview.

His real legacy, D.N.C. staff members said, is that he single-handedly changed a culture.

“To survive in Bob’s role, you have to drive people a little crazy,” Nellwyn Thomas, chief technology officer at the D.N.C., said.

When the committee sent out an innocuous email asking staff members to enter their T-shirt sizes and addresses for some free swag, not a single employee complied, employees said.

Mr. Lord had proudly turned them paranoid.

Nicole Perlroth is a cybersecurity and digital espionage reporter. She is the bestselling author of the book “This Is How They Tell Me The World Ends,” about the global cyber arms race. More about Nicole Perlroth

A version of this article appears in print on  , Section A, Page 27 of the New York edition with the headline: How D.N.C. Warded Off Hacks in 2020. Order Reprints | Today’s Paper | Subscribe

Advertisement

SKIP ADVERTISEMENT