The DNC didn’t get hacked in 2020. Here’s why.




Bob Lord, the Democratic National Committee’s chief information security officer, at home in San Francisco, May 26, 2021. “If adding security technologies could fix our cybersecurity problems, we would have fixed things 25 years ago,” Lord said. (Christie Hemm Klok/The New York Times)

As the country learns more about a broad Russian hijacking of American federal agencies and private companies and now another Russian hack, which was revealed Thursday, it can look to the Democratic National Committee for a more positive development in the effort to prevent cyberattacks: Unlike four years ago, the committee did not get hacked in 2020.

It’s worth remembering the DNC’s outsized role in Russia’s interference in the 2016 election, when a spearphishing email roiled the Democratic Party in the final months of the campaign.

In March 2016, Russian hackers broke into the personal email account of John Podesta, Hillary Clinton’s campaign chairman, unlocking a decade’s worth of emails, before dribbling them out to the public with glee. The DNC chairwoman, Rep. Debbie Wasserman Schultz of Florida, resigned after emails appeared to show her favoring Clinton over Sen. Bernie Sanders of Vermont.

A simultaneous Russian hack of the DNC’s sister organization, the Democratic Congressional Campaign Committee, tainted congressional candidates with accusations of scandal in a dozen other races.

By the time Donald Trump was in the White House in January 2017, “The DNC’s house was ablaze,” Sam Cornale, the committee’s executive director, said in an interview this past week.

That month, Bob Lord, an unassuming, bespectacled chief security officer at Yahoo, was still mopping up the largest Russian hacks in history: a 2013 breach of more than 3 billion Yahoo accounts and a second breach in 2014 of 500 million Yahoo accounts. Lord, who discovered the breaches when he took over the job, helped the FBI identify the assailants. A courtroom sketch of Alexsey Belan, one of the hackers in the Yahoo case, still hangs on his wall.

Lord left the team that Yahoo affectionately calls “The Paranoids,” took a six-figure pay cut and headed to Washington in January 2017 to become the DNC’s first chief information security officer.

The way he saw it, the DNC’s 2016 breach wasn’t so much a cybersecurity issue as it was a problem of workflow and corporate culture.

Podesta’s aide, for instance, had asked a staff member to vet whether the infamous Russian spearphishing email was safe, and the aide responded that the email was “legitimate.” It was a typo; he later said he had meant to write “illegitimate.” By the time anyone realized what was happening, Podesta’s risotto recipes and excerpts from Clinton’s Wall Street speeches were being dissected online by the news media and conspiracy theorists.

“After that, few would even pick up a flyer, let alone a hose to help in 2017,” Cornale said. “Bob showed up with five firetrucks while putting on his suspenders, and ran in to the house.”

Lord on Friday told his staff that he was leaving, clearing the way for the DNC to get a replacement to get ahead of whatever adversaries may have planned for the midterms.

Over the past four years, Lord has been a persistent and pervasive presence, speaking at every all-hands meeting, reminding employees that staving off the next cyberthreat would come down to individual accountability: not reusing passwords, turning on two-factor authentication and running software updates. He urged them to use Signal, an encrypted messaging app, and to lock down their Venmo accounts; he also advised them to avoid clicking on suspicious links.

A “Bobmoji” — a digital caricature of Lord — hangs above the men’s urinal and adorns the walls of the women’s restroom, reminding staff members of the checklist.

Lord has had significantly smaller security budgets than he did at Yahoo, or than those of any of the government agencies and technology companies that Russia breached over the past year. And so he became something of a digital version of Japanese tidying expert Marie Kondo, decluttering the DNC’s networks, excising old software and canceling extraneous vendor contracts. He then took those extra discretionary funds and put them toward cybersecurity.

But he knew cybersecurity technologies can go only so far. “If adding security technologies could fix our cybersecurity problems, we would have fixed things 25 years ago,” he said in an interview.

His real legacy, DNC staff members said, is that he single-handedly changed a culture.

“To survive in Bob’s role, you have to drive people a little crazy,” said Nellwyn Thomas, DNC’s chief technology officer.

When the committee sent out an innocuous email asking staff members to enter their T-shirt size and address for some free swag, not a single employee complied, employees said.

Lord had proudly turned them paranoid.