A Cybersecurity Expert Told Us What the DNC Hack Means for the Future of Democracy
Are elections about to be the battlegrounds in a new kind of cyberwar?
Thanks in part to the publication of 19,000 internal emails from behind the scenes at the Democratic National Committee (DNC), that party's convention this week in Philadelphia got off to a rocky start. DNC chair Debbie Wasserman-Schultz has resigned, and Bernie Sanders fans on the convention floor are voicing angry opposition to Hillary Clinton, even going so far as to boo Sanders himself on Monday when he reiterated his endorsement of the candidate-to-be.
The DNC emails, which showed up on Wikileaks last week, revealed what's being perceived as bias toward Hillary Clinton, or at the very least nastiness toward the Bernie Sanders campaign. An anonymous hacker named Guccifer 2.0 had already claimed responsibility for infiltrating DNC mail servers and publishing strategy documents on June 25, and was now taking responsibility for the emails.
On Monday, in a detailed opinion piece on Motherboard, security and technology scholar Thomas Rid laid out the claim that the Russian state, not just one lone wolf, was responsible for the DNC hack.
Partisans on the American left seem ready to believe that Russian President Vladimir Putin is a cloak-and-dagger operative for the campaign of Hillary Clinton's opponent Donald Trump—a guy who has, to be fair, called Putin "a very strong leader." Putin is already the source material for actors researching villain roles, but masterminding a massive hack that could shift the course of the US presidential election seems like a big step forward in terms of overall villainy.
To find out how this allegation could possibly be seen as plausible, and to get a sense of what it means for security, I got in touch with cybersecurity pundit and New York University computer science assistant professor Justin Cappos. He said the whole thing has him legitimately frightened.
The following conversation has been edited for length and clarity.
How does one go about figuring out who's responsible for a hack?
In countries that have invested a lot in these types of programs, they spend money building up their own tools and techniques, and they all leave these kinds of different little marks when they're used. They'll all result in hacks that look a little bit different. There are things they'll do to try and mask this.
If the hackers are investing so much, why don't they go to equally great lengths to hide their tracks?
You can imagine that occasionally people screw up. Occasionally there's a few slip-ups here and there, or a few fingerprints here and there that get left, and then from this, you can kinda piece together what's happened.
So far, everyone has concluded that it was Russia. How are they so sure?
The initial security company, CrowdStrike, did the first analysis, and then FireEye and Mandiant went through and effectively confirmed this. To me, as someone who, yes, hasn't yet seen all the detailed information, it just seems exceedingly implausible that someone would be able to so expertly fake this without leaving their own fingerprints, or having their own issues. Given how complicated all this is [and] given the state of the world, it just seems extremely unlikely.
One of the pieces of evidence was a "dropper" previously used by the Russian government. What does it mean that they found a "dropper" previously used by the Russian government?
Let's say US agents had observed someone leaving a soda can someplace, and then someone else comes by to collect it, and through other means, we know this is the Russian government [collecting] it. Then someone else leaves the soda can there, and someone comes to pick it up.
What other evidence was there?
In another case, they found that someone had modified a document in the [leaks], and had done it using a computer that had Russian language settings, and they didn't realize that when they did this inside of [Microsoft] Word, it would leave a trace. They kinda slipped up. So when you see that someone happens to have edited a document, and it just so happens that someone used Russian language settings and so on, these sorts of slip-ups are very common. You just have to make one little mistake in one little place, and people can trace it back.
What should we make of a hack this serious?
It's frightening that this sort of thing might be used for political reasons, especially against countries that are democracies, because, since it's influenced so much by what the voters think and what's reported in the media, it seems entirely possible for countries that have these capabilities to influence elections in democratic countries. That frightens me.
Is the DNC culpable for leaving themselves open to this?
It's extremely hard to protect against something like this. Had equal focus been put into getting into the RNC's servers and the RNC's systems, I see no reason to expect that they wouldn't have been successful there, or really in any other similarly protected organization. It's exceedingly hard and requires an enormous amount of effort, and some of the top tech and financial companies are really leading the way on this, but it's exceedingly hard for anyone to resist state-level actors like this. So it's not just like they didn't have antivirus software, or they didn't have a firewall or something, and somebody got in.
Are political parties harder to protect?
You have people coming and going all over the US, exchanging information, sending things to each other. It's just very hard to imagine how to design an effective security system for such a dynamic and distributed system like that, which people really need to use to get work done.
What's the cybersecurity community expecting to happen next?
Attack capabilities in this space are likely to increase as more and more governments put more resources into developing them. And I think that increasingly we will see groups use this to try and further aims that they might otherwise try to do through other means. We'll see countries continue to use this to influence elections, especially if it's effective in this case.
Should I just avoid email altogether?
I have multiple conversations per week with people in person or on the phone intentionally. When I'm going to say something that I don't want put in an email, I will not put it in an email. It's wise to consider what you write down, and what you stick in emails.
Follow Mike Pearl on Twitter.