
Hacks


by Donna Brazile


  Although these cybersecurity task force calls were all about solving the problems ahead and not looking back to assign blame, I could hear the incredulity in the voices of these experts. They were appalled by how easy it was to break into the DNC. One member used the warm-knife-through-butter analogy. Another described the network as “wide open,” and all of them were alarmed that the party did not have an employee whose sole job it was to protect our information. I remember one task force member comparing the DNC to a small business whose only asset was information, and yet we had no resources devoted to protecting the one thing of value that we had.

  If the DNC was a small business, it was like no small business I’ve ever seen. We change bosses and objectives with each election cycle and our goal is to spend every dime we raise to get people elected. Long-term planning for things like investment in cybersecurity is hard to do in this environment. And in this cycle it sometimes seemed like Brooklyn wanted to strip it of its functionality nearly as much as the Russians had.

  We had a few information technology people in the building who were employees of the IT firm we contracted, but we did not have a chief information security officer, or CISO, a job title I’d never heard of before. This is a person whose whole job it is to keep your data safe. Instead we had The MIS Department, that Chicago-based IT firm that we’d inherited from the Obama campaign. Despite the fact that Obama’s 2008 campaign had been hacked, the company had become the IT contractor for Democratic party operations all around the country, including the DNC. If we’d had a CISO who was savvy in the ways of Washington, DC, when the FBI called to say we had been hacked by the Russians, that person would have run to the chair’s office with hair on fire.

  Another person on those calls who was educating me was Michael Sussmann, the former cybercrimes prosecutor for the Justice Department. He was the one who recommended Shawn Henry and CrowdStrike. As an executive assistant director at the FBI, Henry had overseen cybercrime investigations all around the world. He had been working there when the Chinese hacked the Obama campaign. The DNC had hired CrowdStrike in May to help us get a handle on our hacking.

  These two men were more than that to me, though. When you enter this world of cybercrime, suddenly everything you touch and see seems not to be what you thought it was. Are people listening to you? Are you safe in your car driving down the street? If I called Shawn or Michael, they would answer my anxiety with steady voices. They would explain the situation carefully and, whenever I spoke to either of them, I would come away thinking we had a handle on this. Caution was necessary, but panic and paranoia were a choice, and one I could not make because it would cloud my thinking. We might not have this thing solved, they would assure me, but we were making progress.

  Initially the progress came from the program called Falcon that CrowdStrike placed on the DNC servers. I imagined our Falcon watching the activity in the system like a predator, looking for anyone who started to meddle. Falcon was like a window into the system with a video camera that recorded everything that went on inside. Through it, we were able to see Russian actors who were logging on to the system and how they were talking to the computers inside our network. The CrowdStrike analysts showed us how the Russians were reaching out from thousands of miles away to control our system. They had installed software that could send the information they were interested in back to their own servers and issue commands for the malware to take specific actions. As soon as CrowdStrike installed Falcon, it detected an intrusion underway with two Russian state actors digging deeper and deeper into the DNC.

  In May, when CrowdStrike recommended that we take down our system and rebuild it, the DNC told them to wait a month, because the state primaries for the presidential election were still underway, and the party and the staff needed to be at their computers to manage these efforts. For a whole month, CrowdStrike watched Cozy Bear and Fancy Bear operating. Cozy Bear was the hacking force that had been in the DNC system for nearly a year. That Bear was clever, using a number of maneuvers so that it remained undetected. Cozy Bear would have been happy to stay inside our system for as long as possible, quietly vacuuming up information as the campaign continued to the general election. Fancy Bear showed up in April 2016. Fancy Bear, the one our IT department detected, was loud and did not seem concerned about being found out. As our technology director Andrew Brown said, it was like Fancy Bear smashed in the front window and raged around grabbing whatever was at hand, less concerned about being detected than Cozy Bear had been.

  My task force was appalled at the idea that CrowdStrike had to wait a full month before they took down and rebuilt the system because this was not what a business would do. I also had sympathy for the choices made amid the chaos of the primary season. After CrowdStrike rebuilt the system, all of our staff had to learn new computers, new log-ins, new procedures, at the moment when their personal lives were being destroyed by these leaks. Then their bosses resigned because of the emails that were distributed by WikiLeaks, creating even more chaos and insecurity. All of this was on top of a contentious campaign. Our regular task force conference calls gave me a new appreciation of the dedication of our staff, who endured this incredibly stressful time.

  The purpose of these weekly calls was not to look backward, though, but to look forward to what we needed to do to survive the election and beyond.

  The task force felt good about what the DNC and CrowdStrike had done to kick the Russians out of the system in the six weeks after Falcon was deployed. Falcon also put up some barriers against the Russians returning, but no barrier they could erect was fail-safe. Part of what Falcon offered us was forensics. The program burrowed into the activities that had taken place in the last few years to uncover Cozy Bear’s goals, but we still were not sure that we knew everything that it had accomplished. One of the task force members compared it to coming home to find out that the front door was broken open. You walk through the house trying to find out what was stolen. Did the intruder eat from the fridge? Use the bathroom? Rifle through your drawers? We didn’t know the extent of what they had taken. They are very good at covering their tracks.

  Call by call, as the task force analyzed every detail of the DNC hack and response, the consensus was that we needed to buy a robust cyberdefense software program and to contract a team that could make these defenses even stronger and train the staff to respond quickly to incidents as they were uncovered. Ideally this team could stay with us up until the election. The problem, as always, was money.

  By the beginning of September our cyberdefense already had cost us $300,000, and the bills were still coming in. When then FBI Director James Comey testified before Congress in January 2017 about our hacking, he said that the DNC had denied the FBI access to our servers when they wanted to investigate. I was not sure what he was talking about. Maybe he was referring to that period of time before we took the hacking seriously, when the IT department believed that the calls from the FBI were a prank. We never handed over the physical servers, though, because the FBI never requested them once we were working together. If you unplug the server to bring it to the FBI, disconnecting it erases part of the server’s memory. What was much more useful to the FBI was for us to create an exact copy of the contents of the relevant servers, laptops and other devices. This was much like when the police investigate a robbery. They don’t need to take the surveillance cameras back to the office with them; they need what was recorded on them. The FBI sent us an itemized list of the things they wanted us to provide for their investigation and CrowdStrike helped us check off every item on that list.

  Making those clones so that the FBI could conduct a thorough investigation was expensive. The software we needed was expensive, too. Even more expensive was the suggestion to bring on what they call an incident response team. These are the computer whizzes employed by every big company. They are the ones who respond when an outsider breaks into the system. They have decades of experience blocking these intruders, and that kind of knowledge does not come cheap.

  Late in August Nicole Wong, a member of our cybersecurity task force, had a great idea. Why didn’t the DNC recruit volunteers?

  When she first suggested this I thought it would never happen. I mean, these antihackers are much in demand, make huge salaries, and likely were not at all interested in politics. Maybe I was betraying my bias here, but I could not imagine a world in which these top professionals would want to leave the comfort of their California homes and come to DC to live in some rented house so that they could help out the DNC. Why would people want to invite that stress into their lives?

  Nicole knows this world better than almost anyone, having served as a deputy U.S. technology officer in the Obama administration and also as a vice president and deputy counsel at Google and the legal director for products at Twitter. She assured me that my bias was just that. What would appeal to them, she said, is that this was a hard problem, just the kind of thing that they enjoy. She assured me that they liked few things better than being dropped into the middle of a high-stakes crisis. This is when they feel the most alive and on their game. The aspect of our problem that would attract them was that they would be going after the Russians, an adversary few of them had faced before. Plus, Nicole said, the limited nature of the job—only until the election—was something else they’d like. They could come in, do their best, and go home knowing they had done something great for the country.

  Well, all right then, Nicole. A big part of me still did not believe her. I mean, living in this fearful atmosphere every day since I became interim chair made me think that no one in their right mind would say hell yeah to this mess. As with all things cyber, my instincts were off by a wide margin. Nicole knew all the people we needed to tap on the shoulder. Her first calls were to three senior-level engineers who, in turn, reached out to their friends and got recommendations for others whom Nicole might want to talk to about this opportunity.

  One of her first calls was to Heather Adkins, with whom she had worked at Google. Nicole described Heather as “the best of the best,” someone everyone talked reverently about. Heather kept a low profile but was well-known in the world of cybersecurity. Nicole also called Ryan McGeehan, who led the incident response team for Facebook for many years and has a great reputation in the industry. When I heard he was from Facebook I was impressed. Imagine how many different evil forces, domestic and international, are trying to wiggle their way into Facebook every minute of the day, as well as the scams and the fake identities he would have to deal with in that job. Our little DNC hack was nothing compared to that, except for the global consequences.

  Ryan, in turn, recommended Rob Witoff, who was in charge of infrastructure and security at Coinbase, the largest crypto-currency firm in the world, and who had previously worked at Jet Propulsion Laboratory on lasers for the International Space Station. Rob was well known for his skills as an engineer as well as his effectiveness at leading teams.

  All of these top professionals she called were excited about the assignment. “It just goes to show how passionate people were about protecting the vote,” Heather said. I couldn’t argue with that! Nicole said she was looking for two things in members of this team: engineers who were the best in the business and also knew how to get along as a team.

  The assignment was short—at most a month but she thought it might be much shorter—and any ego clashes or individuals who were using this as a way to advance their careers might slow progress. By the end of September Ryan and Rob agreed to relocate to DC for the first two weeks of October.

  Heather and Nicole flew to DC on September 26 to assess the situation so that they could describe it to the volunteers before they arrived. What they found was a system they saw as functional, but not very well maintained. The analogy Heather used was driving an old car from the 1970s. “It’s barely running and you keep duct-taping it together,” she said. “It will get you from point A to point B, but it does not have many safety mechanisms.” Still, the situation was familiar to them. As Nicole said, “It was not something we hadn’t seen before.”

  Perhaps this was why Rob thought that he would be in DC only for a week or two. “Everyone I spoke to said that things were not that bad,” Rob recalled. “They just needed a little help to make sure that things did not get worse.” He and his girlfriend had planned a trip to Paris for the end of October. His assumption was he’d spend a few weeks helping the DNC get its system ready for Election Day, and then he’d meet up with his girlfriend in France.

  Ryan McGeehan and Rob arrived in DC on the same day and the next morning made their way to the DNC to take a look at our system. The computer space at the DNC is a thin room on the first floor that wraps around the side of the building. Rob and Ryan arrived there on October 5, only five days after they’d spoken with Nicole, carrying brand-new laptops they bought especially for this task. These machines had never been connected to the Internet before they arrived with them in DC, and Rob and Ryan used fresh email addresses and user names because they assumed that any computers connected to the DNC network would be compromised. That morning they met first with Andrew Brown, our CTO, to discuss the challenges they needed to address, and then Andrew took them into the belly of the cyberbeast.

  Andrew, Ryan, and Rob had just stepped foot into the computer room when someone popped up from his cubicle.

  “Guys, I think we have a problem here,” the technician said. “I just got a call from MIS and they say we’re under attack.”

  “This is a pretty shitty welcoming gift,” said Ryan. He opened up his laptop and signed into the system. Rob pulled over a whiteboard and started to work on the incident timeline. They had been in the DNC less than a minute and they were already in the middle of our crisis.

  FOURTEEN

  October Surprise

  We were one month away from the election and I was worried about an October Surprise. Campaigns are always jittery in October. They suspect their opponents have saved something to leak to the press that will disrupt the campaign without leaving enough time to recover. Often these fears prove to be unfounded. But after the surreal campaign of 2016, an October Surprise felt almost inevitable.

  Lauren Dillon, the research director of the DNC, thought the surprise would come from WikiLeaks. She was in charge of monitoring the WikiLeaks dumps and analyzing their contents. Whoever at WikiLeaks was deciding what to drop and when had a sophisticated understanding of American politics. The emails they dumped right before the Democratic convention were cherry-picked to create the maximum disruption inside the Democratic Party. As October opened, Lauren cautioned that something bigger than all that had come before was likely to hit us soon, and I tried not to imagine what that could be. My experiences with October Surprises seemed irrelevant to a campaign that suffered three or four surprises each day.

  I couldn’t spend much time thinking about what might come, because in the front of my mind was the hacking and Brandon. I was making progress on both. Hacker House was up and running. And Brandon was out of my hair! As the month of September drew to a close, the tension between Brandon and me had gone from subtle to visible. When I described my goals and strategies at staff meetings, Brandon often rolled his eyes as if I was the stupidest woman he’d ever had to endure on his climb to the top. He openly scoffed at me, snorting sometimes when I made an observation. He and his buddy Doug Thornell sat together at the end of the table exchanging knowing looks whenever I opened my mouth. I bet they talked about me often. I wondered what my nickname was. This condescension infuriated my assistant, Anne, who saw this behavior as outright sexism, but I didn’t have time for that. I just wanted him to go away. Every time I saw him in the office my stomach flipped. I sent an email to Brooklyn saying that I was done with him. I wanted him out of the DNC but Brooklyn objected to firing him. Then suddenly God sent me a miracle: the Forward Together Bus Tour.

  Someone in Brooklyn, maybe Brandon, came up with the idea of getting two big buses and painting them bright blue with FORWARD TOGETHER and slogans about voting and registering to vote on their sides. Brandon took charge of this effort. One bus would start in St. Louis, then circle the Midwest before heading west toward California. The other would head east and south from Ohio, focusing on the Rust Belt, Mid-Atlantic, and South. Brandon was working nonstop on the locations for the visits and arranging for local celebrities and politicians to meet them at the stops. I told Brandon I thought this was a great idea and that he should really devote a lot of time to making sure that it was a success. He was too busy going FORWARD TOGETHER to get all up in my business. Plus he seemed to be enjoying making this contribution to the campaign, so it was good for all.

  After I taught my class at Georgetown October 5, I flew to Boston the next day for an event and a little fun with Mary Matalin at a forum on women and politics at Boston College. The next morning Ray Buckley picked me up at 9 a.m. for a full day in New Hampshire that would include some time that afternoon campaigning with Bernie and Maggie Hassan, who was running for Senate. I was looking forward to seeing both of them.

 
