In the good old days, we used to worry about organizations failing to report online intrusions or attempted breaches for fear of attracting unwanted negative publicity, lawsuits, and copycat hackers. So it’s hard to know what to make of the Democratic National Committee’s announcement Thursday morning that, far from concealing cybersecurity incidents, it has in fact been over-reporting them: It disclosed to the FBI an attempted breach that it later determined to be merely a “false alarm.”
The DNC initially told the FBI on Tuesday that it had detected someone trying to access the committee’s voter database using a phishing page that would capture login credentials. That story was reported earlier this week, attributed to a “Democratic source,” after cybersecurity firm Lookout alerted the DNC to the existence of a fraudulent website designed to look like the page DNC officials use to log in to database service Votebuilder. At the time, the phishing site was removed by its host, cloud computing platform DigitalOcean, and DNC chief security officer Bob Lord reportedly briefed party officials on the attack on Wednesday at a meeting of the Association of State Democratic Committees in Chicago.
But the DNC later recharacterized the incident as a “test.” It’s not clear exactly what the DNC means by that, though, since Lord later told the New York Times that the DNC had not authorized the test itself. In other words, someone without the DNC’s permission tried (and apparently failed) to access sensitive voter records to “test” the Committee’s cybersecurity. But rather than a hacking attempt, it’s being rebranded as a false alarm. What exactly is going on here?
Certainly, it’s a common (and recommended) practice to hire professional penetration testers to test out an organization’s computer security and identify vulnerabilities. That happens within very clear, pre-defined parameters, however—the organization works out a clear contract with the pen-testers in advance detailing what they’ll be doing and when they’ll be doing it.
Whatever happened at the DNC, it was clearly somewhere in a grayer area between pen-testing and malicious hacking, given Lord’s assertion that the tests were not authorized by the Committee. After all, who’s to say when an unsolicited attempt to access an organization’s computers morphs from being a generous donation of testing services by an unknown hacker to a malicious intrusion attempt?
The most generous interpretation of what happened here is that the DNC is overcorrecting to some extent for not cooperating more with the FBI in the months leading up to and following the 2016 election. Perhaps someone at the DNC saw the logs recording this intrusion and, out of an abundance of caution given recent stories about Russian hacking attempts directed at political targets, immediately called it in to the FBI, in an attempt to forge a stronger partnership with the agency and work more closely with its investigators. Then, later on, when people realized what had happened—or how trivial the incident actually was—they decided to dial back that rhetoric and rename it with the reassuring “test” label.
I’m sympathetic to—and generally enthusiastic about—the DNC and other political organizations erring on the side of over-reporting security incidents to the FBI rather than under-reporting them. It’s understandable that the DNC wants to be sure that every possible red flag is investigated and nothing is being withheld from the FBI. Certainly, it seems less deliberately self-serving than the Federal Communications Commission’s false report of a denial-of-service attack back in 2017 when its website’s online commenting system crashed in the midst of the rollback of net neutrality regulations.
But even so, the DNC is apparently confused about what is happening in its networks and whether the incidents it’s witnessing are malicious intrusion attempts, or merely unsolicited security tests about which it had no prior knowledge. That does not inspire great confidence. If the DNC is as all over cybersecurity as one would hope (and expect) it to be after the 2016 elections, it should have a comprehensive network monitoring system in place and enough trained security professionals to be able to use that system to distinguish between routine online noise and more concerning incidents requiring further investigation. Moreover, it should know exactly what is being done to test its networks at any given moment and who is doing the testing.
What happened this week makes it sound like the DNC doesn’t know how to tell the difference between serious and less serious intrusion attempts and possibly also doesn’t understand that security testing should, in fact, be both authorized and solicited by an organization. A random outsider trying to access your voter database without your prior knowledge or consent is not a test or a false alarm—it’s a reason for concern. As is the DNC’s continued incompetence when it comes to cybersecurity.