The Democratic National Committee told the press its voter database was hacked on Monday, then Wednesday the DNC’s Chief Information Security Officer Bob Lord issued a statement clarifying the hack was actually a cybersecurity test run by the Michigan Democratic Party.
As this particular attack was a false alarm, it is unclear why the DNC rushed to declare the incident a cyber attack in a scenario similar to the Federal Communications Commission’s (FCC), which was unraveled a few weeks ago.
In fact, the DNC’s rush to judgment suggests it may not be prepared for the upcoming midterm elections despite aggressive efforts to beef up its cybersecurity following the Russian hacks in 2016.
The DNC test, which mimicked a phishing attack, impersonated the DNC’s VoteBuilder login page in an attempt to steal voter and potential voter data. VoteBuilder is the software the DNC uses to store voter data and track interactions with potential voters.
According to a July POLITICO report, the DNC was apparently getting better at catching phishing attacks via tests. POLITICO reported that 80 percent of DNC staffers didn’t click the links in phishing emails, but also pointed out that the DNC has struggled to improve its security and technology culture.
Stuart Madnick, a professor of information technology and engineering systems at MIT’s Sloan School of Management, told InsideSources that he thinks the DNC incident is very similar to the FCC’s. In May 2017, the FCC’s public comment system crashed and the FCC called it a cyber attack, but an Office of the Inspector General investigation recently found it was very unlikely a cyber attack had occurred.
“The thing that’s so odd about all this is how early it was reported,” Madnick said. “Almost any organization nowadays experiences attacks on a daily basis. These things happen all the time. Why this is something they wanted to go and publicize, that’s the mystery. Right now there’s the Russian hacking boogeyman out there so everywhere you turn you see it.”
Madnick also said it doesn’t make sense why the DNC would report the suspected attack to the press so quickly simply because authorities generally advise against it.
“One of the things that’s interesting is, the authorities like the police or FBI will say it’s not a cyber attack so they can investigate it further,” he said. “They saw them get hit before, and this time they guessed it was another cyber attack.”
The DNC could have gone to the press immediately for political purposes to appear as a victimized target (alluding to Republican or Russian interference), but Madnick — and the Center for Strategic and International Studies’ Vice President James Lewis — think the DNC is just “gun-shy.”
“People are jumpy, especially the DNC, about being hacked,” Lewis told InsideSources. “It’s no surprise to anyone that the Russians might try something like this. It’s the flavor of the year to say cybersecurity. People don’t have a lot of experience and it’s very exciting when it’s happening to them and they rush out and say it.”
Madnick said that despite an organization’s best efforts to run tests and prepare for a potential cyber attack, it is often difficult for an organization to truly know when it is being attacked. There’s really “no guarantee,” he said.
Furthermore, the DNC’s rush to call the incident a cyber attack reveals hyper-awareness regarding cybersecurity, which is more a good thing than a bad thing.
“The good news is, what Michigan was doing is exactly what the DNC should have been doing, to see how good their protection is and how alert they are,” Madnick said. “A lot of times they’re trying to see if someone is on alert.”
But even if an organization like the DNC is on high-alert, it could still lose critical, sensitive information to hackers.
Lewis thinks the DNC’s move to report the incident to the press was the right one, even though the DNC ended up being wrong.
“You get punished if you’re caught being attacked and not announcing it publicly,” he said. “Trying to conceal it and then it comes out, and then you look bad. And you think I don’t want that to happen to me, so then you come out and say it’s a cyber attack. It’s complicated. I think they say better to come out and say we were hacked than be caught trying to conceal it.”
Furthermore, he continued, “There’s been a lot of indicators that the Russians are up to their old tricks, so you can see why people came to this conclusion, it was just too early. My thought is people thought better safe than sorry.”
Given all the press coverage regarding election security and the upcoming midterms — with several stalled election security bills in Congress and various states struggling to foolproof their systems — the DNC incident doesn’t exactly instill confidence in midterm elections’ security.
If it’s so difficult for the DNC to tell the difference between a test and a real attack, then it’s unlikely others will know the difference either on Election Day, potentially compromising thousands or millions of voters’ data or votes.
But Madnick thinks midterm concerns may be overblown.
“I think there is a heightened sense of awareness and concern [about] election manipulation, almost to the point of overreacting,” he said. “I would have thought it was in the DNC’s best interest not to report it to the press, by alerting the press, it makes it look more like a real attack, and makes it counterproductive.”
Ultimately, he added, there’s really no guarantee.