The American intelligence community is convinced beyond a reasonable doubt that the Russians breached DNC computers in an attempt to influence the American election. The Russian authorities say they didn’t perpetrate the cyber attack and deny any attempt to influence a US Presidential election. Meanwhile, the press continues to play the too familiar “blame game” focused on who was responsible for the 2016 DNC data breach.
However, while the coverage of and contention over the perpetrators of the DNC data breach continue, little attention has been paid to the failed security practices of the DNC and other government groups.
Here are the facts surrounding the DNC breach:
- FBI Special Agents warned the DNC of a potential network intrusion in September 2015!
- Approximately seven (7) months later, in April 2016, the DNC took action by calling in a leading cybersecurity firm to investigate.
- In June of 2016, nine (9) months after the federal warnings of an intrusion, the attackers were finally removed from the DNC network.
- In addition, the contracted cybersecurity firm determined that the cyber intruders had been inside the network for approximately 1 year - about 3 months before the U.S. Federal authorities first warned the DNC of a potential breach.
Adding to the DNC’s IT security woes, John Podesta, Hillary Clinton’s campaign chairman and White House Counselor to President Barack Obama, was the victim of a successful phishing attack that resulted in the release of nearly 50,000 e-mails (about 10 years’ worth), revealing the inner workings of the Clinton campaign. Still worse, the DNC breach occurred around the same time as additional, little-discussed breaches of U.S. Government systems at the State Department and the White House.
These events illustrate that cybersecurity practices and attitudes about protecting data remain significant vulnerabilities and probable causes of successful data breaches within multiple government systems. That said, the blame game and the focus on determining the perpetrators of recent government cyber hacking should also include the actions (or in the case of the DNC, the lack of action) of the targeted parties. Had the DNC reacted when first warned, and had cybersecurity measures been taken more seriously in the DNC and elsewhere, these breaches might have been avoided and/or their effects mitigated.
State-sponsored cyber attacks intended to influence elections should also be put into perspective. During the recent Senate cybersecurity hearings, CIA Director James Clapper was asked about Russian activities to influence elections. Director Clapper responded, “I will say there's a history here for the Soviet Union, Russia, interfering in elections, both theirs and other people's. There's a history of this where they've influenced the outcome of our elections before.” When Clapper was asked about Vladimir Putin’s claim that the United States has engaged in the same activity, Clapper replied, “People live in glass houses, I guess. It applies here.” Bottom line: cyber espionage and election influencing are conducted by many nations… including the United States.
Despite the controversy over Russian hacking, one thing is certain: cyber espionage, cyber attacks, and cyber crime perpetrated against US companies and government entities will continue to expand in volume and veracity in 2017 and beyond. While we tend to focus on the perpetrators of these attacks and what retaliatory steps should be taken, we should also hold the attacked party responsible for the state of their cyber preparedness.
Cybersecurity measures are already mandated across several industry segments, and in the next few years the U.S. Government will likely take a hard look at the possibility of imposing mandates on many other business segments as well. Despite these measures, it is imperative that every business re-evaluate its cybersecurity measures, including traditional perimeter and layered defenses, real-time threat detection capabilities, employee-based cybersecurity training, response policies… and more.
The too common cybersecurity blame game always takes a hard look at the perpetrators. It should also include a long and careful preemptive look in the mirror.