Fast responses to cyber threats and perfect accuracy don’t always go hand in hand, a cyber pro who worked on the alleged DNC hacking attempt says.
The public should applaud the Democratic National Committee’s efforts to thwart an apparent attempt to hack its voter database—even though that hack turned out to be a false alarm, a researcher who helped uncover the operation told Nextgov Thursday.
The DNC alerted the FBI about the attempted breach on Tuesday after being tipped off by the cybersecurity firm Lookout and the cloud company DigitalOcean, according to media reports.
The companies had spotted a phony log-in page designed to con DNC staff into giving up their usernames, passwords and other credentials.
By Thursday, however, the DNC had learned the phony log-in page was actually friendly fire: a test set up by a state Democratic party to gauge employees’ ability to withstand phishing attempts.
In the wake of the news, DNC Chief Security Officer Bob Lord told Politico the party organization would implement new safeguards to ensure the national party is in the loop about any anti-phishing work beyond basic training for employees and volunteers.
The DNC should not be embarrassed about the alert, however, said Mike Murray, Lookout’s vice president for security research, who called the alert a model for successful information security operations.
“I’ve seen a few categorizations of this as a mistake and, to me, the process worked perfectly,” Murray told Nextgov. “The alarm rang with our [artificial intelligence] for phishing, everyone got on the phone exactly right. We did the investigation and took the [phishing] site down before anything could have happened. That’s exactly how we’d want to act if it turned out to be someone really bad.”
Murray compared the scenario to a fire alarm going off: You want the firetrucks and hoses to show up even if it does turn out to be a false alarm.
“From an information security perspective, this is the way it’s supposed to look when it works well,” he said.
That position was echoed by information security professionals on Twitter.
Thomas Rid, a Johns Hopkins University security studies professor, tweeted that “a mock red-team attack that is closely held and quickly discovered is exactly what you want to happen.” Google information security lead Heather Adkins tweeted that organizations should be “bias[ed] towards action when hacked” and should perform “blameless post mortems” afterward.
While the information security outcome may have been all positive, things were a little more complicated in the realm of strategic communications.
A substantial percentage of Americans are skeptical about the U.S. intelligence community's conclusion that Russian government hackers meddled in the 2016 election, including by hacking DNC emails. A false alarm about DNC hacking in 2018 might breed more skepticism.
That’s a complex problem without an easy answer, Murray said.
“I’m not a communications person. I’m not a policy person, so I don’t have answers for those questions,” he said, adding “I don’t envy people who have to solve those problems.”
The problem is made more complex because the organizations that do the most effective phishing testing are also going to be the toughest to distinguish from actual threat actors, Murray said.
Those are also the testers that an organization like the DNC, which is a very juicy target for sophisticated nation-state hackers, ought to be hiring, he said.
The process of attributing who is behind an attack—versus merely discovering the attack and mitigating or neutralizing its effects—is also devilishly complicated.
It wasn’t until 2013 that the cybersecurity firm Mandiant, which was later acquired by FireEye, released its first report attributing a hacking campaign to a nation-state hacking group. It was a year later that the Justice Department brought charges against those hackers, from China’s People’s Liberation Army, in what amounted to the first U.S. government attribution of a nation-state hacking campaign.
The result is that cyber firms and their customers typically move very fast on thwarting attacks and only begin to worry about attribution later.
“Some people in the public want early warning and some people want perfect correctness and those aren’t always aligned outcomes,” Murray said.
Those factors may not make mix-ups like the DNC alert inevitable, but they do show why such mix-ups might be more likely, he said.
“The good guys coordinating and winning is the good part,” he said. “Even though it turned out to not be serious after the fact, you don’t know that until you’re there and you’ve done the work. I’ve worked with very few responses that were coordinated this effectively and moved this fast in my entire career.”