Staffers at the Democratic National Committee are getting better at spotting phishing emails, a skill that became a top priority after Russian-linked hackers breached the DNC during the 2016 U.S. presidential campaign, according to Chief Technology Officer Raffi Krikorian.
Krikorian and his team have been challenging their colleagues to spot fake malicious emails. Since September of last year — primarily through a phishing simulation platform named Wombat — the DNC’s tech team has been targeting co-workers as part of a broad effort to evaluate internal cybersecurity risks. Staffers are graded on their ability to spot, report and avoid emails that in a real-world scenario might carry malware.
The ongoing exercise is helping Krikorian and DNC Chief Information Security Officer Bob Lord learn how often any person in the organization is likely to click a suspicious email attachment.
“People have such PTSD about what happened in 2016 that there’s a real desire to improve [security] here,” Krikorian said in a phone interview with CyberScoop. “We’re at a point now where recently when our CFO sent a staff email it included the line ‘this is not a phishing email.’ That’s how aware people are of the threat, today.”
For now, the program extends to DNC headquarters staff, state parties and campaigns officially backed by the DNC. Over the next few months, the plan is to expand the phishing tests to other Democratic campaigns vying for a congressional seat in the 2018 midterms.
The overall goal is improve the baseline security practices of a wide group of users that includes in-house staffers, candidates and volunteers spread across the country.
“Nearly 80 percent of our users are now either not clicking or at least asking questions about it beforehand,” Krikorian explained. “Being realistic we’ll probably never get to 100 percent compliance but we’re working on it … it’s important that people flag something, anything that seems suspicious … A lot of that happens through Signal to Bob [Lord] or to our help desk, so that we’re informed.”
Signal is an encrypted communications app that’s now widely used inside the DNC as a substitute to traditional email.
The DNC wants to get Democrats to follow a five-point checklist of best security practices that Krikorian recently distributed.
The recommendations include directions to adopt two-factor authentication (2FA) where applicable for account logins and downloading a password manager. For example, the DNC has been pushing all its staff to configure 2FA for both their professional and personal email accounts.
In a recent “data bootcamp” event held last week, Lord and others called on all campaign organizers with administrator access to NGPVan, a privately owned voter database and web hosting service provide, to immediately set up 2FA.
“If we get hacked again it won’t happen like how it happened in 2016,” Krikorian said. “If we can just raise the baseline security of most people and the campaigns, if we can do the simple things right, than it will have a disproportionally positive effect.”
Krikorian declined to comment on any specific, possibly nation state-linked hacking attempts made against the DNC in recent months.
The DNC provided CyberScoop with its list of security recommendations. It had not been previously made public: