Democratic National Committee Creates A 'Cybersecurity Board' Without A Single Cybersecurity Expert
from the this-is-not-good dept
The Democratic National Committee, still reeling from the hack on its computer system that resulted in a bunch of leaked emails and the resignation of basically all of its top people, has now created a “cybersecurity advisory board” to improve its cybersecurity and to “prevent future attacks.”
“To prevent future attacks and ensure that the DNC’s cybersecurity capabilities are best-in-class, I am creating a Cybersecurity Advisory Board composed of distinguished experts in the field,” interim DNC Chairwoman Donna Brazile wrote in a memo. “The Advisory Board will work closely with me and the entire DNC to ensure that the party is prepared for the grave threats it faces—today and in the future.”
Sure. That sounds like a good idea. But, then there’s this:
Members include Rand Beers, former Department of Homeland Security acting secretary; Nicole Wong, former deputy chief technology officer of the U.S. and a former technology lawyer for Google and Twitter; Aneesh Copra, co-founder of Hunch Analytics and former chief technology officer of the U.S.; and Michael Sussmann, a partner in privacy and data security at the law firm Perkins Coie and a former Justice Department cybercrime prosecutor.
I’ve met and/or dealt with Chopra (misspelled Copra in the article) and Wong — and both are very smart and good policy people. The other two seem to have good policy chops as well. But none of them are actual cybersecurity experts. I have no problem with these people being on this advisory board, but it’s insane to put together a cybersecurity advisory board that doesn’t include at least a single (and probably more) actual technologist with experience in cybersecurity. And that’s doubly true when the goal of the board is to help the DNC with its own cybersecurity.
If the goal of the board was to advise on cybersecurity policy, then the makeup of it is at least slightly more understandable, but that’s not the goal. It’s to actually improve the cybersecurity of the DNC. Even if the goal were just policy, having someone with actual technology experience with cybersecurity would be sensible. Again, I don’t think there’s anything wrong with these four people on the board if they also included some actual technologists who understood this stuff at a core level. Instead, they’re just asking for more problems.
Filed Under: advisory board, aneesh chopra, cybersecurity, democratic national committee, dnc, michael sussmann, nicole wong, rand beers
Comments on “Democratic National Committee Creates A 'Cybersecurity Board' Without A Single Cybersecurity Expert”
Politicos appoint politicians, politics ensue. News at 11.
Re: politicians
Probably the actual problem there – they don’t know anyone else, and if you add in the usual management “you don’t need to understand something to manage it” attitude you end up with an advisory board full of chiefs, who will probably direct that an external company (that they have a financial interest in, naturally) be directed to generate a report, which they will then pass on….
2016 Write-In Campaign
Snowden/Manning for President/Vice President
Re: 2016 Write-In Campaign
one step ahead of you, citizen, wrote them in last election cycle…
I'm sure they can do it.
The politicians just need to politician harder!
They probably didn't have a choice.
I mean seriously. Would YOU work these fucks?
Re: They probably didn't have a choice.
I mean seriously. Would YOU work these fucks?
I can assure you there are plenty of cybersecurity experts who would be happy to work for the DNC (RNC too, for that matter).
Re: Re: They probably didn't have a choice.
Yes, there are. I’m one of them. (30+ years experience at multiple Fortune 500 companies and several major universities. Spent the last eight years building and defending a medical database system that grew from 10’s of gigabytes to half a petabyte. And so on.) I applied for the open security expert position at the DNC and heard nothing back. Not even a “no thank you”. Nothing.
And with all due respect to these folks: now is not the time to craft policy. That’s a lengthy and careful debate. Now is the time to deploy systems that are as secure as possible given time constraints — noting that there’s an election in three months and that something that solves 90% of the problems for 90 days is better than something that solves 99% of the problems but won’t be operational until 2018.
Re: Re: Re: They probably didn't have a choice.
If you’ve been in the business 30 years and you’re close enough to the metal to know WTF is going on you’re not doing it right. Not to mention that 30 years predates Internet security as a concept. (oops)
Which is quite the point. Yeah, there are plenty of people willing to pad their resumes with a “I worked for the DNC YAY, I met etc. etc.”. But no, these are not the people who are going to fix these problems.
You cannot hitch your wagon to a star here. There is no star. Just a big black hole sucking in talent and converting into misery. These guys are looking for scapegoats. People with NPD don’t have advisors. They have minions. And if you’ve been in the industry for 30 years, one would think you’d have read that from a mile away.
Lamachus: Ah! the Generals! they are numerous, but not good for much!
Re: Re: Re:2 They probably didn't have a choice.
“30+ years experience at multiple Fortune 500 companies and several major universities.”
“Spent the last eight years building and defending a medical database”
“Not to mention that 30 years predates Internet security as a concept. (oops)”
Um… didn’t see where AC said he was in Internet security or claimed to have been for 30+ years. (oops)
Re: Re: Re:2 They probably didn't have a choice.
If you’ve been in the business 30 years and you’re close enough to the metal to know WTF is going on you’re not doing it right. Not to mention that 30 years predates Internet security as a concept. (oops)
You are so very wrong that it’s difficult to know where to begin. Let me just hit a couple of high points.
First, I am doing it right, by doing exactly what I wish to do. I’ve repeatedly refused promotion because I want to be close to the metal. That refusal is exactly why I’m very, VERY good at what I do.
Second, you are clearly ignorant of history. Not only does Internet (ARPAnet, BITnet, Usenet, CSnet) security as a concept go back more than 30 years, it’s been nearly 30 years since one of the significant milestones: Morris worm, 1988. I’m sure that a mere ignorant newbie like you doesn’t know any of this because you weren’t there and you’re too lazy to read, but everyone who was around at the time and everyone who’s taken the time to do two minutes’ worth of perfunctory research knows that you are dead wrong.
There’s more, but I’ll stop there. The bottom line is that you are completely, hopelessly wrong and clearly require remedial education — that is, IF you’re capable of learning.
Well, perhaps it’s better this way. It leads to a more transparent government body…
Re: Re:
That IS one natural consequence of not hiring any security experts when planning your security systems, yes.
This was the only way they could be reasonably certain that the Advisory Board would give the advice they want to hear.
Unless the Cybersecurity expert’s resume looks like a check with 5 or 6 zeros, don’t expect one on any DNC board.
These are EXPERTS!!
You clearly don’t understand.
Why are you disrespecting these fine policy experts?
POLICY is what’s important. Mere technical expertise is never as important (or as valuable) as that. I’m sure these geniuses will take a few minutes to research the technical issues. That should be more than sufficient, right?
All problems are solvable with just the right policy, right?
/s
Re: These are EXPERTS!!
What? You mean they’re not really cybersecurity experts? You mean the party of Clinton lied, again?
Re: These are EXPERTS!!
Well, all they really need to do is type “Activate security systems” on their computer and then they’ll be totally secure. Surely Hollywood didn’t LIE to them!
Re: Re: These are EXPERTS!!
#. 6. #. 5
They may not really want actual security
If they got actual cybersecurity, then they would only be ripping it out again once Comey and others get their way of removing all encryption and cybersecurity from the US part of the internet.
Adding real cybersecurity to the DNC now might undermine both parties’ objective of taking away everyone else’s cybersecurity.
Maybe the price, maybe mostly already paid in loss of top people, is not so high as to warrant getting actual cybersecurity. Just look like you’re outraged and trying to do something about it. Appoint a board full of know nothing politicians.
Re: They may not really want actual security
Or maybe it’s because if elections were truly secure, it would be MUCH harder, perhaps even impossible, to rig them?
Given the parties’ wanton disrespect for digital privacy rights,
I don’t see a lot of people coming out of the woodwork to offer them help. And even if they did, they’d probably be moles.
HRC is to digital privacy as John Kerry was to “binders full of women”, or racists are to: “I’m not racist, I have black friends!”. Bigots blinded by narcissism.
I think this election cycle you’re going to see some honeypot logs disclosed which are going to say quite a few disturbing things about the state of politically motivated hacking in this country. My guess is the DNC will be one of the bigger beneficiaries.
Personally I think the Trump “2nd Amendment” gaffe and the HRC “coward” comment were coordinated between the parties.
It was basically the same move as the broken fresh condenser message at the battle of midway. The purpose of it was to increase chatter for a planned broad spectrum attack against nonconformist forums. Techdirt probably being among them.
Congrats Techdirt! You’ve now joined the ranks of other terrorist organizations like the ACLU and Greenpeace.
Johnson/Weld:
Because Trump would push the button for fun, and HRC would push it to be prom queen.
Re: Given the parties’ wanton disrespect for digital privacy rights,
HRC is to digital privacy as John Kerry was to “binders full of women”, or racists are to: “I’m not racist, I have black friends!”. Bigots blinded by narcissism.
— Please forgive the nitpicking, but I think you mean “Willard ‘Mitt’ Romney” and his “binders full of women.” Secretary Kerry has his problems (which have nothing to do with Swift Boats, despite what the political hitmen told us), but his flaws don’t amount to a flea on the back of that spoiled, oblivious, self-entitled, religious fanatic.
Just one question:-
Who is going to implement the policy these people come up with.
Re: Re:
Implement? Does not compute.
All they have to do is pat themselves on the back hard enough and all the good things happen. Yup. Now move along.
Re: Re: Re:
haven’t you ever heard that ideas are what is important and not execution?
Re: Re:
“Who is going to implement the policy these people come up with.”
No, no, no, you’re doing it wrong.
Remember, all committees, oversight and advisory boards, managers and bureaucrats must first plan how to have a plan. Always.
The aim here is to create a plan to have a plan. That plan will probably call for a committee to be set up to consider how to implement the plan to have a plan. They’ll need a plan to do that.
national security
i find it odd, that the nsa and other agencies aren’t obliged by law to protect the 2 parties involved. non-partisan support of professionals instead of the work of well meaning amateurs, because there is too much at stake. it’s getting harder each day to take the usa seriously, with news like this every other day. nothing more than a shiny empty shell.
Re: national security
Political parties are no different than any other organization and not entitled to any special treatment. They are not legitimized by the Constitution and many of the founding fathers warned of the dangers of political parties.
If they are as dishonest as the leaked emails show, they should be locked up, not protected.
It's not about cybersecurity
If it is a Clinton-involved scheme it only means that the appearance of seriousness is all that matters.
With so many non-experts, their talking points will be best-in-class.
And this was unexpected?
Sadly, not. DNC is a political entity, politics is mostly about policy. So they addressed the issue with the only hammer in their toolbox. A committee of policy politicos.
Doomed to failure.
It’s not whether you lose your data, it’s how you play the blame.
DNC Cybersecurity
I don’t understand why Bryan Pagliano and Rajiv Fernando weren’t appointed.
brought to you by the same folks that paid for seat fillers to pretend they were delegates.
Has everything to do with looking good and nothing to do with doing what is right or appropriate
Time will tell
First, those people will probably find and ask for help from experts. They will design policies, which is their job, by using their input and trying a best-fit with political objectives.
Now, the risk is they do their stuff without asking the best experts in the field.
We will see. If they do not bring around them experts, the next time they will get owned again, and it will hurt even more.
Hackers will exploit the weakest link. As the venerable security expert Bruce Schneier explained: security is a link. It is not stronger than the weakest of its links.
They are all Legends in their own Minds
“Okay, where do we start? I want some ideas people”
“We could update Abode’s Flash Flyer. They got that McCafee thingy that downloads with the update and it’s FREE! Oh, you also get a new search engine… FREE!”
Right then. Let’s do it. OK people. Great day! See all next week.
but isn’t that the whole aim of the starting of these sorts of boards? what’s the point of having one that consists of people who know exactly what they are talking about and can vote to stop things that are good for the people? that would never do!!
Failure from the onset
Job description:
“To prevent future attacks and ensure that the DNC’s cybersecurity capabilities are best-in-class, I am creating a Cybersecurity Advisory Board composed of distinguished experts in the field,” interim DNC Chairwoman Donna Brazile wrote in a memo. “The Advisory Board will work closely with me and the entire DNC to ensure that the party is prepared for the grave threats it faces—today and in the future.”
Yet picked not a single person with a technical background. I guess they can always just shut down the servers for a little while. 😉
Day 1:
Encryption is bad m’kay…
Day 23:
Encryption, not so bad after all – can someone google my emails.
Get with the times, man (DNC).
In every conference room,
in every ISP, and in every major software vendor, there has been a conversation repeating for years.
Invariably it is a bunch of marketing people and execs asking technicians to do things that violate fundamental principles of civil liberty.
In most cases there are at least one or two guys who have been saying “this is going to bite us in the ass”, the whole time.
The DNC has aligned itself with lobbyists from every organization where these abusive practices have been most active, and where political means have been brought to bear to make the situation progressively worse.
So some chickens have come home to roost for the DNC. Must be a bitch. Good luck with that. Wonder if they want to borrow a book?
Yeah. Thought not.
And they want my vote? At what point have they shown any respect for the electoral process itself? They regard my vote with contempt. They regard the sovereignty of the individual mind with contempt.
If they want my vote they’re going to have to do what Bush did, and hire somebody who used to work for Diebold, and steal it. And my guess, based on their history, is that that is exactly what they will do.
Politics in the 21st Century
Democratic National Committee Creates A ‘Cybersecurity Board’ Without A Single Cybersecurity Expert
This is exactly how politics works!
It seems we've completely forgotten the Enlightenment.
Nothing about us without us… ?
I suppose it means whatever policies they implement will be unenforceable and entirely circumventable.
see no firewall, hear no antivirus, speak no VPN
Well of course they didn’t want any security experts around. They are so annoyingly know-it-all.
Real information might get in the way of their plans to quash that pesky encryption thingy in the bill their name is on.
Aneesh Chopra's bro Rajeev
See Rajeev Chopra, his brother