<div dir="ltr"><a href="https://www.bloomberg.com/news/articles/2016-07-27/democrats-said-to-ignore-cybersecurity-red-flags-before-theft">https://www.bloomberg.com/news/articles/2016-07-27/democrats-said-to-ignore-cybersecurity-red-flags-before-theft</a><br><br>The Democratic National Committee was warned last fall that its
computer network was susceptible to attacks but didn’t follow the
security advice it was given, according to three people familiar with
the matter.<p>The missed opportunity is another blow to party
officials already embarrassed by the theft and public disclosure of
e-mails that have disrupted their presidential nominating convention in
Philadelphia and led their chairwoman to resign.</p><p>Computer security
consultants hired by the DNC made dozens of recommendations after a
two-month review, the people said. Following the advice, which would
typically include having specialists hunt for intruders on the network,
might have alerted party officials that hackers had been lurking in
their network for weeks -- hackers who would stay for nearly a year. </p><p>Instead, officials didn’t discover the breach until April. The theft ultimately led to the <a title="Sanders Demands DNC Chief Quit After Damaging E-Mail Leak (1)" href="http://www.bloomberg.com/politics/articles/2016-07-24/sanders-calls-on-dnc-chief-to-resign-while-still-backing-clinton">release</a> of almost 20,000 internal e-mails through WikiLeaks last week on the eve of the convention.</p><p>The
e-mails have devastated party leaders. Representative Debbie Wasserman
Schultz, the DNC chairwoman, has agreed to resign at the end of this
week’s convention. She was booed off the stage on opening day after the
leaked e-mails showed that party officials tried to undermine the
presidential campaign of Senator Bernie Sanders in favor of Hillary
Clinton, who was formally nominated on Tuesday evening. Party officials
are supposed to remain neutral on presidential nominations.</p><h3>Russia Suspected</h3><p>The
Federal Bureau of Investigation is examining the attack, which law
enforcement officials and private security experts say may be linked to
the Russian government. President Barack Obama suggested on Tuesday that
Russia might be trying to interfere with the presidential race. Russian
officials deny any involvement in the hacking and <a title="Russia Denies Trying to Influence U.S. Presidential Election" href="http://www.bloomberg.com/news/articles/2016-07-27/russia-denies-trying-to-influence-u-s-presidential-election">say</a> they’re not trying to influence the election.</p><p>Donald Trump, the Republican presidential nominee, <a title="Trump Denies Ties to Russia, Says He Hopes It Finds Dirt on Clinton" href="http://www.bloomberg.com/politics/articles/2016-07-27/trump-denies-ties-to-russia-says-he-hopes-it-finds-dirt-on-clinton">said</a>
Wednesday that he didn’t think Russia was behind the attack. But he
also said he hoped the Russians would get their hands on e-mails that
Clinton exchanged using a private server while she was secretary of
state, to expose any e-mails she might have deleted.</p>The
consultants briefed senior DNC leaders on the security problems they
found, the people familiar with the matter said. It’s unclear whether
Wasserman Schultz was present. Now, she is likely to face criticism over
not only the content of the e-mails -- including one in which a party
official proposes pushing stories in the news media questioning
Sanders’s Jewish faith -- but also the failure to take steps to stop the
theft in the first place.<p>“Shame on them. It looks like they just
did the review to check a box but didn’t do anything with it,” said Ann
Barron-DiCamillo, who was director of US-CERT, the primary agency
protecting U.S. government networks, until last February. “If they had
acted last fall, instead of those thousands of e-mails exposed it might
have been much less.”</p><p>The assessment by Good Harbor Security Risk
Management, headed by the former Clinton and Bush administration
official Richard Clarke, occurred over two months beginning in September
2015, the people said. It included interviews with key staff members
and a detailed review of the security measures in place on the
organization’s network, they said.</p><h3>Security Flaws</h3><p>The
review found problems ranging from an out-of-date firewall to a lack of
advanced malware detection technology on individual computers, according
to two of the people familiar with the matter. The firm recommended
taking special precautions to protect any financial information related
to donors and internal communications including e-mails, these people
said.</p><p>The DNC paid $60,000 for the assessment, according to federal filings.</p><p>Mark
Paustenbach, a spokesman for the DNC, declined to comment on the Good
Harbor report. Emilian Papadopoulos, president of Washington-based Good
Harbor, said he couldn’t comment on work done for a specific client.</p><h3>Missed Warnings</h3><p>The
security review commissioned by the DNC was perhaps the most detailed
of a series of missed warnings. Officials at both the Republican
National Committee and the DNC received government briefings on
espionage and hacking threats beginning last year, and then received a
more specific briefing this spring, according to another person familiar
with the matter.</p><p>Cyber-security assessments can be a mixed
blessing. Legal experts say some general counsels advise organizations
against doing such assessments if they don’t have the ability to quickly
fix any problems the auditors find, because customers and shareholders
could have cause to sue if an organization knowingly disregards such
warnings.</p><p>Papadopoulos said a risk analysis by his firm is
designed to “help an organization’s senior leadership answer the
questions, ‘What are our unique and most significant cyber security
risks, how are we doing managing them, and what should we improve?’ ”</p><p>The
firm typically recommends that clients conduct a so-called breach
assessment to determine whether hackers are already lurking in the
network, Papadopoulos said. He wouldn’t confirm whether such a
recommendation was among those delivered to the DNC.</p><p>“We give
recommendations on governance, policies, technologies and crisis
management,” he said. “For organizations that have not had a compromise
assessment done, that is one of the things we often recommend.”</p><p>It
isn’t certain a breach assessment would have spotted the hackers,
according to Barron-DiCamillo, but it would have increased the chances.
“Why spend the money to have Good Harbor come in and do the
recommendations and then not act on them?” she asked.</p></div>