The DNC’s Technology Chief is Phishing His Staff. Good.

Credit to Author: Issie Lapowsky | Date: Thu, 07 Sep 2017 10:00:00 +0000

If you are among the millions of Americans concerned about cybersecurity at the Democratic National Committee—and how could you not be?—then the home of the party’s tech braintrust might not give you much hope. The tiny, charmless office, with "DNC Tech" scribbled in dry-erase marker on the door, contains one desk and two computer monitors. Nearby, an overturned couch pokes out from an elevator shaft, a leftover from the widespread departures that followed Hillary Clinton's defeat. And that, of course, came after intruders, believed to be tied to Russia, hacked into the DNC's computers.

If the office itself seems lacking, the resume of its newish occupant is anything but. Raffi Krikorian, the Massachusetts Institute of Technology grad who joined the DNC as chief technology officer this summer, most recently led Uber’s Advanced Technologies Center, meaning he was responsible for getting Uber’s self-driving cars on the road in Pittsburgh. Before that, he rose through the ranks at Twitter to vice president of engineering, where he managed the infrastructure that runs the platform.

Following six years of CTOs steeped in political campaigns, Krikorian brings a uniquely hardcore technical pedigree. That may serve both him and the party well. Preventing history from repeating itself requires embedding Silicon Valley technological chops in a nearly 200-year-old political non-profit. Already, Krikorian has recruited engineers from Uber, Twitter, and Pinterest to join his team of 20 and counting. Together, they’re devising ways both to use technology to engage a broader swath of the electorate and to ensure that technology doesn’t create new vulnerabilities.

Working for the “blue team,” as Krikorian calls it, comes with all of the pressure and few of the perks of Silicon Valley. After word spread of the Russian hack, the DNC tech team was widely criticized for failing to heed warnings from the Federal Bureau of Investigation that the party was under attack. Now, the responsibility of cleaning up that mess falls to Krikorian. This week, he spoke with WIRED about why he took the job, his plans for securing the party’s infrastructure, and why he’s trying to phish his own staff. Edited excerpts follow:

Issie Lapowsky: You joined the DNC at a time when many others had run away. How come?

Raffi Krikorian: It never crossed my mind until around Inauguration Day. I was in a hotel room in San Francisco, and I was just like, “Gahhh!” I called my friend Alexander Macgillivray, who used to be deputy CTO of the United States and said, “What can someone like me even do in this world?” He laid out two or three options. The DNC was the hardest to get a hold of. I kept pinging, pinging, pinging until the chief of staff took my call. He then introduced me to DNC Chairman Tom Perez, and Tom’s first question was, “What can we do about our cyber problem?” I was like, “Can we just not call it a cyber problem? Can we start there?”

IL: Your predecessors took a lot of heat for the hack last year. Why did you want to put yourself in that same hot seat?

RK: [My wife and I] came to the conclusion this was probably the highest leverage thing that someone like me could do, and I didn’t want to wake up in four years and think I could have helped.

Tom said this a lot when he was recruiting me: This is my generation’s moment to pick up the charge. My generation’s got a whole bunch of people who build self-driving cars and build social-media platforms. We can go do the right things to secure our country, secure our democracy. When my wife and I looked at it through that lens, we were like, “Yeah, this is going to be super hard, but we’ve got to try.”

Krikorian at the DNC headquarters in Washington, D.C.

IL: Since you’ve gotten here, what have you done to make the party more secure?

RK: It’s a whole bunch of staff training. Turn off text messages. Move to end-to-end encryption. Get two-factor authentication in place. We’ve moved all our stuff into the cloud. The nice thing is that so many people want to help us. We’re approached by email and storage providers who are willing to fully disclose what their security plans are and how it’ll help us. We’re taking them up on their offers. We’re figuring out how to partner with Microsoft for email or Google for collaboration tools, and then we use a login provider across all our stuff that enforces two-factor authentication.

It’s not exactly rocket science, but you have to do it holistically. I got Tom Perez to stand up in front of the all-staff meeting and be like, “If you’re going to talk to me, Tom Perez, you’re using [the encrypted-messaging app] Signal. I will not respond otherwise.” This is important. The nation’s future is at play here. It’s about getting people to think that way. Even in the next few days we’re going to do a series of simulated phishing attacks on the entire DNC staff.

IL: Do they know that?

RK: You’re the first person I’ve told.

IL: How much of what you do is tech support and how much is strategizing how tech can help Democratic campaigns?

RK: My email is very full. But the vast majority is the latter. You have to remember how tech has worked on the blue team historically. Most innovation happens only around the presidential cycle, then you go through this crash-and-burn period. Right after the presidential cycle, this building emptied out. No institutional knowledge. No information got carried over. There isn’t a culture of make your technology better and better and better over time, so one of the things that we’re trying to do is take a bunch of those really cool things we built for Hillary for America, whether it be volunteer stuff, maybe SMS stuff, email stuff, and make it available to candidates further down the ballot, people who in their campaign budgets can’t afford to fund that type of innovation. The DNC has it. We have all of Hillary’s technology in a code repository, and we have data in our databases.

IL: Speaking of Hillary, she's been criticizing the DNC’s voter file lately. In an interview with Recode, she called the DNC’s data “mediocre to poor, nonexistent, wrong.” What do you make of that?

RK: Well, when I first heard it I was really depressed by it. I was like, “Really? I just took the job!” But we have a lot of work to do. Post-2012, there just hasn’t been very much funding of infrastructure or analytics at the DNC. It’s not surprising what she said. We need to modernize our data file. The voter file is an early 2000s thing. We live in a very new world where most people’s time is spent online or on social media or in apps. So that’s where we need to spend our time connecting with people. If you only think about voters as name, landline, and a physical address, you’re not going to connect with that many people that way.

IL: Smaller campaigns often complain about the DNC's exclusive relationship with one vendor, saying this gives the DNC’s preferred candidates a leg up. Others want the DNC to open its data set to more tech companies with new ideas for targeting voters. How do you plan to approach that tension?

RK: What it comes down to is how do we build an ecosystem so more tools can play faster? What we’re seeing in the Virginia governor’s race right now is a whole bunch of tools want to come in and help. It’s not a money-making scheme. They want to try out new methodologies for campaigns, but they’re all getting road-blocked.

What’s missing are some rules of the road around how we’re going to engage around Democratic data. How do we make it really clear that if you’re Tool A, this is the process you need to go through to get access to the data, and if it costs money, this is how much it costs. But the DNC is starting some targeted tests using these tools, because we’re curious about what the effects will be.

IL: Shifting gears slightly, you spent five years at Twitter. Given what we've seen recently, do you believe Twitter’s good or bad for democracy?

RK: I’ve been at the Twitter VP table. I can imagine what these conversations are like. [sighs]. When I was at Twitter, we literally saw people’s high school proms on the platform. I want people to remember that’s the stuff Twitter is really good at, and then I want to figure out how to teach people to use Twitter better. The president has clearly mastered it, but that’s only one way of doing it. There’s amazing grassroots organizing on the platform. Twitter is a medium, and we need to focus on the people using it.

IL: Since Charlottesville, there's been a loud debate about how social networks should respond to hate groups. Does Twitter have a role in policing white supremacist content?

RK: Probably. I understand the insane position they’re in trying to run a platform for all, while running a business at the same time. But probably is the answer.

IL: Last question: were you scared the first time you logged on to the wifi here?

RK: Um yeah.
