RSAC 2019: DNC Security Boss Bob Lord and Symantec CTO Hugh Thompson Talk Security

The head of security for the Democratic National Committee has a suggestion about how to promote better cyber security protection. Make it simpler, please. A lot simpler. “When we think about these things, this stuff is still too hard,” says Bob Lord, who was put in charge of security for the Democratic National Convention after the 2016 elections.

Lord, who held top security posts for Twitter and then Yahoo when he worked in the private sector, also offered a critique of an industry he’s grown up in. He said that while sophisticated cyber security solutions remain necessary to keep malicious hacker groups at bay, security remains far too complicated for most users, who are often left confused as to how to properly protect their devices.

In his interactions with the roughly 200 people working at the DNC as well as with the state and local officials responsible for their own campaigns, Lord came away convinced that current approaches to security need to get re-thought in advance of the 2020 elections. For a security expert whose job was created after a foreign hacking campaign that U.S. intelligence agencies say helped Donald Trump get elected, Lord has more than a passing interest in getting this one right.  

Drawing on the experience of the last couple of American elections, Lord said that campaigns now faced “dedicated adversaries” who work in teams and are methodical in their methods.  “This is not smash-and-grab…we’re talking about [adversaries who make] long-term investments in which you may see only a small part of the attack.”

Organizations not quite sure what their next steps ought to be – other than to hunker down with even more sophisticated defensive solutions – are missing the bigger picture, according to Lord.

“People come and ask what VPNs to buy or how to design their Wi-Fi,” he said. “As cyber professionals, sometimes I feel that we’re doing a disservice by answering that question. You should do those things – but at a certain point in [the organization’s] maturity.”

His proposal in the meantime? Focus on the “basics.”

“If you do those things, then it’s appropriate to do some of these other things, he said.

Speaking on the final day of the RSA 2019 conference, Lord was interviewed on the keynote stage by RSA Program Committee Chair and  Symantec’s CTO, Hugh Thompson.  

And he came armed with a checklist to put his words into action.

• Patch your software applications
• Require employees to use 2-Factor authentication
• Deploy a password manager

Lord said that the recommendations actually take up one page – printed front and back – with further details in support of each bullet point on the checklist. But that’s the gist of it. And for Lord, it’s more than enough.

“When I take look at all the attacks I see in the news, if you do these things, you won’t become one of those headlines, he said. “The basics are actually the real innovation.”

He said this will involve discipline, going step by step, with people who may not have deep experience thinking about the security of the products and applications they use each day.

“Even something as simple as updating phones turns out to have issues,” he said, recalling when he encountered staffers who couldn’t update their devices because they had run out of memory. At that point, they had to figure out how to copy – or upload – their pictures to free up storage. “But I also ran into cases where they didn’t know why I was asking them to update their software. They really didn’t know why.”

“Again, if you don’t have any prior experience, it can be daunting,” he said, adding that’s why he’s urging a move to keep things as basic as possible.

Looking ahead, Lord suggested that tech companies could help by implementing automatic protocols, rather than rely on organizations to take the responsibility of ensuring that their workers toe the line on cyber security.

“There is a history of technology providers not making security a default,” he said. “We have an opportunity to reprioritize how companies do security.”

At the same time, he recognized the constraints of a system that doesn’t always reward managers for putting cyber security at the top of their to-do list. People get promoted for more users and thus, more sales, not necessarily for making people safer, Lord said.