Ex-Hillary Clinton Campaign Manager: What I Wish I Knew About Russian HacksRobby Mook
By Robby Mook
(Fortune) – I ran a $1 billion start-up called HFACC, Inc., more commonly known as Hillary for America. Hacking was a problem for us, as most people reading this probably know. The campaign itself was never breached (we think), but the files and emails of multiple employee’s private accounts and our sister organization, the Democratic National Committee, were stolen by Russian agents. The impact on the campaign was devastating.
The Democratic Party hack is well known, but most incidents of cybercrime are a kept secret for fear of litigation or public embarrassment. This silence creates the impression that hacks are rare, which they aren’t, and leaves executives with little perspective from which to act; this was my situation when our campaign launched April 2015. Others can’t share their stories, but I can, which is why I want to share my lessons learned.
My first piece of advice? Take responsibility for cyber security and act now. No matter how small, obscure, unknown, or seemingly unimportant you think your company or organization is, the question is not “if,” but “when” you will be hacked. It’s your job to secure your data as best you can and, equally important, prepare for the likelihood that you get hacked.
When we launched Hillary’s campaign, I knew cyber security mattered, but I thought it was a “tech thing” best left to the experts. The Chinese had famously hacked the Obama and McCain campaigns in 2008 to gain intelligence on the next President. We didn’t want anyone snooping around, so we took basic security measures, like storing our data in the cloud, requiring two-factor authentication, and maintaining remote control of computer and mobile devices in case they were lost or stolen. These simple steps probably prevented the campaign itself from being hacked (we think). Ironically, it didn’t prevent hacking from being a major problem. Nor did we imagine how the hack could shape public opinion about our candidate.
As I’ve come to learn, cybersecurity isn’t binary. You aren’t either “safe” or “vulnerable” — you’re just vulnerable. That’s why you need to understand the full spectrum of data that matters to you and build a strategy to protect it based on what’s most important, or, put a different way, what you fear being stolen, destroyed or held ransom the most. A smart strategy seeks to protect all your data, but also recognizes that resources are finite and sets clear priorities.
When planning how to mitigate data risk, you need to look at everything; not just the data you store in your organization, but all the data controlled by subcontractors or partner organizations that will be your problem if it’s stolen or held ransom. You also need to think about connections between your data systems and outside partners that could make you vulnerable to attack.
Remember, Russia hacked the DNC and private accounts of campaign staff, not Hillary Clinton or the campaign itself. Remember, too, how hackers burrowed through their heating system vendor to steal Target’s consumer credit card information in 2014. Imagine the stories that could be written about your or your company if your law firm’s records and emails were stolen.
When a tape was leaked of Donald Trump making lewd comments about women on a bus, I was not celebrating at our headquarters, as Saturday Night Live portrayed. I was in a meeting about how to deal with another round of damaging emails from WikiLeaks. Our response to the hack was developed in real time amidst the rough-and-tumble of a campaign. Legal obligations had to be surfaced and operationalized. Our security protocols had to be reviewed and changed. Hundreds of thousands of pages of information had to be reviewed. We had to explain to staff and supporters what had happened and train them on data security. That’s on top of the full-time team we had to marshall to manage press and social media response.
A response can and should be planned long before you’re hacked. As a CEO, you should initiate a process to consider what could be stolen, what the fallout will be, and how to respond. If that plan is any good, it will involve your entire senior team and it should be reviewed and actually practiced through simulation. In the case of a major breach, you will need to set up a working group across your security, technology, data, legal, and public affairs teams, to name a few. This team can be trained and oriented long ahead of time. Trust me, a cyber theft presents you with a rapid fire of security decisions, intensive internal communications and training, all while cable news and social media spread what happened (true or false) at the speed of light. Trust me, you don’t know what you don’t know until you actually practice.
Most studies estimate that the majority of breaches are the result of an “insider threat,” which sounds like a disgruntled employee, but is most often someone who accidentally clicks on a malicious phishing link or uses a weak password. This was certainly the case for us and for the infamous Sony hack.
The landscape of risk is so vast that well trained and acculturated staff are by far one of your most potent defensive tactics. You can do everything perfectly at the office, but if you or someone on your team has work materials on a personal account or a computer that’s compromised, your data could easily be compromised–and people don’t care whether your “official” security was top notch or not; you still got breached. A culture where people think before they click and make careful, conscious data management choices is is priceless.
Another critical aspect of culture is your relationship with your security team. You will make the best decisions when they are honest with you about threats and vulnerabilities in real time, something they won’t do if you make threats. Stopping cyber thieves should be a team effort. It’s your job to hire an outstanding team and collaborate with them to find the right strategies and remain vigilant.
Which brings us back to the ugly reality that a breach is likely. The question is whether you are ready. I hope the 2016 election is a wake up call to all of us that cyber security must be a priority. As a manager, you already have the skills needed to prepare — know the terrain, have a strategy, make a plan, set the right culture, and lead. That’s what you do every day and that’s why cybersecurity is ultimately your responsibility.
Robby Mook was campaign manager for Hillary Clinton’s 2016 campaign for President. Previously, he managed Terry McAuliffe’s campaign for Governor of Virginia and Jeanne Shaheen’s campaign for Senator from New Hampshire. Mook also served as executive director of the Democratic Congressional Campaign Committee.