As we all know by now, today's topic is the data breach involving NGP-VAN and the DNC's response to it. What strikes me is that many of the people writing about this are not writing from the perspective of anyone in IT.
So, having been through more than one data security scare in my 20+ years in IT, I thought I'd share some insight to clarify a few things.
First, I want you to imagine you walk up to a bank ATM. You check your balance. The bank ATM informs you that you have $100,000 more than you know is in your checking account. You had expected to find rent money, but suddenly the bank shows you have enough to pay off a large slice of your student loan debt.
Hurray! You spend the money in a hurry and celebrate your good fortune. Here is the reality: under the law, even though the bank made the initial electronic mistake, your taking advantage of it is a crime that will send you to prison.
The same principle applies in most cyber security incidents. Discovering an access problem is common: a user finds that their privileges let them see data meant only for a manager, payroll, or senior staff. They report it, and the group in charge handles it.
For many companies and entities, this obligation is written into your "Terms of Use", "Employment Contract", "Subcontractor Agreement", "Internet Service Agreement", etc. These agreements are binding.
In the case of NGP-VAN, users are required to agree to terms of use covering access to and handling of data, terms that comply not just with NGP-VAN's own policies but also with federal guidelines on the privacy of voters and their information.
That is the terms-of-use side. For the Sanders campaign, it isn't just a matter of violating the terms of use; it is that their administrator moved from "white hat" reporting to taking advantage of the situation:
http://www.bloomberg.com/politics/articles/2015-12-18/sanders-campaign-fires-data-director-after-breach-of-clinton-files
The database logs created by NGP VAN show that four accounts associated with the Sanders team took advantage of the Wednesday morning breach. Staffers conducted searches that would be especially advantageous to the campaign, including lists of its likeliest supporters in 10 early voting states, including Iowa and New Hampshire. Campaigns rent access to a master file of DNC voter information from the party, and update the files with their own data culled from field work and other investments.
After one Sanders account gained access to the Clinton data, the audits show, that user began sharing permissions with other Sanders users. The staffers who secured access to the Clinton data included Uretsky and his deputy, Russell Drapkin. The two other usernames that viewed Clinton information were "talani" and "csmith_bernie," created by Uretsky's account after the breach began.
The logs show that the Vermont senator's team created at least 24 lists during the 40-minute breach, which started at 10:40 a.m., and saved those lists to their personal folders. The Sanders searches included New Hampshire lists related to likely voters, "HFA Turnout 60-100" and "HFA Support 50-100," that were conducted and saved by Uretsky. Drapkin's account searched for and saved lists including less likely Clinton voters, "HFA Support <30" in Iowa, and "HFA Turnout 30-70" in New Hampshire.
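The audit trail described above is exactly what a responder would triage: which accounts touched another committee's data, who granted whom access, whether new accounts were created and then handed that access, and what was saved during the window. The code below is an added example of that triage and is not NGP-VAN's software or its log format; the pipe-delimited record layout, the field names, the 10:40 to 11:20 window and every log line and username are constructed for illustration.

```python
"""Audit-log triage for a shared voter-file platform (constructed example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Constructed sample, not real NGP VAN records. Fields:
# timestamp|actor|actor_org|action|data_org|detail
SAMPLE_LOG = """
# actor_org is the committee the account belongs to; data_org owns the data touched
2015-12-16T10:40:05|admin1|ORG_A|SEARCH|ORG_B|Turnout 60-100 NH
2015-12-16T10:41:30|admin1|ORG_A|SAVE_LIST|ORG_B|Turnout 60-100 NH
2015-12-16T10:44:00|admin1|ORG_A|CREATE_USER|ORG_A|temp1
2015-12-16T10:45:10|admin1|ORG_A|GRANT|ORG_B|temp1
2015-12-16T10:46:00|admin1|ORG_A|GRANT|ORG_B|deputy1
2015-12-16T10:50:00|deputy1|ORG_A|SAVE_LIST|ORG_B|Support <30 IA
2015-12-16T10:55:00|temp1|ORG_A|SAVE_LIST|ORG_B|Turnout 30-70 NH
2015-12-16T11:05:00|analyst2|ORG_A|SAVE_LIST|ORG_A|Volunteers IA
2015-12-16T11:30:00|admin1|ORG_A|SAVE_LIST|ORG_A|Own list after fix
"""

# Assumed incident window (hypothetical, chosen to match the 40-minute figure).
WINDOW_START = datetime.fromisoformat("2015-12-16T10:40:00")
WINDOW_END = datetime.fromisoformat("2015-12-16T11:20:00")


@dataclass(frozen=True)
class Event:
    ts: datetime
    actor: str       # account performing the action
    actor_org: str   # committee that owns the account
    action: str      # SEARCH, SAVE_LIST, CREATE_USER or GRANT
    data_org: str    # committee whose data was touched / shared
    detail: str      # list name, new username, or grantee


def parse_log(text):
    """Parse the constructed pipe-delimited format; skip blanks and '#' comments."""
    events = []
    for raw in text.splitlines():
        raw = raw.strip()
        if not raw or raw.startswith("#"):
            continue
        parts = raw.split("|")
        if len(parts) != 6:
            raise ValueError(f"malformed record: {raw!r}")
        ts, actor, actor_org, action, data_org, detail = parts
        events.append(Event(datetime.fromisoformat(ts), actor, actor_org,
                            action.upper(), data_org, detail))
    return sorted(events, key=lambda e: e.ts)


def cross_org_access(events):
    """Reads (SEARCH/SAVE_LIST) where the account's org differs from the data's org."""
    return [e for e in events
            if e.action in ("SEARCH", "SAVE_LIST") and e.actor_org != e.data_org]


def accounts_with_foreign_access(events):
    """Distinct accounts that viewed another committee's data."""
    return sorted({e.actor for e in cross_org_access(events)})


def permission_sharing(events, start, end):
    """GRANTs inside the window that extend access to another committee's data.

    Returns (grantor, grantee, data_org, grantee_created_in_window); the last
    flag captures the 'create a user, then share the access' pattern.
    """
    created = {e.detail for e in events
               if e.action == "CREATE_USER" and start <= e.ts <= end}
    findings = []
    for e in events:
        if e.action == "GRANT" and start <= e.ts <= end and e.data_org != e.actor_org:
            findings.append((e.actor, e.detail, e.data_org, e.detail in created))
    return findings


def lists_saved_per_actor(events, start, end):
    """How many foreign lists each account saved during the window."""
    counts = defaultdict(int)
    for e in cross_org_access(events):
        if e.action == "SAVE_LIST" and start <= e.ts <= end:
            counts[e.actor] += 1
    return dict(counts)


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("accounts touching foreign data:", accounts_with_foreign_access(evs))
    for grantor, grantee, org, new_acct in permission_sharing(evs, WINDOW_START, WINDOW_END):
        print(f"{grantor} granted {grantee} access to {org} data"
              f"{' (account created during window)' if new_acct else ''}")
    print("foreign lists saved in window:", lists_saved_per_actor(evs, WINDOW_START, WINDOW_END))
```

The checks are deliberately simple set operations on the parsed records: the hard part of this kind of incident is not the query but having an audit log that records the actor's own committee and the data's owner on every action, so that "who should have seen what" can be answered after the fact. Anything saved after the access was closed (the 11:30 record) is correctly left out of the window counts.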
Now, this is where, as an IT person, I see a serious problem. The moment a user, in this case a systems admin, notices a breach, then per the terms of use he agreed to, he is like the person who finds a pile of extra money in his account: any move to take advantage of it is a serious offense, with numerous federal guidelines attached, regardless of whether you caused the problem or simply took advantage of it.
There are those who are criticizing the DNC's approach here, and I would agree that completely suspending the campaign's access seems like a big deal; that said, I'm not sure having staff members arrested for cyber crimes would have been much better, and it would probably have been far more damaging to the Sanders campaign.
The most important part of this, though, is simple: vetting staff is a serious and real matter, and having good to great staff who understand not just the rules but the spirit of the governance behind them matters.
Several years ago, at a multi-national company I provide outside consulting to, an employee gained access to HR data because of an errant click by another user. That change of folder permissions let the employee see "action plans" in place for other employees, their status, and so on. He reported it. He also read through half of them before he did. Not only was he terminated, he barely avoided prosecution.
Information technology is something too many people simply take for granted. We zip through terms of use; people pirate and share content frequently; we violate and flout the guidelines in private life most of the time with limited penalty.
The handling of client data, though, especially data with dollars attached and personal information is governed in such a strict way that people who can do so appropriately have real value, not just to a campaign but to their party.
There are two sides to this coin. Many Bernie Sanders supporters, and I am one of them, believe the DNC's penalty on the Sanders campaign may be far too harsh and may violate the spirit of good campaigning. I would argue that the candidate in this instance is not at fault; a wayward employee (who stupidly can't stop talking to the press and continues to dig his legal hole much, much deeper) should not sink an entire campaign.
There are measures to be taken here, and per the guidelines much of it is simple: the staff behind those four accounts would all be terminated, and Bernie made a good start on that today. Depending on what they did or viewed with that data, they will likely be subject to at least an investigation by NGP-VAN, the DNC, and the Sanders and Clinton campaigns to determine whether private, third-party data was shared or read through, which could create a situation that needs review by a prosecutor.
Is Bernie Sanders at fault? No. This is not Bernie Sanders' fault. He didn't sit at a computer and handle this. Should his campaign be permanently crippled by this? I'd argue no. Should the DNC have gone public with this? No, because I tend to think it hurts the party, and making it public was a bad idea. UNLESS they knew someone else was going to leak the story, OR they were aware of a breach affecting anticipated donor data, which would potentially become public in short order.
This does not, in any way, positive or negative, change my support for Bernie Sanders, which is based on his dedication to the issues alone. For those who sit on the sidelines or are Hillary supporters, though, it opens up a new line of attack: not over the purge, but over whether the Sanders campaign's hiring practices recruit those best prepared for a fall election.