Did a lack of common cybersecurity sense elect Trump?

There is little debate that the US election will be described as a referendum on the status quo, with very strong anti-establishment and anti-elitist sentiment driving record numbers of unexpected voters to the polls. But that doesn’t tell the complete story.

Yes, the Hillary campaign brought the current administration out in force in the final weeks, thus cementing her image as an entrenched Washington insider. But I can’t help but think that this status quo image began to be shaped and hardened as a direct result of the leaked insider communications exposed on WikiLeaks and as a result of the hacked DNC network and campaign chair Podesta emails.

Is it possible that the lack of common sense cybersecurity, including the non-use of two-factor authentication, ultimately helped elect Trump?

In the devastating DNC hack, there were many revelations that fueled the rhetoric that Hillary was given preferential treatment by the DNC party officials including the discussion of an anti-Bernie strategy and coordinating anti-Sanders messaging.

One particular example has Luis Miranda, DNC communications director, discussing with another party official about a strategy against Bernie Sanders: “It might may no difference, but for KY and WVA can we get someone to ask his belief. Does he believe in a God. He had skated on saying he has a Jewish heritage. I think I read he is an atheist. This could make several points difference with my peeps. My Southern Baptist peeps would draw a big difference between a Jew and an atheist.”

There was even a head-slapping response to the realisation that a shared password was compromised by…wait for it…emailing out a new password. Doh!

Unfortunately, security response consultants have not definitively discovered how the attackers got into the DNC servers. Typical attacks use phishing schemes to trick users into installing malware onto their systems and then using keylogger software to capture passwords that can be used to VPN into the network and move laterally among systems on the network. Passwords alone are not effective at securing access to critical systems and resources. Used in combination with additional factors, such as a one-time code sent to a user’s smartphone, so-called two-factor authentication can pose real difficulties for remote hackers.

The Podesta hack was a(nother) lesson in two-factor authentication. It looks likely that Podesta fell victim to a typical phishing scheme, compromising his email and twitter accounts. If that is the case, this embarrassing event could have easily been avoided with the common-sense use of two-factor authentication. The Podesta emails exposed insider communications that included revelations about Hillary that could be interpreted as pro-establishment, Washington insider and elitist. Just a few examples from WikiLeaks:

Example #1: Her instincts seem to side with law enforcement with respect to government surveillance and strong encryption when Podesta writes to Luke Albee, a Hillary campaign strategist, that Hillary’s “instincts are to buy some of the law enforcement arguments on crypto and Snowden type issues.”

Example #2: She wouldn’t come out against keystone because she wants to appear to support Obama in public when Dan Schwerin, director of speechwriting, writes to Cheryl Mills, a top Hillary aide: “We are trying to find a good way to leak her opposition to the pipeline without her having to actually say it and give up her principled stand about not second-guessing the President in public.”

Example #3: She gave a speech which Dan Schwerin says he wrote Hillary “a long riff about economic fairness and how the financial industry has lost its way, precisely for the purpose of having something we could show people if ever asked what she was saying behind closed doors for two years to all those fat cats…” This clearly plays into the widely reported quote that Hillary says “you need both a public and a private position.”

Example #4: It seems that debate questions were shared ahead of time giving Hillary an insider advantage when Donna Brazile, a CNN contributor, sent one email prior to the debates to Jennifer Palmier, communications chief, with the subject line: “From time to time I get the questions in advance”, detailing a debate question about the death penalty. And another email with the unambiguous subject line: “One of the questions directed to HRC tomorrow is from a woman with a rash.” These emails were particularly damaging as they clearly showed at a minimum a member of the press with her finger on the scales favouring Hillary.

Perhaps the rhetoric is correct and Hillary is indeed a political elite too entrenched in Washington to appeal to much of mainstream America. Or perhaps, the lack of basic cyber hygiene ultimately contributed to the damaging image of Hillary as a Washington insider representing the status quo and thus leading to the stunning results of the 2016 presidential election.

Hopefully the new president and his administration will echo and amplify Obama’s Cybersecurity National Action Plan designed to protect US innovation from cyber threats, launched in his February op-ed in the Wall Street Journal. Over the last few decades, most Americans have come to accept seat belts as an essential safety measure. The “Click-it or Ticket” education campaigns have been highly effective. Maybe this national campaign will serve raise awareness about the inadequacy of the common password and to introduce the “cyber safety belt” — two-factor authentication.

After all, it’s the number one job of the government to keep Americans safe, and in the modern age, cyber safety is just as important as physical safety. And while we are at it, let’s all take a moment to fully realise that the cybersecurity decisions that we make can have a profound impact on the foundation and direction of our business, partners, customers and even our country.

Corey Williams, Senior Director of Products and Marketing at Centrify

Image Credit: Flickr / Matt Johnson