RNC tight-lipped about IT security
The hackers, widely assumed to be backed by, or be a part of, the Russian government, were able to gain access to an array of DNC databases and email accounts, which they released to the WikiLeaks website.
While the hackers were eventually discovered and blocked from the system, the damage they caused was already done. The question now becomes what Republicans have done to keep their networks from falling prey to a similar intrusion.
A Republican Party spokesman told AMI Newswire the Party takes all necessary measures to ensure its network’s security. The spokesman offered no specifics. But information technology experts that AMI Newswire spoke with said there are some very basic policies, and personnel, that must be in place to guard against hackers.
Scott Hirons, a Northern Virginia technology consultant, said the most important thing a organization can do is to "test, test, test,” including using hackers to do the testing.
"There are hundreds of companies that will do penetration tests, network/security integrity test, etc.,” he said.
"Essentially, hackers that get paid to be good guys, doing what bad guys do. An organization like RNC or DNC, for that matter, should have contracts with these types of folks to ensure their security.
"Having the best-laid plans, technology, policy and procedures means nothing if an unknown pinhole is left open. What happens all too often is the business operations guys rely on their IT shops to say ‘yep. network is secure,' and give the IT guys trust what they say is right,” Hiron said.
Waldo Jaquith, the founder of U.S. Open Data, which promotes the public release of government data to enhance accountability and effectiveness, said there are a number of basic steps political parties must take to ensure security.
"Two-factor authentication is the No. 1 thing that they should have for security.” Jaquith said. "If [organizations such as the RNC] access their systems or network without a security token, like a Google Authenticator, that's a huge red flag. If they host their own email, instead of using a secure, audited provider (like Google Mail), that's another red flag.
"If they're hosting their own email, they're either wildly competent or extremely foolish. Tip: it's not the former,” he said.
"They should have a CISO, and know what the acronym means. That's a chief information security officer. If they don't have a full-time CISO, they've got nothing,” he added.
The Republican National Committee has a chief technology officer, Darren Bolding, who served as director of network engineering, information technology and security for Intelius. The RNC’s director of network operation, Dirk Eyman, has been with the committee since 2005, having previously worked as the IT director for the Bush-Cheney campaign in 2004.
Hirons said there were other internal steps the RNC must take to protect its systems.
“They should have multiple layers of firewalls with segmented networks to ensure data security, network penetration security, web security, and general infrastructure security. They also need to ensure physical security, so that the general user within the RNC takes proper steps in securing their own workstations and data,” he said.
International technology security expert Bruce Schneier told AMI Newswire the specifics of what the party must do are too extensive to list. “In broadest terms," he said, the RNC and other organizations should be "doing all the right things, and doing them well.”