DNC Creates 'Cybersecurity Board' Without Any Cybersecurity Experts (techdirt.com)
An anonymous reader writes from a report via Techdirt: The Democratic National Committee has created a "cybersecurity advisory board" to improve its cybersecurity and to "prevent future attacks." Politico reports: "'To prevent future attacks and ensure that the DNC's cybersecurity capabilities are best-in-class, I am creating a Cybersecurity Advisory Board composed of distinguished experts in the field,' interim DNC Chairwoman Donna Brazile wrote in a memo. 'The Advisory Board will work closely with me and the entire DNC to ensure that the party is prepared for the grave threats it faces -- today and in the future.' Members include Rand Beers, former Department of Homeland Security acting secretary; Nicole Wong, former deputy chief technology officer of the U.S. and a former technology lawyer for Google and Twitter; Aneesh Chopra, co-founder of Hunch Analytics and former chief technology officer of the U.S.; and Michael Sussmann, a partner in privacy and data security at the law firm Perkins Coie and a former Justice Department cybercrime prosecutor." What's surprising is that none of these members are cybersecurity experts. Techdirt reports: "If the goal of the board was to advise on cybersecurity policy, then the makeup of it is at least slightly more understandable, but that's not the goal. It's to actually improve the cybersecurity of the DNC. Even if the goal were just policy, having someone with actual technology experience with cybersecurity would be sensible."
Just never write down any dirt.
See also: Bill Clinton's meeting on the tarmac. That's how serious dirt is done.
John McAfee 'It was like that time I hired that Bangkok prostitute; to do my taxes, while I fucked my accountant'
The point of every board isn't to ever do work. It's just to head up the meetings and organize the allocation of funds to achieve the agenda.
You might want one technician but management is management. Management is just about allocating your resources to get shit done.
Obviously nobody on the board is actually going to get their hands dirty. And boards don't do very much. They will probably meet once a quarter... by phone for an hour. Agree that the consulting firm that they hired is spending the money wisely and then go back to their real jobs.
Political officials setting themselves up to regulate things they have zero background knowledge in? Sounds like business as usual to me.
And the politicos are all stumped as to why people are angry at them and screaming for real change, to the point where people will actually vote for an asshat like Trump...
Chas - The one, the only.
THANK GOD!!!
Just the political elites doing what they do irrespective of the skill set of people they are employing. People keep banging on about corruption in some third world nation when corruption is well and truly alive in your back yard.
A board designed to investigate a technical thing, being staffed by people who are better at raising money and making good sound bites than actually knowing anything about what they're supposed to be figuring out.
On second thought, erase the word "technical" from that paragraph.
A bunch of cannibals?
I used to know a guy who would always make reservations under the name of "Donner" because occasionally he'd then get to hear "Donner Party - your table is ready".
#DeleteChrome
Apparently, you don't know too much about designing/administering computer systems security.
Computer security is more than keeping a system secure from outside attacks. The two results you do not wish to occur in a "breach" are exposure of confidential information, and permanent data loss (sabotage). These forms of security breaches can occur from the "inside".
Another consideration in designing security in computer systems is workflow. There are a ton of ways to make a set of computers secure, but sometimes the solution would end up crippling the patient.
Hardening systems is only part of system security. Compartmentalizing access to workgroups is another consideration. There's no reason why a volunteer local office worker needs to access mail systems meant for confidential communications between senior managers. Laptops (& to a lesser extent tablets) are infamous vectors for intrusion, but they can also be managed by limiting their ability to access systems remotely (through VPNs) and credentialing. Finally, metadata monitoring of all computer traffic can be useful in tracking down a breach, as well as intrusion detection systems. Finally, this doesn't mean much if you can't hire enough competent IT staff to manage the entire operation (Which also requires vetting).
3. Insert fictional defense method here which will never work in reality, because the PHBs always need a fall guy they can blame for their own security nightmares they created by ignoring advice.
The reality is that most PHBs do operate on a nominal amount of common sense. If you're the security architect, and the PHB doesn't realize they are subordinate to every protocol, then that's the signal to find a new employer. Doesn't help much if you want to work for the Democrat nominee for PotUS.
There is no America. There is no democracy. There is only IBM and AT&T and DuPont, Dow, General Electric, and Exxon
A bunch of cannibals?
I used to know a guy who would always make reservations under the name of "Donner" because occasionally he'd then get to hear "Donner Party - your table is ready".
At which point he could exclaim, "It's about time, we're starving!"
You have the right to remain sentient. If you give up the right to remain sentient, you will be elected to public office
An acquaintance who is a manager once told me that he can manage anything because, well, managing is managing. Another one suggested to me when I was a teen to go study management because, well, managers will always be needed...
Isn't that a little pretentious and old school, like where the boss is the boss, doesn't matter if he is right or wrong or if he knows what he is talking about?
Seems to me hard to understand how a manager can manage something he doesn't know anything about unless he has skilled technical assistants. But how will he evaluate the skills of his assistants? I suppose if the assistants tell him what he wants to hear, it might help.
This is one of the fallacies of modern MBA-style management: management is a specific skill that's the same across all industries.
In its worst form, it's what gets us CEOs who slash costs and show growth for the first year, then leave with a golden parachute while the company flounders.
If you study management even a little, you realize that the best managers are expert in their respective fields. This is not to say that software managers must be expert coders, but they need to have in mind the capabilities and limitations of the company products, the tools that the coders use, the current marketing trends, and some ad-hoc guesswork as to where the market is going. And also, they should at least know how to code, if not be an expert at it.
Consider: Do you think a generic manager could step in and manage a newspaper without intimate knowledge of the newspaper business? How well do you think that company would do if it actually happened?
Looking at some of Warren Buffett's writings, I note that he has people he trusts that can quickly learn the business and make informed choices that ultimately turn a company around. For example, a troubled company that supplies hardware, his people identified parts that had little profit and were available from other suppliers, as opposed to other parts that had more profit and were unique to the business. That's how he buys distressed companies and turns them around.
This is not what generic MBA-style managers do: learn the business, go into detail, and make strong decisions that benefit the company.
Looking at how GE gets vice-presidents, they always hire from within. They take a director and move him over to another department for a couple of years, and see how well he does. Then they move him again, and in a couple of years move him again. Over time, the directors become very well informed about how the business actually works, and anyone who isn't flexible enough to learn and do well in the business gets weeded out.
GE executives are some of the best managers in the world.
I've worked with a lot of "plug-in" managers who never seem to know where to go or what to do. They take the opinions of their staff as gospel without adding their own expertise, and serve as a simple buffer between the workers and upper management.
Don'tcha just feel good knowing how well Hillary will be keeping the nation secure when you cast that ballot?
There is no America. There is no democracy. There is only IBM and AT&T and DuPont, Dow, General Electric, and Exxon
Donner, party of 8, Donner?
[pause]
Donner, party of 7, Donner?
[pause]
Donner, party of 6, Donner?
[pause]
Donner, party of 5, Donner?
etc...
General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
"DNC emails leaked regarding insiders' placements on DNC Cybersecurity Advisory Board. The DNCCAB releases statement, 'It depends on your definition of hacking.' Nude photos of Clinton found among the leak which boost her in polls by 75%. Trump tried to counter by leaking his own sex tape, but the effort tanked because no one wanted to hear him dirty talk Chris Christie."
... if any of the above headline becomes true, the terrorists have won
Mod me down, I shall become more off-topic than you could possibly imagine.
See? They only need lawyers.
What's surprising is that none of these members are cybersecurity experts.
Not surprising to me. The DNC and their members create economic policies with no understanding of economics. They put people in charge of justice with no understanding of justice. They put people in charge of foreign policy who are incompetent in dealing with foreign policy issues.
So this is just what they do - meddle in things they know nothing about.
"Somebody has to do something. It's just incredibly pathetic it has to be us."
--- Jerry Garcia
No, they usually just shoot people that leak emails.