The 2016 presidential election had its share of surprising and alarming moments, but none more so
for cybersecurity experts than the summer's hack of Democratic National Committee email servers,
along with email accounts of prominent Democratic leadership. A hacker operating under the
moniker. Guccifer 2.0 leaked the emails to WikiLeaks, which subsequently published an archive of
the stolen emails.
Confusing matters slightly, consulting cybersecurity groups such as CrowdStrike examined emails
associated with the hack and found that not only was there some evidence of Russian state
involvement, some of the documents released through WikiLeaks may have been doctored and
integrated into the breached emails.
The DNC hack may have marked a shift in the threat landscape for large organizations and
enterprises, according to many in the cybersecurity community. Steve Chabinsky, general counsel
and chief risk officer for CrowdStrike, said the company saw a couple of distinct markers in its
investigation of the breach.
"When I look at the DNC hack, what I think is unusual about it and is likely to become a trend is use
of hacking as a means of creating influence operations and brand disruption," Chabinsky said. These
two motives, he added, differ from the more commonly recognized goal of cyberattacks on
businesses: acquisition of data, be it customer account credentials or trade secrets, that leads to
financial gain for hackers.
Brand reputation has been a question for many following the highly publicized Yahoo customer data
breach earlier this year, which drew concern and a possible revaluation of its $4.8 billion deal with
Chabinsky said the DNC hack may signal a ramping up of corporate influence and reputation-based
attacks, and companies should start looking to reconsider what vulnerabilities lie in these motives.
"The concern, looking at this from the lens of the private sector, is: How do you go up against an
organization, whether they're a criminal group or a foreign country, that would get into your system
not to benefit from the data they steal, but to use that data for the purpose of influencing your
operation and destroying your brand?" he asked.
This may require a shift in the ways that corporate leaders determine what information is critical to
safeguard and what can be left vulnerable. K2 Intelligence senior managing director Austin Berglas
said companies need to "shift from a normal security mindset away from protecting what we've
always wound up having to protect into [looking] at what could do damage to the organization."
This may mean shifting away from keeping the heaviest restrictions on source code and proprietary
data and looking outward into companies' other risky data. Berglas and Chabinsky both agree that
the DNC hack demonstrated that email should be high on the list of potential threats to a company's
value."Email is one of the most vulnerable things we do every single day because it's completely internetfacing,"
David Katz, a partner at Nelson Mullins and head of the firm's privacy and information security
practice group, said the hacks may force organizations to reckon with the broader issue of email
"The way we communicate now is electronic, and that in and of itself creates risk because it makes a
record that is potentially discoverable," Katz said. That, he said, requires that companies and other
organizations not only take steps to secure their data and prepare for breaches, but also to think
about what kind of sensitive data they may be producing without thinking.
"If you're engaged in very sensitive communications, I think you should almost assume that they're
not going to be secure, especially if they're in the context of something that's potentially controversial
or that folks might have a reaction to out of context," Katz said.
Joe Whitley, a shareholder at Baker Donelson and chairman of the firm's government enforcement
and investigations group, thought that both the publicity generated by the DNC hack and its
potential impact on the outcome of the presidential election may encourage companies to reconsider
their dependence on electronic communications altogether.
"I think it may change how people communicate," Whitley said. "You may see more use of the
phones for communications and maybe even old-school written communications may come into
Berglas approached the issue with more skepticism toward companies' willingness to migrate away
or even moderate use of email accounts.
"No matter what the policies are, most people are probably going to put sensitive information in
email because it's just the way people are. They obviously take accessibility over security," he said.
If this proves to be the case, companies will need to step up their crisis management game, starting
with company leadership, Chabinsky said. "The awareness that this is possible needs to be in the
back of the minds of business management teams so that their response can anticipate these as
potential issues," he said.
Gabrielle Orum Hernandez