So my name is Robby Mook. I ran Hillary Clinton's campaign in the last election cycle, up through last year, but actually before that was working on campaigns basically straight for about 15 years. Ran a governor's race, a Senate race, local legislative race, and then worked at the Democratic Congressional Campaign Committee, which oversees all the House races, for four years. So I'm a campaign guy. I've recently made a slight pivot and I'm at the Harvard Kennedy School at the Belfer Center doing a senior fellowship there with a Republican colleague of mine, actually Mitt Romney's former campaign manager, and we're working on cybersecurity on a bipartisan basis to help get our campaigns and elections more secure. That's what we're doing.

So that's Robby's intro. I'm going to get a sense for everybody here now too. Raise your hand if you are like an enterprise security, chief security officer, security engineer, someone who builds strong things. Okay. What about if you're like a policy person, someone who does legal stuff, policy? And what if you just break stuff? You just break stuff.

Is it working now? Okay. There we go. Yeah. Okay. Yeah. So my background is for the last 20-ish years I've worked with people I see in the audience, building companies that break stuff essentially and helping people understand how to build things that can't be broken. And then I came over to Wickr because I thought it'd be fun to try and build a product that was impervious to that breaking. So I kind of come from the audience standpoint a little bit more, and when I took the job at Wickr I got pulled into sort of post-election, how do we fix this stuff? How do we deal with these comms? How do we make them stronger? And one of the first people I was introduced to was Robby. And one of the first things I figured out is that we didn't speak a common language a lot of times. I didn't know what a committee was. He did. Or I thought I knew what a committee was, but I didn't.
And so we spent a lot of time trying to figure out how to go out and help people. But the first thing we did is we tried to find common language around these issues. So that's probably the best embodiment of the goal for this talk. So one of the first things that I didn't understand, that I looked to Robby to understand, is how was it that there were these persistent security issues in 2016 that people knew about but they just weren't mitigated? Why did it take so long to really understand them and deal with them?

Yeah, well, the interesting thing about this is the first presidential campaign I worked on was John Kerry's campaign in 2004. And that campaign actually suffered a breach that got pushed out by the, I think it was the Chinese. And then I know that both in the 2008 and 2012 campaigns there were also incidences. When we were beginning our campaign, and it's important to make a distinction, the campaign is different from the DNC, but when we were beginning our campaign, what we were mostly anticipating was espionage. So that people were going to try to break in to get information that would probably be very helpful. If you're trying to plan for another administration coming in, it's nice to know everything that the campaign was talking about and different policies that were being discussed and so on, and probably some of the rationale behind some of what the candidate was thinking. So that's what we were anticipating, and the important thing to understand about that from a mindset perspective is, if somebody goes in and gets something but you're not imagining how they could sort of release it, then it's like, well, at the end of the day we can do so much, we can spend so much money, we can put so many resources into this, but I guess the Chinese will be that much more intelligent about what could happen.
So look, from our campaign standpoint as far as we know, and that's like people here understand that caveat much better than me, we were never breached, but my biggest lesson coming out of this and I think a lesson everybody needs to take away and people in this room understand this perfectly well is it's not just the data that you control, it's the data about you or that other people control that can be weaponized against you. So I think the, so having said all that, I think the entire ecosystem of our elections, of our democracy frankly were not, I think first of all didn't really believe that what happened could actually happen. You know there was a lot of resistance early on when we were educated on what probably took place. There was a lot of resistance, this idea that it was actually the Russians, that it was actually done as a retaliatory measure against things that Hillary had done and said as Secretary of State. So that was one issue but then again I think because it had never happened before, look I think law enforcement could have done a lot more to be a lot more proactive with the DNC, I mean the fact that they were only calling a help desk and that they were only doing that intermittently, I think that's a problem. I think the DNC obviously internally could have done a lot more to shoot this up to the top and do something about it and then I think there's a series of questions that are really tough around the news media and social media and what ethical obligations they have and we can talk more about like France and other places where I think we saw some different strategies work. You know what role they have in mitigating the ability of another country to influence our election. 
The last piece that I touch on, which is really complicated, I don't think we're going to figure this out for a long time, is, and France again is a good example of this, what is the government, does the government have a role, and then what is that role, to work proactively with campaign organizations to make them more resilient to these sorts of attacks?

So that was going to be my other question: law enforcement seemed not speedy to come to the rescue, and yet we had these past elections. I mean, I think probably a lot of people in this room had some knowledge of what was happening in the geopolitical sphere, if you will, in previous elections. So was there something around the political climate that constituted that a call to the help desk was an appropriate progression, or what do you think really led to that?

I don't know, I don't know if it was politically motivated. You know, James Comey said in retrospect he would have walked over to the DNC. That would have been nice. But again, I don't like to get into too much finger pointing on all this, because I think we are where we are and everybody in this entire situation could have done a lot of things differently. So my focus right now is on, okay, what should they do differently? And you know, this is a perfect example. I think there is no, absolutely no reason, this is one of the things we are working on, that law enforcement and the party and campaign infrastructures can't have systems in place to have those conversations, and they should.

So Robby and I first met in February, something like that, after the elections, and again it was precipitated by people trying to get me, us, involved in helping. And then we submitted a paper to talk at this conference, and one of the things we said is information security is now the number one priority of all elections, domestically and internationally. Pen test that statement, stress test that statement: do you still think that's a valid statement?
Yeah, I think, and again this is what we are trying to work on, I think if you pulled aside any campaign manager now and said, obviously, do you want to get hacked, they'd say no. Do you think it's a big problem if you get hacked? I think most of them would say yes. And then I think if you ask them, have you done everything you can, they'd sort of say, no, but I don't really know. And so there are two issues here. I think one is campaigns often underestimate the value of the information they have. I'm still hearing this today, where a campaign will say, well, we don't have anything that's that great, and you say, well, how would you feel if that poll you did got out? How would you feel if the research about your candidate was pushed out publicly? And then they say, well, yeah, but that's really hard to find. So I think we need to do more culturally to get people to understand if that information exists anywhere, it's vulnerable. And then secondly, we need to do a much better job getting all the resources that exist, like in this room for example, but certainly in this building today, plugged into the campaign space on both sides of the aisle, because we know everything we need to do, I would argue, to protect certainly these midterm campaigns, because they're, in the scheme of the world, they're pretty simple organizations. You know, they're anywhere from like 10 to 200 people by and large. Presidential campaigns are bigger and the more complex, and the committees, you know, the campaign committees or the DNC or the RNC, those are more complex, but I would even argue there we have all the tools and resources, we're just not, we're not getting connected. So we got to deal with the cultural piece, and then we got to figure out how to apply the brain power that exists and the strategic know-how and get people up to speed.

So first hand I'm seeing committees and different campaigns come to us and say, hey, we want to use a different kind of tool for communication.
And so that's a, I don't know if that's the United States thing, but it's apply a product to a problem. Talk about France a little bit, because I think there was a little bit of a different approach there.

Yeah, well, and I'd say during, and we talked about this, during the campaign our problem was we didn't know if the Russians, so again, we were the campaign, we knew the DNC had been breached. As a campaign we, we had to assume we were breached too until we could get a team in there to test that. And so the question came up: how do we communicate, how do we share documents, how do we do phone calls, and how do we message each other? And that's where, you know, the encryption piece became key. So I think between Wickr and a lot of, there's other solutions out there, I think that's going to be a lot better next time. You know, that people won't face, like, there's almost like a comedy sometimes, we were trying to figure out, like, do we print this, do we, you know, what do we do. But in France I think a few things went much better there. First of all, you had a non-military, non-law enforcement government agency work very proactively with all political parties together to provide them with strategies to better secure themselves. So first of all, just providing that base level security that they need. But also we know that the government worked very proactively with Macron in particular, when they knew that information had been stolen, to set up a bunch of honeypots basically, so that when it was pushed out there'd be confusion about what was real and what wasn't. We in theory have that with DHS, and they're working very hard to get into that space, but I think we have a long way to go in terms of having that kind of working relationship. Look, the other piece in France was the media was blacked out for days when that came out, and that's never going to happen here, that shouldn't happen in the United States.
I would never argue for that, but I think, like I said, I think there's an important ethical discussion to be had about, let's say that information is put out. Every reporter I've ever worked with, and I understand where they're coming from, is going to say, well, if I don't report this someone else will. So if I'm running a news organization that's supposed to keep people informed, I need to report that. So I also don't think the answer is the news media saying, well, don't, you know, we shouldn't mimic a blackout. But I do think there's important contextual information, and I think, I'm certain most reporters now would say, well, if we had all the context around what was going on when these emails were put out, we of course would have provided that context. So I think there's a real question about how do we take intelligence and get that out there faster. In real time is too much to ask. But how can we leverage resources outside the IC community to give reporters more confidence to give that context? So that's just one of many things.

Yeah, I mean, don't get me wrong, I'm interested in products being used, but I love the misdirection piece. I love the fact that law enforcement came together and said here's it. You know, we're going to learn from what happened in the U.S. and we're going to figure out ways to make that information less disruptible. Because that's a lesson that they learn.

Here's a funny thing too. We actually discussed doing that when we, we learned very shortly before it was announced the DNC had been breached, and I remember brainstorming this idea of, like, putting a honeypot in there so we could prove, like, if we saw where that popped up. And we didn't do it because we were afraid nobody would believe us. Now I think everything would be different. But that's where, if you had a government agency partnering with you with credibility, you can do those sorts of things.
Okay, so some of my naivete around the political scene was I don't think I fully appreciated the difference between the DNC and the campaign itself, and so as Robby talked about, you know, he ran the campaign. And so I'm pivoting here. I'm making an assumption a lot of people in this room, just from having come here for years, you're working on security problems for larger organizations. Something I didn't appreciate was that you were actually a CEO of a 5,000 person startup that had to kind of grow overnight. And so, I mean, I've been working with companies like that for a long time and I absolutely understand that it's difficult to build an organization that is growing that fast and changing that fast and then to put the appropriate, you know, priority on securing your systems. That's kind of a heavy lift and not something I appreciated. So in that context, you know, if Podesta's email is the huge thing, the tremendous thing that changed everything, you know, you told me that of the 5,000 people you were overseeing, you know, 4900 were only using their phones and messaging, and yet it's this Gmail that had all the impact. How in retrospect would you attack those two different populations that are not aligned: I'm only going to use messaging, versus, you know, kind of what is the equivalent of like a board of directors or a C-suite that's using older antiquated technology?
Well, I think the, I mean look, this gets to this whole cultural issue, and I didn't know very much about cybersecurity at all, and I certainly didn't have any training in how to lead an organization when, again it wasn't, when there was a breach that affected us so deeply, right? And in fact, as an example of that, the DNC had some PII taken and put out. Those were our donors that we directed there, basically. So we had to kind of deal with this thing across the board, and I don't know the answer to this. The cultural piece is so key. If the staff are sensitive to understanding how their behavior could potentially lead to something that's catastrophic for the organization, they'll do the right thing by and large, as much as they can. It's really hard to make that real until it happens. So I noticed, we talked about this at the beginning of the campaign, you know, we had, we required two factor for the work accounts, you know, we had endpoint protection on the devices and everything, and we talked about it, and we talked about not clicking on the links because we were all getting phished pretty constantly. But, you know, I can tell you the way people behaved and the way people heard and checked into those conversations after the DNC breach was totally different. I think the other thing that really helped was like phishing our staff, you know, internally, to prove to them that everybody had more work to do to be vigilant. That I found was a really helpful conversation starter. But look, I think they were both, I guess they were similar in that people needed to understand, and we have to start being sensitive that anything we write down could be out there, and we have to be sensitive about what we save. So another example is we auto-deleted emails after every three weeks. Some people were archiving. They changed their behavior after that happened. And so, you know, hopefully, I think the sad reality of more breaches is we'll have more reference points that hopefully make it more real.

So this gets to be a Wickr-y
thing, so apologies in advance, but one of the other things I learned around ephemeral communications, and so look, when I was out there I was always thinking about attack surfaces and crown jewels and what's the thing that matters most to the company and how do you access it and how do you protect it. And in political context you say things like polling data or opposition research and people are like, oh god, yeah, that has to go right away. And so, you know, it's interesting how the political campaign has these pieces of information that are very different than other things. I mean, communications are one thing, but there are certain pieces that are not needing to be kept around. Can you expand on other things or why that is?

Well, definitely. I mean, I think for every organization nowadays there's the liability of maintaining something and the liability of deleting something. Obviously some organizations have a legal obligation to preserve communication, so there's a high liability for deleting that. That's pretty simple. I think for a campaign, where we have very few retention requirements, the liability of keeping anything is enormous, and in particular because campaigns exist to communicate a message to people. That's all we do. We communicate. At the end of the day, the tactical, we do a ton of things, and a lot of times we sort of think about, well, they produce TV ads or they organize volunteers to knock on doors. All about delivering a message. And the killer about an information operation like what was perpetrated, and the danger in any communication whatsoever getting stolen, is that blocks your ability to communicate, even if it's just the media talking about the fact that you had a breach instead of your own candidate's ability to get out there and just drive what you want people to understand about them. So that's why on it, like, I've been arguing to campaigns now, just default is ephemeral. Obviously there's exceptions when you have legal requirements, but there's just very little reason to
keep things. And I even experienced situations, you know, where we had people breach retention policies who had to, you know, when I was doing congressional races, who had to spend time in depositions for hours and hours. In fact, we talk about redistricting nowadays, Republicans would try to take our emails and spin them into, you know, getting, defending their really terrible gerrymandered maps. So I just think there's every incentive in the world not to keep that information.

There's some, about a decade ago, I thought, some really thoughtful security people, when they talked about red teaming exercises, that was about, I think, when it became more and more popular to do red teaming, and they would say, what I really want to understand is how to deal with the PR aspect of this. What matters, you're going to try and fix the problems, but it's how you control the message. How would you control the message differently in retrospect?

It's a great question. I would have been more forceful about what was going on, in terms of the Russians were deliberately doing this to hurt our candidate and help the other candidate. I think it even seemed crazy to us, you know what I mean? And it certainly seemed crazy to a lot of other people, and if you go back and read the early coverage, you know, it was dismissed to sort of spin. And I wish we had done, I think we could have done more to formally bring reporters in with numerous experts to reinforce that this wasn't just something we were concocting, this was a real, we were saying what we were being told by, by genuine experts. And in fairness to our communications people, they did, they brought experts around, but I think we potentially could have somehow raised the bar on that even more and brought in, you know, brought that into, in a more focused way. Not to get off track, but like Donald Trump, this is actually, I think this is the thing that Democrats are kind of like sometimes least conscious about moving forward: it is incredibly difficult to drive a message when Donald
Trump is your opponent. It is a period, for starters, it's really hard when you got all this other stuff turning around. So, you know, I think there's a lot of different tactical things we could have done to draw more attention to our message, but I think back then, and certainly moving forward, we've got to provide the context so that voters aren't just hearing the intriguing pieces, they're understanding that it's part of a broader effort. That changes the way they hear the information.

That's not become at all, I'm not advocating that, but I would imagine that people are thinking from strategic thoughts about how to deal with the information in the next election cycle and how you can use that to your advantage while also trying to protect communications. So I think there's a lot of strategy there.

Yeah, no, look, I mean, we have to completely, we have to completely start from scratch and rethink about the way people receive information about what's going on and figure out ways to help drive and control, to the extent we can, the narrative of campaign. I can't even, this is like my big thing that I haven't had enough time to talk about. I mean, look at the last few days. It's so hard to drive anything when Donald Trump is around. I mean, it's like that reality show, it's like you've got like the PBS, like you've got like the Lawrence Welk Show and he's got like Survivor, you know what I mean? It's like, it's really hard.

I'm going to switch gears here real quick. I'm going to assume for this room a relatively provocative question that's around policy and the law around encryption, and there's an awful lot of discussion right now around, I mean, are back doors mandatory, and do you have an opinion on that? I think what's more important is, do you see any distinction on the left or the right in terms of someone falling into a certain camp on that issue?

Yeah, well, I think, I think the good news is people in the two parties are in different places. You've Democrats who are definitely pro back door, you've
Republicans are pro back door, and then you've people on both sides who are not. I, my answer to this would be, I don't know enough to feel passionately, and number one, and number two, when I talk to experts, the idea of building a back door opens up vulnerabilities, potentially as many as it's trying to solve, and there's also a legitimate argument that, like, that's just not possible. You, you, you create, what, you created back door in this technology but this one doesn't have one, so why aren't people just going to go there? And so that leads me to think that it's, it's hard to imagine how that scenario is realistic. All that said, the reason I start by saying I don't know enough to feel especially passionate is that I think the political space, I think this world needs to help get elected officials, and actually practitioners like myself who are interacting with some of those officials as candidates, better educated on these issues, so that there, we have, we can look at it from multiple angles. I think people who want to protect lives and stop terrorists are entirely legitimate, and I think Alex's, Alex Stamos' speech earlier this week really encapsulated this well. I think everybody has really good intentions, but I think sometimes the policy debate isn't as productive as it could be because you've elected officials, many of whom just don't understand the basic technological, the basic technologies or mathematics that we're talking about here. So I don't know if that's a long answer. No, it doesn't fall in party lines.

I was just going to weigh in, I think that would be one of the worst things that can happen here. I don't see that actually. I mean, we're getting drawn in that conversation quite a bit and I don't see that happening, and I think it would be very damaging if it did.

I would lump cyber security in there in general too. I think conflating whether what Russia did is bad with whether Donald Trump did well in the election or anything else is horribly counterproductive and stupid. Democrats and
Republicans should be angry about what happened. We know that in past elections both campaigns were hacked, and we have to work on this together. And actually, sorry, the last thing I'll say on this, this is something I'm passionate about: I think the political space can learn from the security space, because, you talked with these, the, I was at the CISO summit at Black Hat, they're competitors out front with their customers, but behind the scenes they're working together on security. We've got to build that culture in the political space. My goal and my hope is that within a year or two you see Republican and Democratic folks working together on this issue pretty seamlessly.

So Mike, I'm going to layer on there. It's not just my military, but it's the people, and I deal with this sort of thing. My job is to really, truly is to protect all the people, not just a segment, and you see what you're talking about is a little bit of this, a little bit of that, it's a whole damn picture.

This is typically a bit of an activist community. I'm going to go out and pitch in and help, and I'm going to tell you it is, we're halfway there I'm told, and we're about to go to Q&A, so if you guys want anything I'm going to open it up, it's not a problem. What I was going to say is it's hard to understand DC. Let me rephrase: it was hard for me to understand DC when I got pulled in, and I was given an opportunity to step in and try and help people untangle some of this stuff. It's a different language, or it's a different decision making model. It's not fast for sure, so you have to be patient, but if you really care and you want to get involved in this issue you can definitely lean in and get it done. Did you have any other questions you wanted to ask?
I'm going to do this just to say, now I see a hand back there, I'm going to open it up for a question. I think what they want you to do is walk up to the mic. So there's not a mic. I'm not fully understanding why that would be the case. I think we'd give up, I think you and I can share this one.

Sorry, I saw the stand, I figured I'd stand there. I have two questions, if you don't mind. My first question is, you just claimed that both political parties were compromised this election cycle?

No, I assume in the past, in 2012. That answers one question. On 2016 I just don't know. We've been told that at least the Russians were trying to do the same thing to the RNC. Whether they got in or not, I just don't know.

My second question is that, as someone who has served for a party that was not the DNC, to the point that was just made earlier, there are some of us who would love to engage in political technology across the aisle, and in this current commercial and political climate it's very difficult to do so as a vendor. Obviously I'm not asking you to speak for the Democratic Party, but in your opinion are we entering a world where that fungibility of allegiance is viable?

And I don't understand your question. Are you saying can people work, can like a Republican help Democrats?

So traditionally you'll find that you have to pick a side if you're a vendor in American politics. How far are we away from eliminating that concept?

What's that? It's a great question. So the work I'm doing at Harvard is going to pass us in a speech on Tuesday I think it was, so I've partnered up with Romney's manager from 2012 and we are, Alex announced that we're putting together an ISO, a bipartisan ISO for campaigns and parties, so it will serve on a bipartisan basis to provide that node that you're talking about. What we want to have is first of all a culture change where the parties are working together on this behind the scenes, where we want to beat each other out front but behind the scenes working together, and then secondly the
good news on this is I have not met a single person who doesn't want to help. So we want to provide a place where people can bring that help and know that they are helping the system and our democracy and not having to pick sides. So I don't know if that answers your question, but I think that's where we need to go.

Independent entities is certainly viable, but there are companies that have contracted for either of the two major coalition parties and for smaller parties that find it impossible to get business with other parties, because you're painted once you contract.

I see what you're saying. We may get to a point where that's not a problem anymore. I think the more the parties are working behind the scenes on information sharing and threat awareness, we could potentially get to where you're talking about, but I don't know in the short term. It's interesting, I mean, look, I'll give you an example: we picked a different firm to come in and take a look at our stuff than the DNC, because we didn't even want to have the same firm as the DNC necessarily, right? So some of that, you deal with this in the corporate world too, I imagine.

So I work for a large security vendor. I was the speaker in the session before yours, and I'm very passionate about this topic. I actually gave a talk about doing fact checking on the indicators of compromise that have been publicly released by the various companies who investigated the different breaches that happened in 2016 related to the different bears. And a comment and then a question for you. The comment is, as good as the security community is at sharing information internally, I still think we have a ways to go. One of the things that I learned in doing my analysis of those IOCs is that there was limited utility in that information, that there were some file hashes, for example, that reference files that I just simply had no access to and that there was no way for me to get, so there was no way for me to validate that the files were what the company who said
that they were related to such and such attack and did this certain behavior, I wasn't able to confirm that that was the case. What we're seeing around us is a very rapid erosion of civil society, and we're getting to a point where it definitely feels like there's a portion of this country that will do anything and will stop at nothing to win, including and obviously on top of everything that has already happened that was dirty tricks in the last election. How do we reverse that course and convince people who are very interested in winning that they need to do it in a way that shows that there's some legitimacy to their win? Otherwise people will be upset.

Yeah, it's a really hard question. I don't have a great answer, but I'll give you some thoughts. I think the first thing is, I think there are way more people in this country who want to do things the right way and have good intent than there are people who do not. And so I think creating a space for people who want to have a democracy that is robust and where we're arguing with each other, but isn't sort of, where ultimately we are greater than the sum of our parts. And I think the problem right now is, to your point, we're just gnawing at each other. So I think there's long term value in lifting that piece up. I also think in campaigns we need, I think something over the last 10 years that happened was, like, people like me, the campaign operatives, we kind of became enamored with what we do a little too much, and I think the media sometimes reported that campaigns are not the voters listening to two arguments and then making the best informed decision, and it's on them to pick the right person, and more about, campaigns are about which team can manipulate the situation better to their advantage. And so I actually think part of what I've been, you know, I talk about this with some reporters sometimes, is like, we've got to get, we've got to always go back to what are you, what's the case you're making to the voters, and not what fancy, you know,
psychographic tool do you have to manipulate people's thinking, because when we celebrate that, we encourage people to go to do those things. Does that make sense?

So the success of the current campaign, you know, shows that there's some, you know, effectiveness to that, and that they might want to continue to do that.

That's the narrative. I mean, that's the question I want to push on a little bit, is I think we're too quick sometimes to point out tactics as the reason that somebody was successful and not look at bigger things. If there's anything I've learned in all my time in politics, like, big part of why President Trump's behavior is not a problem right now for a lot of the electorate is the economy is doing very well, the stock market is doing great. If the stock market was losing 200 points today, I don't think this behavior would be tolerated. There's those meta things, but that's never what gets written. It's like, oh, it's this little tactical thing. And so I think we need to, like, step back and get out of some of that, because I think it encourages some of that nefarious behavior. I'm not saying any of this is a panacea, and the point you made, right, but yeah.

So when you were talking about encryption and backdoors being a nonpartisan issue, you kind of phrased it as saying you knew people who are pro backdoor and people who are not, and then you kind of went on to say you and others are not very passionate about the topic sometimes. Do you know anyone who is anti encryption backdoor, or is it largely just people who are pro or kind of undecided or don't really care, don't know which way to go?

Not the best person to ask, but, you know, you look, there's a libertarian wing of the Republican Party, and I think a lot of those people are very much on the record against the government doing anything, having any backdoor to go read people's materials. I think there are liberal Democrats who are in the same place. So I think there's lots of, you know, elected officials on record both ways, and I think the, I
think, yeah, right, or I think Paul, I think, or, you know, pretty out there against it.

Do you see those pulling a little bit more along some lines? So there's a liberal and a, sorry, libertarian sect of the party, or, you know, do you see more of a line there than you see?

Okay, that's good. And he, you know, it to me doesn't fall in a map in a specific way, geographically, party lines. It's probably more, you know, but it's probably more like law enforcement versus, you know, some other, like there's a lot of, honestly, I just think it's people have had time to think about it. I think there's almost inevitable in the state of the thought process, and it's people been involved in the debate. It's the backdoor, yeah, they're listening. That's been my experience. I mean, people who have been tasked with looking at this issue, and it doesn't always fall down, you know, some people take a long time looking at it and they're like, yeah, we need to have an easier way to get access to these communications, but ultimately it's the people who been around the issue for a while, I think, who end up with that inevitable, we've got to find a way to not mandate backdoors. One was only having two mics.

Okay, a quick comment to follow up on his, which is, to the people who are in favor of backdoors for the government, if we can convince them that backdoors can be used by bad guys as well, we haven't figured out a way to fix that, then the question I would ask to the people who are in favor of it is how would they feel if their campaigns were hacked and it was public, right? So my question is, just to assess the risk, what is the data that has to be kept for governmental reasons, assuming the communications are all going through Wickr?

Yeah, very little. There's some compliance information you basically have to store. And in fact this is why a campaign breach is sometimes the flip of a corporate breach, is you don't need, the only reason the DNC had PII is because you need that for when President Obama was doing events, basically, people need
to get waived by the Secret Service, but otherwise all of your donor information is public anyway. So for us it's actually the information itself. It's not so much a financial loss as an opportunity loss. Okay, does that make...

One of the things you mentioned was that we had basically a company growing up 5000 people all at once in a very short time. Can you guys hear this in the back? I was supposed to switch on it. Test, test, test, one two, one two, hello. One of the things you mentioned was that we had a company grow up to 5000 people, an organization grow up to 5000 people all at once. You're going to have cultural problems with enforcing best practices with respect to compliance and making sure that people don't get phished so easily. Obviously, you know, this is not an easy thing to deal with, but I would ask the question, what sort of policy recommendations might you make to make the transition to making campaigns, Republican or Democrat or whatever, making them more secure as the organizations instantly grow?

Yeah, no, it's a great question. I think it's a few things. One is just making the right tools readily available. So like a small campaign should be using a cloud-based email service with all the right settings right off, including two-factor. Right off the bat you've gotten like 90% of the way there, right? Those sorts of things need to be routinized into the culture of campaign management, so when I'm setting up a campaign I know to, like, if I go, if I, if I go with certain cloud-based services and I use two-factor, I'm in good shape. And then I think the third piece is getting managers in a, I mean, maybe it's because of my experience, I just think it has to start at the top. So just this, I mean, for example, this is ironic given the current news of the last few days, one of the things you're very sensitive to on a campaign is that your staff don't just wander out and talk to the press all day long, right? That is just something that you, that you make very clear on day one. There are consequences. It
should be the same thing about phishing, about what you're putting in an email, about what documents are saved or not. All of that just needs to become part of the culture. I know that sounds sort of ethereal, but I actually think we can do that pretty quickly and it will make a huge difference.

One thing, he mentions that you're working on a new ISO with a partner at the new organization you're with. Would this cover, or would this be part of your ISO?

Yeah, our hope is that we can, that it can be, again, a clearing house and a place where, that can provide that sort of training and resource. We have some, like, legal challenges we need to work through to get to that place, but yes, sir, answer's yes.

Yeah, kind of to build off of what he was asking, where do you see state and local parties, those smaller organizations, fitting into this? Because I know we're talking about federal breaches and Russian hacks and stuff like that, but if you think about it, I mean, just last night the vote came down 49 to 51, so one state election could determine policy for an entire United States. And I know for a fact that, and I'll remain unnamed, state party has had an evil twin attack against their building, so they're definitely happening at that state level.

No, absolutely. And in fact I think the most egregious and painful hacks of last time were actually against the DCCC, when those self research books about the opponents were taken and given out locally. So the good news, though, is if you put presidential campaigns aside, state parties and these state campaigns, congressional campaigns, state ledges, all, so if we can just get them on these cloud-based email systems and document sharing systems with the right settings, we're in like such a better place than we are today. But that's where the vulnerability is. Look, the other vulnerability, just quickly, is the families of people running for office. I think that's the next place you're going to start to see.

One of my observations there would be, I talked about how I'm trying to
learn politics. The state local level is a whole new Rubik's cube, and so it's heavy lifting to understand how you can help at all those levels. The other thing, one of the guys earlier was talking about trying to sell software into politics. You talk to offices and they're trying to scrape up change from the couch for laptops, so we're not talking about organizations that are going to buy you an island. You have to really want to help in this arena, and that's even at the higher levels. Getting in the state local government is going to be a difficult thing.

I guess you kind of touched on this, but are you working on some way of getting a platform that then is affordable? You're talking about these cloud platforms and stuff like that, and you're saying we don't have the money, which is a thousand percent true, and I know that the cost of internet security is going way higher than people can afford that need it. So is there some sort of plan in the place to try to get this, is that what one of the questions are, should the government step in and be like, here is something that all campaigns can use?

I'm just going to use my voice. I'd say my experience has been that to go do something at the highest levels in a procurement cycle is going to take a really, really long time. We're just going ahead and trying to be as inexpensive as possible and help. That's not how we're kind of approaching corporate clients, but definitely in the political arena, if there's going to be fast change, it's not going to crack rates.

So my question focuses more on the back end aspect of doxing, whether the documents were released on the internet, and the challenge that caused for the campaign. So you talked about kind of the data retention issue, trying to get rid of your data so that it's not available. Let's just assume that all the best security measures don't match up and data is released. How did this experience change your view on campaign strategies for protecting, or once your data possibly gets out there, how does
this experience kind of affect how a campaign responds to doxing, the release of information? Like, I guess as a voter one of my concerns was I saw this data but I wasn't sure if it was accurate, if it was, the integrity of it. Just how do you view that?

Yeah, well, I think, again, this is where France is a great example, where they prepared in advance for this to happen, right? So it was, and I think this is where this will be better in the future. It will never happen quite like this again. It won't be as easy. The media won't be weaponized so totally. The information won't be so purely broadcast out to people. So yes, look, I think every campaign now needs, the same way it was routine for us to sit down and say what are we doing to secure our office and our emails at the beginning, now you're going to sit down and say, let's imagine there's a breach. First of all, do a basic tabletop exercise the way that any other corporate entity does nowadays. But then second, let's say there's an information operation, what are we putting in place to disrupt that, so that if stuff's stolen there's a disruption factor within what they take, but then also how are we managing that, you know. And we could talk about that for hours, but yes, I think all that just needs to become part of the routine.

You kind of mentioned this, you kind of mentioned this already, but you said that if you knew, or if you understood, like, the full extent of the Russian hacks, you would have, like, attempted to make a honeypot or you would have brought in more journalism, right? What do you think, like, tool wise and also culture wise, how do you see, like, campaigns changing in the future to respond, not just to prevent but also respond to hacks like this?

Yeah, so I think the first piece, that I mentioned earlier, is I think there needs to be a discussion between the media, the news media, social media, and the political space about, knowing that none of us want any foreign actor to be able to get in and influence us, how are we going to handle this
differently moving forward. And I don't want to prejudge what that looks like, and again, a blackout, you know, is not an option. And the other thing, just to be specific about it, part of why we didn't do more is because we weren't certain. We were told things by the experts, but a lot of people were, you know, saying that's not true, and we didn't, the intelligence community didn't say until October, you know, they didn't speak out on this, so we didn't know if we were, how firm the ground we were standing on was. You know, we had good reason to believe, we were talking to smart people who were very experienced. So I think also next time people will be a lot more firm when they say this is an information operation, and the media will understand what they mean.

So my observation is that we've seen this in the corporate world, where it pivoted from, you know, not if but when, and so I'm just seeing people understand that they're going to get owned the next election cycle, and they're trying to understand how to deal with that, not just how they protect their information but how they're actually going to work this tabletop exercise, such that it's not how do we protect our assets, when our assets get owned what are we going to do with it. Someone was asking about policy, and it's a little bit radical, but last company really tried to push for, I mean, I can't imagine growing an organization like Robbie did and training people not to click on links. I think their policy is click on them all and then build a team that can handle it, right? But that's the type of change I'm seeing in this mindset in these campaigns. It's coming, because look, you can't grow something that fast and have a bunch of young, just entering the workforce people, even though they're probably more passionate employees, I imagine yours are the most passionate employees that exist, they're going to do the wrong thing, and so you have to be ready for what happens when the wrong thing is coming. Previous election cycles, they knew the Chinese were
in there looking at their information, and it was just gathering. Nothing bad happened. So now they have this, you know, like white hot nasty taste of this in the back of their mouth. On both sides they know that this is going to be an impactful thing. So I think it's just more people are really, really battening down the hatches and saying, alright, this is inevitable, what are we going to do, what do we have to really protect? I mean, it sounds a lot like the corporate world, right? We've all gone through this: what is the most important thing to protect, let's go all out, and then let's be really prepared for when it goes bad.

And would you say that to that extent, like, do that, you see campaigns like yours in the future beefing up their in-house security analysis or just the third parties?

I think it would be like the corporate sector, both, right? So, you know, we had security, you know, full-time security people this time. I think you'll see that dramatically expand in the future, but then we'll also have partners that we're working with, you know, from day one.

My question is kind of based off the previous two gentlemen, as far as, like, when information is found and how it's delivered in situations like this. Like, information integrity was the biggest issue because it led hesitation to putting up honeypots and who would believe, I guess. And, I mean, I don't know, going forward, it's simply just being worked on, but how can we get that information more streamlined and get the intelligence community more involved to, I mean, in the two-party system it's difficult because the other side doesn't believe whatever they want anyway, but I mean, it seems like there needs to be an official policy procedure: we found this, this is how we deliver it as factual.

I totally agree. I think if we could have that, that would be awesome. No, and I don't mean that in like a dismissive way, I really mean that. That's where we need to get to. I don't know how we get there today in the political environment that we're in, and with, you know,
just, I'll leave it at that, but I think we've got to get where you're talking about.

So just to be a little bit of a skeptic, now that we know that's Robbie's strategy, if we're trying to run a campaign against someone, I mean, it's going to be hard. This is going to be the squishing of the balloon, right? As soon as we have a standard for how that information is distributed, you're going to figure out how you can impact the campaign based upon that standard. So I don't think it's a bad thing to do, but just, that's my nefarious way of looking at it.

Okay, great. I think we'll take one last question, if you can make it quick, sir. Nice t-shirt, sir.

Yeah, so I had a question. So it seems like if you had a campaign that seemed like it was run legitimately, and you're using all ephemeral messaging, not keeping anything unless you have to, but then at the end there was something that came out where they had colluded with a government agency or a foreign power, it seems like that it could be a really tricky scenario where there is no records, there is no something to look back on what happened. And so it seems like we have this need for encryption, we have this need for ephemeral communication, but at the same time we really need some ability to have accountability for who said what and who bought what, you know. So it seems like a really tricky problem to solve.
I'll pass it over to Robbie, but yeah, I think what I'm seeing happen now is that, I reference polling data and opposition books, and there's just stuff that comes on a really rapid scale. It's just, it's daily feeds, and you just don't need that stuff sticking around. But I don't think at this point I've seen, I mean, we're working with, the DCCC's using Wickr by default, but they're also using other communication tools for obvious reasons. But this is for, they understood their use case, and there's some stuff that just, we think of it as like molding bread. Maybe you'll get penicillin at some point, but mostly it's just really nasty moldy bread. Some of it just doesn't need to be around.

I'm not going to do better than the moldy bread. All this stuff is a trade off, right? Just the same way in our own inboxes, if we're erasing, the pushback I always used to get when we erase emails was, well, I need to go back and get those. And to me the pain of losing those emails is always outweighed by the assurance that nobody can go in and mess with you. So yeah, I just think it's a trade off, and I think in the current environment that we're in it's better just not to have stuff around. But everybody's got to make that choice for themselves. I'm seeing the orange shirt saying no more. Thank you, Joel.