DNC security chief: We're making changes after false alarm over thwarted hack

After an embarrassing about-face in which the DNC first claimed that it had thwarted a possible hacking attempt and then disclosed that it had only been a test, the committee is making some changes.

The DNC is crafting rules for how state parties and other campaign organizations can run cybersecurity exercises that affect the party’s technology infrastructure, DNC Chief Security Officer Bob Lord told POLITICO.


“With any entity that wants to do something more advanced than hiring a phishing company to do training, they’re going to have to notify us,” Lord said.

On Wednesday, the DNC told reporters that it had learned about a fake version of the login page for the VoteBuilder tool that Democrats use to manage voter data. It and its technology partners, including the security firm Lookout and VoteBuilder developer NGP VAN, believed that someone was preparing to pepper Democrats with emails that would trick them into handing over their VoteBuilder login information.

But early Wednesday afternoon, the DNC learned that it had not been a nascent attack. In reality, the Michigan Democratic Party had enlisted the support of a tech group called DigiDems to test state party officials’ ability to spot spearphishing emails, according to a Democratic source who requested anonymity to speak candidly.

DigiDems’ test setup “very closely mimicked an actual attack framework and did not in any way exhibit any behaviors of a training system,” Lord said. “This was a system that was set up expressly for doing much more advanced attacks.”

Lord and DNC Chief Technology Officer Raffi Krikorian quickly huddled with their cybersecurity team, along with representatives of Lookout, NGP VAN and DigitalOcean, the hosting platform where DigiDems had set up the fake site.

“We had certain bits of information from Lookout that was different from the information that was obtained by DigitalOcean, which was different from the information that was available to NGP VAN,” Lord said. “And some of the data points seemed inconsistent with the initial story that this was just a phishing exercise.”

It took a while “to make sure that we were able to account for all of the seeming anomalies,” said Lord, who spoke to POLITICO from a meeting of the Association of State Democratic Committees in Chicago. Eventually, after consulting among themselves and speaking to DigiDems, “we knew that we had a complete understanding of the situation.”

By late Wednesday evening in Chicago, Krikorian’s team was satisfied that it knew what had happened. A few minutes before midnight Eastern Time, the DNC issued a new statement explaining that the fake site was “built by a third party as part of a simulated phishing test on VoteBuilder.”

Lord downplayed the embarrassment of the reversal and said he was impressed by “how quickly the right people came together and how quickly we worked through the issues.”

“I don’t know that that would have happened two or three years ago,” he added.

Lord, a veteran cybersecurity executive who previously led digital security for Twitter and helped Yahoo investigate and recover from two massive data breaches, stressed how unusual this situation was, telling POLITICO, “This is the first instance I’ve seen of something like this.”

But from now on, he said, the DNC needed to know about the cybersecurity exercises that its state parties and other affiliates conducted against Democratic technology platforms.

“They need to take into account the fact that multiple stakeholders may be involved,” Lord said, “and that each of them needs to be aware of these types of” simulated attacks.

Lord pointed out that companies like Amazon, which runs a widely used cloud platform, similarly require written agreements if their customers want to conduct exercises like penetration tests against those systems.

“That system that Amazon has in place is there because, when their alarms go off, they want to know if this is an actual attack or just a pen test,” he said. “We’re going to have to [set up] something similar to that.”

Brandon Dillon, the chairman of the Michigan Democratic Party, acknowledged that his team had been behind the incident.

"In an abundance of caution, our digital partners ran tests that followed extensive training," Dillon said in a statement. "Despite our misstep and the alarms that were set off, it’s most important that all of the security systems in place worked."

Alicia Rockmore, the co-executive director of DigiDems, confirmed that her group “ran tests on the Michigan state party campaign’s internal security measures which tripped an external alarm.”

“Despite our misstep and the alarms that were set off,” she said in a statement, “it’s important that all the security systems in place worked.”

Daniel Strauss contributed to this report.

CLARIFICATION: This report has been updated to more accurately reflect a quote from DNC Chief Security Officer Bob Lord.