Republicans hired the same cybersecurity firm as the hacked DNC, but it’s not clear that was a bad idea

When the National Republican Congressional Committee realized its emails were hacked, it called in a familiar firm: CrowdStrike, the same company the Democratic National Committee used in 2016 when suspected Russian hackers stole emails to sow electoral chaos.

The decision to employ CrowdStrike raised eyebrows amid remaining questions about the company’s performance in 2016, but several cybersecurity experts are pushing back on suggestions that the firm botched the DNC response, allowing more emails to be taken.

“Their reputation is warranted and they are very good. They have worked for both parties for years now,” said Nicholas Weaver, a computer security expert at the University of California, Berkeley.

“Criticism of CrowdStrike’s job in both cases is unfair. They are an incident response team: You bring them in AFTER the manure has hit the 3 MW wind turbine. So it is unfair to complain about a mess,” Weaver said in an email.

Few details are available about the NRCC hack, which reportedly lasted three months. CrowdStrike, which also worked with the NRCC before the hack, said in a statement it was asked in April to respond after the email intrusion was detected by another company.

The precise chronology of the NRCC hack and CrowdStrike’s role in the response is unclear. But reported details about the response to the DNC hack led to questions about why Republicans would use the firm.

A Daily Caller report said that CrowdStrike detected the DNC hack on May 5, 2016, but that suspected Russian agents were able to continue accessing documents until at least May 25, the last date of emails later leaked during the presidential election. “Their incompetence just makes me sigh,” an anonymous former Democratic employee was quoted saying.

But security experts say that allowing the DNC network to remain infiltrated for 20 days – if the reported chronology is accurate – is not necessarily a sign of a poor security response.

“There’s nothing glaring to me that they did wrong” in 2016, said Jim Jones, a digital forensics expert at George Mason University. “Kicking an adversary out of a live network is very hard … they were trying to do it stealthily, and that adds to the complexity.”

In response to a computer network intrusion, Jones said consultants typically offer clients options, including disconnecting a network from the Internet. A client may decide against doing so because of the resulting disruption of operations – in the case of the DNC, a potentially significant election-operation hindrance amid a threat of unknown severity.

“In the election cycle, shutting the network down entirely wasn’t a practical step,” Jones said.

Don Vilfer, a cybersecurity consultant, said that in his former career at the FBI he worked with CrowdStrike President Shawn Henry on a major operation, and noted that many details regarding the hacks of both the NRCC and the DNC are not publicly available.

“It is hard to comment on whether their response was acceptable without knowing a lot more,” he said.

But unlike other experts, Vilfer said he’s not immediately ready to discount criticism.

“I would not want to have emails leaving the system to hackers for weeks after our response,” Vilfer said. “I think it is fair to criticize taking weeks to resolve the DNC hack while emails continued to be siphoned off the system.”

Vilfer said that “the perplexing part is why did the NRCC hire them when this was widely known?”

“You don’t instantly get some magical cloak of protection the day that you hire a security firm,” added Dan Guido, co-founder of Trail of Bits, another cybersecurity company.

“It’s an ongoing struggle to map out the network and discover first, second, and sometimes third-line backdoors intended to preserve access even in the face of active efforts to remove them,” Guido said. “Furthermore, security firms may let intrusions continue for a short time to ensure they have complete awareness of their extent before a removal effort.”

Troy Hunt, an Australian data-breach expert, said CrowdStrike, along with another large firm, Mandiant, “often feature in incident responses of large or serious natures.”

CrowdStrike was founded in 2011 by former McAfee anti-virus experts George Kurtz and Dmitri Alperovitch, who was born in Russia. It has grown into a large operation claiming to have assisted clients in more than 170 countries.

Company spokeswoman Ilina Cashiola said the firm sees business from both sides of the aisle because of its “reputation-building” work.

“We are one of the top firms for incident response and many organizations that suffer a breach reach out to CrowdStrike to investigate and remediate,” she said. “Unfortunately, in most cases, we can’t discuss or disclose information related to customers.”

In response to the NRCC hack, the company issued only a brief statement, saying: “In April 2018, CrowdStrike was asked by the NRCC to perform an investigation related to unauthorized access to NRCC’s emails. Prior to the incident, CrowdStrike was helping to protect NRCC’s internal corporate network, which was not compromised in this incident.”

What was taken from the Republican Party’s House campaign arm, and how the infiltrator plans to use the information, remains unclear. Hacked emails were not deployed against Republicans ahead of the November midterm election.