The "DNC Security" Breach And The Argument For Open Source

With the recent and widely publicized DNC data breach between the Sanders and Clinton campaigns, everyone has been too busy throwing feces at the "other candidate" since this thing started to break down what actually happened, and what it illustrates about the DNC's data insecurity. Let me break it down to you in the simplest way I know how:

Imagine you and I share a computer, and we both have different profiles we log into in order to use it. I can't see your profile, and you can't see mine. In that profile, there's a shared folder that we can both see and add files to. Now imagine that the DNC's data is organized in essentially the same way. There is shared data that all of the candidates can see. There is also data that only one candidate can see, through their own “profile,” so to speak. Now imagine you log into your profile one day, and when you go to the folder we share, you can see all of my data, all of your data, and all of the shared data. And when I log into my profile, my shared folder looks exactly the same: I can see my data, your data, and our shared data. Now, if you and I both had private data within our own profiles that we didn't want each other to see, this would be very bad news, indeed. Well, that's pretty much what happened to DNC database, and the Sanders campaign just so happened to be the first one to spot it. The analogy isn't perfect, but it works well enough without getting overly technical.

NGP-VAN, the company that manages the DNC's campaign database, is the real guilty party here. Their failure to respond efficiently to the breach despite numerous requests to do so is a far bigger problem than whomever happened to violate the breach first. Yet, it seems no one within their organization has been held responsible for maintaining a faulty system in the first place, let alone not dealing with a rather serious problem in a timely fashion. Not publicly, at least. Nor does it appear that the DNC will learn any real lesson about having independent contractors handle such incrediblly sensitive data.

But there is another way. This is about having control over your own damn campaign, DNC. NGP-VAN holds all of the DNC's data on their own private servers, out of the reach of the Committee when something goes south. And something always goes south. This is about the DNC having their data on their own damn servers, whether on site or remote. Servers their people control, not some third-party provider. What we're talking about here is "big data" by definition, and for the DNC and their candidates, this data is very, very, very important.

So, to the DNC I say: Get your own servers. Hire your own people. Roll your own damn database. Roll your own damn donation system. Roll your own damn website. Roll your own shit and do it using time tested open source software. There are tons of software engineers out there that are just getting out of college, and many of them are registered Democrats. I guarantee more than a few of them would love to have something like "Lead Database Administrator for DNC 2016" on their resume.

Build your system right, build it once, and as long as you have the right people in place to keep the system up to date in the "off season," it'll run for a lifetime. Take control of your own goddamn data. The data the DNC is collecting is far too important to leave in the hands of independent contractors. Have your own team build fail-safes into the system so that if the permissions do fail, the system locks everyone out until the issue is fixed. Have your own team in the main DNC office handling this so that you don't have to call a customer service line. Your service team is right there in your office, and they know your name, you know theirs, and you probably had lunch together last week.

Yeah, I know it's easier to pass this off on some contractor with a shiny website and pie-in-the-sky promises, but what's behind that website? Who knows? Only the people who built the software, that's who. And no matter how good they are, they will always be an extra link in a data chain that really shouldn't be there. If I ran the DNC (don't want that job), this would be completely unacceptable to me. I don't care who the CEO is, who he/she knows, or who owes them a favor. I would not run a presidential campaign on a piece of software I cannot have a third party audit if I were to feel so inclined. It's just too risky, especially when there's so much at stake. However, given the way privatization of public services has fragmented Washington in the last couple of decades, I guarantee you that, while this may have been the biggest breach thus far, it won't be the last before they get the hint.