Until October, John Podesta was most known as a diehard Democratic campaigner who worked in the White House under Bill Clinton and served as the chairman of Hillary Clinton’s presidential campaign.
But after WikiLeaks began publishing a trove of Podesta’s emails in the final month before the 2016 election, Podesta became perhaps the most widely recognized victim of hacking. U.S. intelligence agencies have assessed that Russia stole Podesta’s emails — which contained everything from his risotto recipe to transcripts of Clinton’s private Wall Street speeches — and leaked them in an effort to tip the election in favor of President Trump.
Podesta reflected on the hack and its aftermath at the NewCo Shift Forum today, along with Shawn Henry, the president of the cybersecurity firm that investigated the DNC hacks, and Marc Elias, an attorney who worked as general counsel to the Clinton campaign. Podesta called out the FBI and WikiLeaks for damaging the campaign and issued a warning to tech and the media about the rise of fake news.
“I think to this day it’s inexplicable that they were so casual about the investigation of the Russian penetration of the DNC emails. They didn’t even bother to send an agent to the DNC; they left a couple of messages at the IT help desk saying, ‘You might want to be careful,'” Podesta said. “There are at least forces within the FBI that wanted her to lose.”
Henry, the president of CrowdStrike and a former executive assistant director at the FBI, also questioned the Bureau’s reaction to the hacks that plagued the Clinton campaign. Henry recalled personally notifying the Obama and McCain campaigns about breaches that occurred in the run-up to the 2008 election.
It wasn’t just that they didn’t like Hillary Clinton’s pantsuit, it was that Putin had a vendetta about her. John Podesta
“Obviously the DNC should have been at the top of the list in terms of prioritization. The agents engaged there didn’t seem to recognize it for what it was. I believe they didn’t pay enough attention to the severity of the attack, what was being targeted by whom, and what the results might be,” Henry said. “There has to be a sense of urgency. If you don’t see an attack on the election system as a threat to our national security … then you’re in the wrong country.”
CrowdStrike investigated the DNC breach and attributed it to Russia in June, long before the intelligence community released its own attribution and before BuzzFeed published unverified allegations that the Trump campaign colluded with Russian intelligence to orchestrate the hacks.
The allegations have had little meaningful impact on Trump so far. Trump has been able to leverage fears about election hacking to suit his own agenda, Elias claimed. “Efforts to crack down on voting and make voting harder — it’s open season,” Elias noted. “I think what Trump is doing now is signaling the next stage: not just to cut down on convenience voting but to have the states be much more aggressive in the registration process.”
TechCrunch caught up with Podesta after the panel discussion to learn more about his experience with Russian hackers and what political campaigns need to do to step up their cybersecurity.
TechCrunch: When did you know your account was compromised? You were hacked in March but these emails didn’t start coming out until October. Did you know in between then that this was a possibility?
Podesta: In the summer, when the DNC hack documents started coming out, there was a document in that release that didn’t seem like it would have made its way to the DNC and may have come from my email account. So at least the possibility I’d been hacked rose during the course of the summer. In August, [Trump adviser] Roger Stone started pointing to WikiLeaks and pointing to me. So that seemed to be the second indicator that they at least had something, but it wasn’t until October 7th that the full extent of the loss was known to me and our team.
Hours after the leak started, you tweeted that you were attributing your hack to Russia. Did you already feel confident that was the case?
Our tech people might know the answer to this, but I think we had a strong suspicion that this was going on. Other people’s emails had been compromised. They had done the forensics on those. So I think we knew that, and Shawn talked about this, that there were two different incursions into the DNC but the GRU, the Fancy Bear side of this, was active in going after personal emails.
A lot of the people I’ve talked to who have had their emails leaked are victims of doxing, and they go into hiding. But when you’re in the final month of a campaign, you can’t just hunker down —
Put a bag over your head?
Yeah. How did you deal with it personally?
I was in the public eye, I was doing media. I had to answer to some of the specific questions that were being raised. Marc Elias raised this point on the panel, which was that my emails themselves weren’t all that sexy. So I was able to go out and put them in context and talk about them. In the final month of a campaign, you’ve just got to be in overdrive. So you can’t even take the time to feel the pain. You’ve just got to move forward. I noted the things that — hurtful things happened to people, including my own family, that obviously I paid attention to and cared about. But for the most part, it was just, ‘What did they put out today? What are we going to do about it?’ Try to knock down stories as best we could. Try to put the context of the fact that this was a foreign power directly interfering in our election in context. Get that story out.
I think we still needed to try to press the case and give the public a sense of what was happening, what the stakes were, and why. It wasn’t just that they didn’t like Hillary Clinton’s pantsuit, it was that Putin had a vendetta about her and her tenure as Secretary of State. But mostly it was about Trump having adopted positions that were extraordinarily friendly to Putin and strongly at odds with a bipartisan collection of national security officials and people overseas.
How do you think this changes the way a campaign needs to be run? Everyone’s freaking out about the risk of being targeted by an adversary that you’re wholly unprepared to deal with.
I think there’s two aspects to that. One is the technical protection of your communications. The use of greater encryption, the sensitivity. I thought I was pretty sensitive. And I did learn one thing from this, which was a bitter experience. I just didn’t realize how much I had archived on Google. I’m fairly sophisticated, but it just was not in my consciousness how much, including in the delete folder, was still there. I should have known that. I should have thought about, on my personal email account, what my retention policy is. We have one in the campaign. But I didn’t and I bet you a lot of people don’t. They rely on the default and they don’t realize the retention risk, just the sheer volume of what’s there.
The Russians have to feel empowered by what happened. This is probably the best money they ever spent. John Podesta
There’s a separate issue that floats through all this which is different, but also deployed by Russians and their actors, which is the fake news story. How one combats that, is able to put that genie back in the bottle, is going to be a big challenge for campaigns going forward. And you see that playing out not just in the U.S. but in other democratic elections. It’s just very hard. It’s easy to get mainstream media to say, ‘This is out there; it’s not true.’ That does not stop the spread of it. I think that the platforms have some responsibility to try to think about what solutions look like in that space. Are they creating technical tools and strategies that actually enhance fake news at the expense of real news? I think that was part of what was going on with Facebook. The way news was being delivered to the News Feed actually elevated fake news and suppressed the stuff that was debunking it.
But I think that’s an extraordinarily difficult problem, with a president for whom nothing is real. It is a context which authoritarians have been able to exploit. Ripping apart of basic reality — that’s what Putin’s done in Russia, that’s the way media channels work in Russia.
Is that a conversation you’re having with companies now? What are you telling them?
I think it’s mostly, “You’ve got to fix this.” If InfoWars went ‘poof’ tomorrow, I’m not sure things would be all that different — although I wish that they would go ‘poof’ tomorrow. The normal inclination to support First Amendment values, to not be censors, to support a robust conversation which leads to good democratic outcomes, is really upended by this. I’m not sure you can solve the problem, but at least mitigate the problem.
You were talking about feeling more sophisticated with your security. I’m curious about what measures you were taking. Because in the security community, I hear people say, “His password was just ‘password’ or ‘runner4567’ and it should’ve been better, he should have used 2 factor.”
But that’s sort of blaming the victim. That’s not particularly useful in this context and it’s kind of an excuse on that side. Look, as I said, I feel like I’m sensitive at least. And I’ve enhanced the technical security side of my life, but I guess I had a false sense of protection. I’m used to a lot of this and repelled a lot of it. That was naive I guess. I also feel like, this was pretty odd in that I never touched the keyboard. I had people who had access to my email, they checked with the security people, the security people told them to take a step they shouldn’t have taken.
If I knew there’d be a leak, I probably would have put [the Wall Street speeches] out earlier. John Podesta
So you don’t think it was you that clicked the phishing link?
No. And they checked, and were given bad information. Woulda coulda shoulda. I don’t think it was an issue of what the strength of my password was. Although I now have stronger passwords.
Did you feel any sense of vindication when BuzzFeed published the dossier on Trump, after having your personal information dragged through the mud?
If I had a sense of vindication, it was not about tit for tat from my perspective. It was the frustration that our campaign had with getting real news sources to really push and look at — maybe not the most salacious issues that were in the report. Everyone was focused on the sex.
The golden shower was the thing that trended on Twitter.
But all the stuff on money, the deep hooks that Russian money had into the Trump organization. I think it’s a small solace, but at least it forced people to go back and look again at what those connections were and follow those stories. And to not just say, “Okay, the election’s over.” Because this still has a deep overhang on the relationship between Putin and Trump, the relationship between Russia and the United States and the security posture of our country. At least it kicked that back up again. And I hope that people stick with it.
So what happens with the future of cybersecurity policy? You were saying on stage you don’t think this is an issue that Trump is going to take seriously.
He may claim to take it seriously. The problem is he gets caught coming around the barn, because the more he wants to dig into this, and try to come up with real solutions, the more open he is to the kind of inquiry that I was suggesting we really need. I don’t think he has an interest in having the story really told.
You had a bit in the Clinton campaign platform about cybersecurity and the need to establish norms for engagement in this space. Is the appropriate response to hack back?
Hillary was, as Secretary of State, engaged with the Russians to some extent on this. It became a major topic with the Chinese as well, and she was the first person to really press on that. Obama had some progress with President Xi in terms of pushing particularly on the commercial theft side of cybersecurity. Had she been elected and was in office, I think she would have kept the pressure on trying to create some global norms.
Another point that was made on the panel — there’s going to be espionage. They’re going to try to learn about what we’re doing, we’re going to try to learn about what they are doing. Whether that becomes an important agenda item for [Secretary of State Rex] Tillerson, I don’t know. It’s a little bit harder to imagine President Trump sitting across the table from President Xi and having a deep conversation about this, but I’m biased.
The Clinton campaign and the DNC got made fun of a bit for being bad at cybersecurity. How do you feel about seeing Sean Spicer possibly tweeting his password?
[laughs] I’ll leave it to Melissa McCarthy to comment on that. I don’t think I can add anything to what she seemed to say.
I’ll ask a more serious question then. You were talking about there being nothing really sexy in your emails. The one thing people felt like was the bombshell was her speeches. If you had known that they would leak in this way, do you think that would have changed the earlier decision to not release them?
It’s hard to think about that with 20/20 hindsight. The truth is, even in that case, there wasn’t really that much in those. She was saying to those audiences what basically she was saying publicly. Now the press decided to hype up a sentence here or there. But she was actually pretty tough on Wall Street in the Wall Street speeches and I don’t think the coverage reflected it. But I think if you go back and look at the speeches, what she was saying publicly and what she was saying privately was basically the same. What it did give the opportunity for the Trump campaign to do was to essentially dissemble about what was in them. And I think that probably hurt us. If I knew there’d be a leak, I probably would have put them out earlier.
You’re saying there’s not a lot there that she wouldn’t say publicly, but if that’s the case, why not release them and say, ‘See, there’s nothing here’?
I’ll tell you why — it goes to the quality and the context of the coverage of this election from the beginning. From the time she announced, there was the hyperventilation off of relatively inconsequential stuff as opposed to trying to have a real conversation with people about where things were going. We would have just been fighting with our press corps for 30 days about the meaning of speeches she gave in 2013. In retrospect, it probably would have been better to fight about that in June or July than it was in October. But the double standard by which she was covered versus Trump was covered was something that was just part of the landscape of our campaign. We made judgments that obviously weren’t all the right judgments, but we made judgments based on understanding what that was going to feed.
What will you do now? Will you become the poster child for fixing cybersecurity?
I hope not. I think that I am depressed, upset, and energized by the first weeks of the Trump presidency. I’m teaching at Georgetown Law School but I’ll try to find a way to contribute to make sure that the worst excesses of Trump are blunted and democratic realities are upheld. I think this is now a global phenomenon; I’ll stay in touch with my friends in Europe and see what they’re up to and going through. If nothing else, the Russians have to feel empowered by what happened. This is probably the best money they ever spent.
This interview has been condensed and edited for clarity.