LAS VEGAS — When Democratic state chairs gathered here in Las Vegas, they were met with a stern warning from the party's new chief technology officer: When it comes to cybersecurity, Raffi Krikorian told them in a meeting, "you gotta up your game."
Krikorian, a leading Silicon Valley engineer who joined the Democratic National Committee as CTO this summer, has been working for months to strengthen electronic security at the party's headquarters in Washington, leading an ongoing internal assessment that will shape DNC protocol on email management and move staffers toward more office-wide encrypted messaging.
This week, at the DNC fall meeting in Las Vegas, he gathered state chairs in one room to talk about the hacks that compromised Democrats in 2016 and could pose a threat to 57 party committees across the country, some of whom are dragging far behind in their own security practices, according to Krikorian.
"The problem is that it's a pretty big spread. Some state parties are pretty on top of it," he said in an interview.
"On the other end of the scale — and I'm not gonna name names — there are definitely state parties that will get on the phone with me and I'll be like, 'Wait, what? Can you say that one more time?' That's really a problem. There are 57 of them and the spread is pretty big."
The 39-year-old former Twitter and Uber engineer cited the Minnesota Democratic Party as one state that is "seriously on top of all this stuff." The party there has hired a security firm and has worked to strengthen its email management, he said.
Within the DNC, the national arm of the Democratic Party, Krikorian has tried to create a far-sweeping "culture change" around cybersecurity, increasing education, implementing regular simulated phishing attacks, moving the office's email management to cloud services, and weighing a move to what's known as end-to-end encryption for chat, voice, and video communication. The other Democratic committees have already made the move to Wickr, an end-to-end encryption software for the workplace that makes messages indecipherable to third parties.
When it comes to the states, however, the DNC has no authority over those party entities. "My ideal world is that we're all on the exact same systems: that we all just use the same technology, and we're all in the same place," he said. "But the reality of the situation is that I don't have control of state parties. All I can do is make really stern recommendations."
One of those ideas: simulated phishing attacks for state parties. The reception to that idea and others, Krikorian said, was largely positive, noting that state party chairs in the audience took pictures of his presentation and reached out to him afterward.
Until a state party is secure, Krikorian said, he has instructed DNC staffers to communicate with them using apps like Signal rather than by email. "If I know they haven't implemented a lot of stuff, by default we have to treat them effectively adversarial when it comes to electronic communication," he said. "Do not trust anything that comes over the email lines."
"Even if I secure my boundary, if one of them have a problem, they might be a way in."
Krikorian said since he joined the DNC earlier this year, he's known of no state parties have been hacked or compromised. "I don't think anyone's explicitly been, but at the same time, it's arms race," he said. "It's just a matter of time. The DNC is constantly under some form of attack in some way. Generally, you assume that everyone is a target in this world."
"It's the world we live in," he said. "Good times."