Nearly six months removed from the OPM hack, and with many government departments still reeling when it comes to security, several federal chief information security officers volunteered a handful of new ideas at last week's Billington Cybersecurity Summit in Washington, D.C., to combat future hacks and improve overall security in the private sector.
One federal CISO, noting the continued naivety of some government employees, stressed that there should be stricter punishments for those repeatedly tricked by phishing emails, including one that would strip offenders of their security clearance.
The Department of Homeland Security’s CISO Paul Beckman discussed his plan during a panel at the conference last week, according to Defense One.
Beckman told the crowd that he periodically sends his own staff bogus-looking phishing emails to see who falls for them, and that a handful of higher-ups, senior managers, and other VIPs often do, repeatedly.
The tests aren’t even that difficult, Beckman insisted.
“These are emails that look blatantly to be coming from outside of DHS – to any security practitioner, they’re blatant, but to these general users, you’d be surprised at how often I catch these guys,” Beckman told the crowd.
Those who fail the test have to take a mandatory online security training class, but Beckman is campaigning for chronic offenders to lose their top secret security clearance.
“Someone who fails every single phishing campaign in the world should not be holding a TS SCI with the federal government,” Beckman told Defense One. “You have clearly demonstrated that you are not responsible enough to responsibly handle that information.”
“There are no repercussions to bad behavior, there’s no punitive damage, so to speak. There’s really nothing to incentivize these people to be aware, to be diligent.”
The concept is still in its beginning stages, Beckman says, adding that he still needs to discuss the plan with other CISOs, some of whom simply view phishing tests as a training exercise.
Department of Homeland Security’s CISO Paul Beckman
Some critics have called out Beckman’s stance as too rash and reactive, including a security expert who points out that threatening to take away an employee’s security clearance could cause a good deal of unwanted anxiety, and who believes the DHS should explore other avenues first.
Adam Shostack, a former Microsoft Principal Program Manager and the author of Threat Modeling: Designing for Security, wrote in the Emergent Chaos blog Monday that, before punishing an employee for a human response like engaging with a phishing email, the government should look into multi-factor authentication for federal logins, or email clients that make spotting phishing emails easier.
“They could, I presume, do other things which minimize the request on the human being,” Shostack wrote in the blog, pointing out that the government is having a difficult time as it is hiring cybersecurity experts.
“My understanding is that those who work for the government already have enough things drawing on that budget. Making people anxious that they’ll lose their clearance and have to take a higher-paying private sector job should not be one of them,” Shostack wrote.
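The kind of mail-client aid Shostack points to can be as simple as tagging messages whose visible sender sits outside the organisation, the very property Beckman says his test emails wear on their sleeve. The following Python is an added illustration, not code from the article, DHS or Shostack: it parses a raw RFC 5322 message, flags an external From domain and a Reply-To that diverges from it, and prepends a banner so a general user sees what a security practitioner sees. The organisation domain `example.gov` and both sample messages are constructed for the example.

```python
"""External-sender tagging for a mail client: a toy version of the aid described above.

Parses a raw RFC 5322 message with the standard library, decides whether the
visible sender is outside the organisation, and prepends a warning banner.
The domain below and the sample messages are constructed placeholders.
"""
import email
from email import policy
from email.utils import parseaddr

ORG_DOMAIN = "example.gov"  # assumed organisation domain (placeholder)

# Constructed sample: a lookalike domain and a Reply-To pointing elsewhere.
PHISH_SAMPLE = (
    "From: IT Helpdesk <helpdesk@example-gov.test>\n"
    "Reply-To: reset@mailbox-collector.test\n"
    "To: analyst@example.gov\n"
    "Subject: Password expiry notice\n"
    "\n"
    "Your password expires today. Confirm your credentials at the link below.\n"
)

# Constructed sample: ordinary internal mail that should pass untouched.
INTERNAL_SAMPLE = (
    "From: Paul Colleague <p.colleague@example.gov>\n"
    "To: analyst@example.gov\n"
    "Subject: Agenda for Thursday\n"
    "\n"
    "Draft agenda attached in the shared folder.\n"
)


def sender_domain(header_value: str) -> str:
    """Lower-cased domain of the address in a From/Reply-To header ('' if absent)."""
    _, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def classify(raw: str, org_domain: str = ORG_DOMAIN) -> dict:
    """Return a verdict dict: external sender, Reply-To mismatch, and human-readable reasons."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_dom = sender_domain(msg["From"])
    reply_dom = sender_domain(msg["Reply-To"]) if msg["Reply-To"] else from_dom
    # A subdomain of the organisation counts as internal; anything else is external.
    external = from_dom != org_domain and not from_dom.endswith("." + org_domain)
    reply_mismatch = reply_dom != from_dom
    reasons = []
    if external:
        reasons.append(f"sender domain {from_dom!r} is outside {org_domain}")
    if reply_mismatch:
        reasons.append(f"Reply-To domain {reply_dom!r} differs from the From domain")
    return {"external": external, "reply_mismatch": reply_mismatch, "reasons": reasons}


def tag(raw: str, org_domain: str = ORG_DOMAIN) -> str:
    """Return the message unchanged if clean, else with a banner in the subject and body."""
    verdict = classify(raw, org_domain)
    if not verdict["reasons"]:
        return raw
    msg = email.message_from_string(raw, policy=policy.default)
    banner = "[EXTERNAL] " + "; ".join(verdict["reasons"]) + "\n\n"
    body = msg.get_content()  # text/plain body of this single-part message
    msg.set_content(banner + body)
    subject = msg["Subject"] or ""
    del msg["Subject"]
    msg["Subject"] = "[EXTERNAL] " + subject
    return msg.as_string()


if __name__ == "__main__":
    print(tag(PHISH_SAMPLE))
    print(tag(INTERNAL_SAMPLE))
```

The banner is deliberately based on what the user can already see (the From and Reply-To headers) rather than on hidden authentication results, so that the same cue that makes the message "blatant" to a practitioner is spelled out for everyone else; a production client would combine it with SPF/DKIM/DMARC results and a trusted-sender list.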
It’s unclear whether the Office of Personnel Management has actually begun sending data breach letters to the 21.5 million workers impacted by this spring’s breach. Three weeks ago the agency said it would begin sending letters to those affected via the U.S. Postal Service “later this month.” Ironically, not long after the OPM hack was disclosed, many federal employees mistook genuine government notification emails for phishing scams, confusion that prompted the Department of Defense to halt its email notification program.
Elsewhere, across the Anacostia, the Department of Defense announced last week that it is planning to build a large electronic system that it hopes will eventually act as an automated “scorecard” to keep track of vulnerabilities across its networks.
Lieutenant General Kevin McLaughlin told a group of journalists at Billington that U.S. Cyber Command is in the process of assembling the system, but the framework around it won’t be finalized for another few months.
Once it’s off the ground, the system would automatically detect and respond to cyberattacks in the military’s networks and weapons systems, and ideally prioritize how fixes are applied, McLaughlin claimed.
The idea behind the so-called “scorecard” surfaced several months ago, McLaughlin told Reuters last Thursday, following a report penned by Michael Gilmore, the Pentagon’s director of testing and evaluation, that stressed every major U.S. weapons system was vulnerable to cyberattacks.
“There’s probably not enough money in the world to fix all those things, but the question is what’s most important, where should we put our resources as we eat the elephant one bite at a time,” McLaughlin said.
Photos by Nathan Mitchell, courtesy Billington Cybersecurity Summit