Defense and intelligence officials have declined to say what they do to employees who open bad emails described as “phishing” attempts.
“What steps are being taken to deal with phishing in terms of either requiring greater accountability by those who hold those positions who end up clicking, by either punishing them or coming up with some system so that we can anticipate that kind of phishing going on and prevent it?” Rep. Jackie Speier, D-Calif., asked officials at a House Armed Services Committee hearing Wednesday.
“I won’t go into the specifics of what has been imposed,” said Terry Halvorsen, the Chief Information Officer at the Department of Defense. “We have upped the level of accountability on that, and actions have been taken on people who have misbehaved.”
“We have increased the training frequency … and we have taken certain actions on the networks to eliminate the ability to click on links, and at a minimum we have a warning on there now that you must think about this link,” he said. “And in some cases, again, I won’t specifically … you can no longer click on links via any of our networks.”
Admiral Mike Rogers, commander of U.S. Cyber Command and head of the National Security Agency, added that agencies have taken extensive measures to remedy the problem. “I’ve implemented nine specific technical changes where, quite frankly, I’ve told users now I’m going to make your life harder if this is what it takes to drive a change in behavior, I will make your user life harder to try to preclude this from happening.”
Rogers did not describe what those changes were.
Phishing is a method of hacking in which a perpetrator sends an email to a victim that appears to come from someone the victim knows or trusts. The victim opens the email and usually clicks on a link, which gives the hackers a way into their system. The technique has enabled some of the worst system breaches in U.S. history.
It has become an especially critical problem since more than 21 million personnel files were stolen from the Office of Personnel Management earlier this year. The files include information on all of the friends, family members, and associates of people who applied for security clearances with the U.S. government.
“The OPM hack was devastating,” Speier said. “It’s clear that China did it, they denied it, it’s also very clear that they now have very personal information about many persons with top secret status … whether it’s Russia or China, access to personal information is such that … they then can pretend they are your family member or next door neighbor.”
Earlier this month, Paul Beckman, the Chief Information Security Officer at the Department of Homeland Security, mentioned at least one measure that officials have taken, which is phishing his own employees. “I am sending them phishing emails,” he said. “I don’t want to raise awareness; I want to raise paranoia.” Yet based on Wednesday’s proceedings, it remains unclear what happens to employees who fail.