Love online coupons? Can’t get enough gaming from your work PC? Do you click every interesting link that lands in your inbox? The Chief Information Security Officer (CISO) at the Department of Homeland Security wants those who fall victim to multiple phishing attacks to lose not just their pride, but their security clearances as well.
During a cybersecurity summit held last week in Washington, Paul Beckman said he regularly sends phishing emails to test his senior staff – and far too many of them fail the test.
“Someone who fails every single phishing campaign in the world should not be holding a TS SCI with the federal government,” he said. “You have clearly demonstrated that you are not responsible enough to responsibly handle that information.”
Guideline M: Misuse of Information Technology Systems
When it comes to losing a security clearance for carelessness online, the government does have one angle it can take. Guideline M: Misuse of Information Technology Systems is one of the 13 adjudicative guidelines used in a clearance determination. It has been applied almost exclusively in cases where pornography was viewed on a government or workplace computer system, but it also covers sending inappropriate email and similar workplace misconduct. Is clicking on a phishing email in the same category? That would be difficult to argue. The central test in a misuse of IT systems determination is a ‘knowing and willful’ rule violation, and it is hard to establish that an individual ‘knew’ a phishing email was malicious when the whole point of the email was to look legitimate.
Recent announcements, including the revelation that China is building an online dossier of personal information about government employees, have only heightened the caution of clearance holders. It is an important time to remember that ClearanceJobs is a closed ecosystem, exclusively for US-based companies and cleared candidates. That means a connection request sent to you from inside the Cleared Network comes with far more assurance than one arriving in your inbox from an unknown sender.
It Feels Good to be Bad
The primary issue the DHS CISO was pointing to is the current lack of incentive for adhering to government security policies. Outside of annual security training, little is said about how government IT systems should or shouldn’t be used (as the 15,000 or so .gov and .mil email addresses found in the Ashley Madison database made clear). While it is good practice not to mix business with pleasure, that practicality often falls by the wayside for government professionals who may not even be allowed to access personal email from their government offices. When you want to spend your lunch hour looking at Aunt Betsy’s vacation pictures or doing a bit of online shopping, it is a short step from acceptable personal use to an errant click that opens the gates between your PC and China.
But Wait – Didn’t OPM Make me Easier to Scam?
Yet another problem that won’t go away is the Office of Personnel Management (OPM) breach. OPM announced today, in effect, ‘whoops, we lost 5.6 million fingerprints, not the 1.1 million originally reported.’ With the federal personnel files and security clearance records of more than 20 million people now in China’s hands, spear phishing against clearance holders is going to get far more convincing. Spear phishers now know intimate details about your friends, family, criminal history and habits, and can craft sophisticated attacks tailored to each individual target. The burden of responsibility remains on the user, but a security clearance holder can now make a good argument that he doesn’t just have himself to blame; Uncle Sam has his fair share, too.
Government employees and clearance holders won’t lose their status over a spear phishing email any time soon. But Beckman’s comment is a reminder that in a dangerous web world (the OPM breach itself reportedly began with a phishing email), users will be held more accountable, and current IT policies will need to change. Those changes will likely be manifold: more restrictions on accessing personal websites from work, tighter user privileges, and perhaps a revamp of what the annual security refresher training looks like (and that is one change I can definitely approve of).