Brown Hat Security - Phishing the Government

The CISO of the Department of Homeland Security made a statement which the information security world has found to be somewhat controversial.

He is quoted in the above-linked article as saying:

"Someone who fails every single phishing campaign in the world should not be holding a TS SCI [top secret, sensitive compartmentalized information—the highest level of security clearance] with the federal government," stated Beckman. "You have clearly demonstrated that you are not responsible enough to responsibly handle that information."

Backlash from Infosec

This resulted in quite a bit of backlash amongst many infosec professionals, who regarded this statement as blaming the victim and thought that a more appropriate response would be to institute technological controls to handle the situation rather than relying on user training.

User training itself is considered to be time and money wasted by some sources as a matter of general principle.

Why Government Differs from Industry

Part of this backlash is, I think, due to the perception that much of the information security industry has of the usual causes and goals of phishing. In the commercial and home-user sectors, phishing's usual goals and motivations are typically either that of gaining access to accounts (email, bank, facebook, or what have you) or of attempting to install malware to recruit the user's computer into a botnet.

In the cases where the phishing is targeted - so-called "spearphishing" - the goal is generally to compromise a high-value individual to gain access to company resources. This is similar to the untargeted version, but for bigger stakes - the corporate email server for a large spam campaign leveraging the corporation's trust, for example, or access to the company bank accounts to authorize a large transfer.

These motivations change greatly when government is concerned.

Phishing the Government

Government is subject to all the same attacks as industry, true. There is, however, a different goal for many government-targeted phishes: that of espionage. Phishing may be used as a means of gaining access to government secrets or the asssets of persons having clearances in order to gain access to classified information.

Phishing is remarkably effective for espionage overall; it has a fairly low investment required to carry out a campaign with very high ROI historically. The risks involved for the phishers are very low compared with other methods of elicitation - getting someone to click on a link to a server hosted somewhere bulletproof does not expose the phishers to any real danger; even if their campaign fails and they are detected, they can close down their operation and set up somewhere else with a minimum of fuss and bother.

This compares favorably with the risks required for eliciting information in person - approaching an employee on the street means you can be identified later, and risks one's person being detained by police or security forces.

Security Philosophy

One of the important aspects of information security when it comes to government is that keys are classified at the level of the systems they protect. Or higher! (Warning: powerpoint presentation)

This does (strictly) only apply to keys used to encipher information, true, but does highlight an important part of information security doctrine: a system is only as secure as the weakest component securing it. Just as you would never use a (smaller and lower classified) key to secure highly-classified information, you should not trust large secrets to those unable to secure small ones.

If You Have a Clearance, You Can't Afford Victimhood

By the nature of their work, all government employees and contractors who have security clearances are targeted. By working for government, and by applying for and receiving a clearance, you are implicitly opting in to being the subject of direct, targeted attacks by spies.

This is the reason why many folks, especially in the military, receive explicit counterintelligence training, and why anti-phishing and information security trining is required for those who use computers in their jobs.

Cleared workers cannot afford to fall for phishes, as a core function of their jobs is specifically to keep information secret - and one of the basic skills required to carry out that job successfully is to determine if it is appropriate to discuss or otherwise reveal information that is intended for limited distribution.

Passwords very clearly fall into the category of "things you do not discuss" and "things you need to be careful revealing."

Recognizing that a Problem Exists

An email password may seem like a relatively minor thing to mess up on - many government systems are properly secured by two-factor authentication, after all, and leaking a password in those circumstances will not compromise the overall security of the system if it's properly set up. However, the judgment call that led to the leaking is the thing that is being criticized in this instance.

Just as pre-clearance interviews and questions are designed to determine whether a potential cleared worker is responsible enough to take seriously their responsibilities, and to determine whether or not there are any behavioral factors that would put them at risk of inappropriately revealing classified information, a phishing test reveals whether the cleared worker is capable of recognizing a potential hazard that would lead to them revealing information they should not have revealed.

Notably, Mr. Beckman isn't recommending removing a clearance for failing a single phishing test.

Instead, he is pointing out that people who habitually are unable to recognize elicitation when they see it are not equipped to perform a necessary job function, and should not be entrusted with that level of responsibility.

This is not blaming the victim; this is recognizing that an individual who is incapable of performing a job function should not be working at a job requiring that function's performance.

Just as you would not hire an illiterate copyeditor, you should not entrust secrets to someone unable to determine when not to discuss them.