teach a man to phish —

DHS infosec chief: We should pull clearance of feds who fail phish test

Repeat offenders "should not be holding a TS SCI with the federal government."

Paul Beckman, the DHS' chief information security officer, thinks repeat phishing failures should get an employee's clearance pulled.
Department of Homeland Security

In the wake of the Office of Personnel Management hack this year, which reportedly took advantage of a phishing attack to steal credentials used to gain access to highly sensitive personnel records, US federal agencies have been increasing their security training and employee testing around phishing. In addition to the employee awareness campaign launched by the National Counterintelligence and Security Center, more agencies are using security auditing tools that simulate phishing attacks against employees to test whether the employees abide by their information security training. Those who fall for phishing tests are generally either required to take a security refresher class or at worst are publicly called out for their errors in agency e-mails.

But at least one federal chief information security officer thinks that these steps aren't enough and that repeatedly falling for phishing attempts—fake or real—should have more dire consequences than a slap on the wrist. According to a report from DefenseOne, Department of Homeland Security CISO Paul Beckman said during a panel discussion at a cybersecurity event in Washington last week that he believes it's time to ban those who flunk Phishing 101 from having access to sensitive government data by revoking their clearances.

"Someone who fails every single phishing campaign in the world should not be holding a TS SCI [top secret, sensitive compartmented information—the highest level of security clearance] with the federal government," stated Beckman. "You have clearly demonstrated that you are not responsible enough to responsibly handle that information."

Beckman runs his own phishing tests, and those who fall for the fake phishing emails (by clicking on the enclosed link and entering usernames and passwords) are required to take Internet security training classes. And while the test e-mails he uses are clearly coming from outside of DHS and "to any security practitioner, they're blatant," Beckman said that there are some employees, including senior officials, who continually fall for them. Beckman suggested this is because "there are no repercussions to bad behavior... there’s no punitive damage, so to speak."

To give security policies more teeth, Beckman said he plans to raise the issue with Homeland Security's chief security officer and look for ways to include susceptibility to phishing tests in broader evaluations of employees' fitness to handle sensitive information. The problem is getting much closer attention because one of the potential uses of the stolen OPM data is "coming up with insidious phishing campaigns that look very tailored and very personal to these people," Beckman said.
