The government has a phishing problem. The method hackers use to enter federal IT systems, luring users into clicking bogus links, has led to massive data breaches, and now lawmakers want to ensure agencies are doing something about it.
"What steps are being taken to deal with phishing in terms of either requiring greater accountability by those who hold those positions who end up clicking, by either punishing them or coming up with some system so that we can anticipate that kind of phishing going on and prevent it?" Rep. Jackie Speier (D-Calif.) asked Defense Department officials at a Sept. 30 House Armed Services Committee hearing.
The officials generally declined to go into specifics, but they did offer a glimpse into the measures being implemented to stamp out successful phishing attacks.
"We have taken certain actions on the networks to eliminate the ability to click on links, and at a minimum we have a warning on there now that you must think about this link," said DoD CIO Terry Halvorsen. "And in some cases … you can no longer click on links via any of our networks."
That would appear to be the majority of cases, at least when the emails are coming from outside of DoD networks and contain links. Emails to .mil addresses that originate from non-DoD senders that contain hyperlinks are automatically headed with the following message:
"This email was sent from a non-Department of Defense email account, and contained active links. All links are disabled, and require you to copy and paste the address to a Web browser. Please verify the identity of the sender, and confirm authenticity of all links contained within the message."
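The gateway rule described above, as an added example that is not taken from the article or from any DoD system: a Python function that applies it to a raw message, prepending the banner and disabling the links only when the sender is external and the body actually contains hyperlinks. Assumptions: INTERNAL_DOMAINS stands in for the real domain list, the From: header stands in for the gateway's envelope-level sender check, and links are disabled by breaking the URL scheme so clients stop auto-linking them.

```python
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Assumption: stand-in for the gateway's list of trusted internal domains.
INTERNAL_DOMAINS = {"example.mil"}

# Banner text as quoted in the article.
BANNER = ("This email was sent from a non-Department of Defense email account, and "
          "contained active links. All links are disabled, and require you to copy and "
          "paste the address to a Web browser. Please verify the identity of the sender, "
          "and confirm authenticity of all links contained within the message.")

URL_RE = re.compile(r"\bhttps?://[^\s<>\"']+", re.IGNORECASE)
ANCHOR_RE = re.compile(r"<a\b[^>]*?\bhref\s*=\s*[\"']([^\"']+)[\"'][^>]*>(.*?)</a>",
                       re.IGNORECASE | re.DOTALL)

def is_external(msg) -> bool:
    """Sender check. Assumption: a real gateway keys this off the SMTP envelope
    and authentication results, not the forgeable From: header used here."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower() not in INTERNAL_DOMAINS

def defang(url: str) -> str:
    """Break the scheme so mail clients stop auto-linking; the address stays
    readable so the recipient can still copy and paste it deliberately."""
    return url.replace("://", "[:]//", 1)

def disable_links(body: str, is_html: bool) -> str:
    """Turn <a href> into 'text [url]' in HTML, then defang every bare URL."""
    if is_html:
        body = ANCHOR_RE.sub(lambda m: f"{m.group(2)} [{m.group(1)}]", body)
    return URL_RE.sub(lambda m: defang(m.group(0)), body)

def neutralize_external_links(raw: str):
    """Gateway rule from the article: external sender AND hyperlinks present
    -> prepend the banner to every text part and disable the links."""
    msg = message_from_string(raw, policy=default)
    parts = [p for p in msg.walk() if p.get_content_maintype() == "text"]
    if not (is_external(msg) and any(URL_RE.search(p.get_content()) for p in parts)):
        return msg  # internal sender or no links: deliver unchanged
    for part in parts:
        subtype = part.get_content_subtype()
        body = disable_links(part.get_content(), subtype == "html")
        head = f"<p>{BANNER}</p>\n" if subtype == "html" else BANNER + "\n\n"
        part.clear_content()  # drop old Content-* headers before re-setting
        part.set_content(head + body, subtype=subtype)
    return msg
```

A production gateway would apply the same rule after envelope and SPF/DKIM evaluation, and log which messages were rewritten so that clicked-through reports can be traced back to the original sender.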
In addition to raising the level of awareness and increasing the number of steps a user must take to access a given website, Halvorsen as well as Adm. Mike Rogers, commander of U.S. Cyber Command and director of the National Security Agency, said they've upped the ante when it comes to accountability and security culture.
"I've implemented nine specific technical changes where, quite frankly, I've told users now I'm going to make your life harder if this is what it takes to drive change in behavior," Rogers said at the hearing. "I will make your user life harder to try to preclude this from happening."