
ICE Hacked Its Own Employees to Teach Self-Defense in Cyberspace


One federal agency is replacing workforce security awareness tutorials with real-world hack attempts to test employee reflexes. So far, 80 percent of the personnel trained have successfully fought off potential cyberspies.

The "social engineering" prevention initiative has earned Immigration and Customs Enforcement a nomination for cyber trade group (ISC)2's 10th annual Oscars of the federal sector, the Government Information Security Leadership Award. GISLA winners are scheduled to be announced on Tuesday night. 

ICE's program focuses on a cyber hazard that is difficult to tackle: human nature. Social engineering involves tricking individuals into divulging sensitive information that can be used to override computer protections.

To immunize employees against these threats, a handful of agency security personnel call everyone from administrative assistants to senior executives and convince them to say their computer passwords. They send “phishing” emails with links to credential-stealing forms and ask that office managers snoop around desks for thumb drives lying around.

Self-defense training, which includes in-person workshops, is voluntary right now. Of the 5,000 employees who have undergone coaching since winter 2012, only about 20 percent fell for the ruses, program officials said. By contrast, half of the uninitiated were about to spill usernames and passwords until the testers cut them off.

“We want to instill into our employees a healthy sense of paranoia,” said Chuck Mader, ICE regional information assurance manager program lead. “They have to be cognitive that they are targets and to question that email that comes in that they weren’t expecting.”

Basically all government employees are social engineering targets, security researchers say. White House staffers recently had their personal Gmail accounts hacked after they received phishing emails with links, labeled to look like legitimate BBC or CNN articles, that directed users to an authentic-looking Gmail or Twitter login screen for full article access. The fake login forms stole their credentials.

Incidents like this one are the reason ICE also educates personnel on how to fend off social engineering in their private lives. “That conversation on the Metro” subway car with a stranger “is very informative for someone who is looking to cause harm to the agency,” said Alex Ruiz, director of ICE's security authorization and risk management branch. Someone “knowing where you work and what building you’re in” by eyeing an ICE badge hanging from a bag is just as risky “as not securing and locking down your computer.”

ICE officials insist the goal of the bogus emails and calls is to assess employees’ responses, not ridicule them. There are "no repercussions or recourse. The only information we collect is anonymized statistical information so we can measure the outcome. We have to be careful from a government perspective with unions," Mader said.

If employees start to disclose information over the phone, program officials ask that they immediately reset their credentials to get in the habit of reducing the risk should they make the same mistake during a real attack.

The phishing emails teach similar lessons.

If they were to click on the link in the message, “it takes them to a dummy webpage that says, ‘You should not have clicked the link, and this is how you handle it in the future: Contact the service desk, etc.,’” Mader said.

All ICE employees are equally susceptible to social engineering, according to program officials.

Agents investigating virtual currency fraud, for instance, are just as vulnerable as “a clerk who is handling financial documents regarding a future contract award,” Mader said. By teasing out information from the ICE worker, a company could gain an unfair advantage during the competition for the job, agency officials said.

The main challenge for the social engineering instructors today is a limited audience.  

Training is not required and some personnel work in different time zones overseas. Covering 5,000, or about 13 percent, of the agency's 40,000-person workforce "doesn’t sound like a lot but most of that has been done in person,” said Maureen Premo, head of the social engineering training program and one of two employees dedicated full-time to the initiative.

To reach personnel abroad, program officials said they might offer recorded sessions through the agency’s virtual university for on-demand viewing.

Tuesday's awards incidentally coincide with National Cyber Security Awareness Month. (ISC)2 Executive Director Hord Tipton said in a statement that “the accomplishments of this year’s GISLA finalists demonstrate the exceptional skill and commitment to excellence that is required to stay one step ahead in this increasingly complex security environment.”

