Enlisting white-hat hackers to send phishing emails to agency employees could help those staffers become more fluent in cybersecurity fundamentals, according to one agency's top technologist.
When staffers inevitably get caught, they learn a valuable cybersecurity lesson without the real-world consequences, explained Environmental Protection Agency Chief Technology Officer Greg Godbout during Wednesday's ACT-IAC General Membership meeting.
The meeting in Washington, D.C., involved a discussion on the trade group’s Cybersecurity Innovation Initiative. Launched in July, ACT-IAC identified eight of the government’s most pressing cybersecurity challenges and invited the public to submit solutions.
Two days before the open submission period closed, the website for the initiative had received almost 150 proposals, said Dan Chenok, executive director of the IBM Center for the Business of Government and former IAC chair.
The group distilled five key themes out of these proposals, including the fact there is no such thing as too much cybersecurity training and there is a vital need for more effective cybersecurity information sharing, Chenok said during the meeting.
But information sharing can be tricky, Godbout said.
He gave the example of a time he helped discover an agency breach involving a piece of software that opened a port, allowing anyone access to the site. He and his team had no place to alert others to the problem. But even if they had, it would have been difficult to trust anyone with the information, he said.
“You don’t have it fixed yet and the more you're sharing to a wider network of people, you're basically running up a flag that you can get behind here; come attack me,” Godbout said. “We've got to figure out some way that that’s a trusted group of people.”
Addressing fundamentals was also a main point of discussion. Rory Schultz, deputy chief information officer at the Agriculture Department, suggested agencies simply strip HTML from their sites, so that links are no longer clickable and a thoughtless click cannot carry a user anywhere.
“That way, you’ve got to cut and paste if you really want to get to that site,” he said. “I know USDA is considering doing this … It's a way to save people from themselves.”
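What such stripping looks like in practice, as an added example that is not code from the article, ACT-IAC or USDA: the function below converts an HTML message body to plain text so that no link is clickable, rewrites every anchor as its visible text followed by the real destination in angle brackets, and flags anchors whose visible text is itself a URL that points to a different host, a common phishing tell. The sample email, host names and function names are constructed for the demonstration.

```python
"""Strip HTML from a message so no link is clickable, while keeping the
real destination of every link visible.

Added example, not code from the article, ACT-IAC or USDA. It assumes the
message body is an HTML string already decoded to text; the sample email
below is constructed for the demonstration.
"""
from __future__ import annotations

import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

BLOCK_TAGS = {"p", "div", "li", "tr", "h1", "h2", "h3", "h4", "table"}
SKIP_TAGS = {"script", "style"}
# Visible link text that looks like a URL or bare hostname, e.g. www.usda.gov
URL_LIKE = re.compile(r"(?:https?://)?[\w-]+(?:\.[\w-]+)+(?:[/?#]\S*)?", re.I)


def _host(url: str) -> str:
    """Hostname of a URL, tolerating a missing scheme ('example.gov/x')."""
    if "://" not in url:
        url = "http://" + url
    return (urlsplit(url).hostname or "").lower()


class LinkRevealingStripper(HTMLParser):
    """Emit plain text; each <a> becomes 'visible text <real href>'."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.parts: list[str] = []
        self.mismatches: list[tuple[str, str]] = []
        self._href: str | None = None
        self._in_anchor = False
        self._anchor_text: list[str] = []
        self._skip_depth = 0

    def handle_starttag(self, tag, attrs):
        if tag in SKIP_TAGS:
            self._skip_depth += 1
        elif tag == "a":
            self._in_anchor = True
            self._href = dict(attrs).get("href")
            self._anchor_text = []
        elif tag == "br" or tag in BLOCK_TAGS:
            self.parts.append("\n")

    def handle_endtag(self, tag):
        if tag in SKIP_TAGS:
            self._skip_depth = max(0, self._skip_depth - 1)
        elif tag == "a" and self._in_anchor:
            self._flush_anchor()
        elif tag in BLOCK_TAGS:
            self.parts.append("\n")

    def handle_data(self, data):
        if self._skip_depth:
            return  # script/style bodies never reach the reader
        text = re.sub(r"\s+", " ", data)  # source line breaks are not layout
        if self._in_anchor:
            self._anchor_text.append(text)
        else:
            self.parts.append(text)

    def _flush_anchor(self):
        text = "".join(self._anchor_text).strip()
        href = (self._href or "").strip()
        self._in_anchor = False
        if not href:
            self.parts.append(text)
            return
        self.parts.append(f"{text} <{href}>" if text else f"<{href}>")
        # Link text that itself looks like a URL but resolves to another host
        # is a classic phishing tell; record it instead of silently rewriting.
        if URL_LIKE.fullmatch(text) and href.startswith(("http://", "https://")):
            if _host(text) != _host(href):
                self.mismatches.append((text, href))


def strip_html(body: str) -> tuple[str, list[tuple[str, str]]]:
    """Return (plain_text, [(link_text, real_href), ...] that disagree)."""
    parser = LinkRevealingStripper()
    parser.feed(body)
    parser.close()
    lines = [ln.strip() for ln in "".join(parser.parts).split("\n")]
    tidy: list[str] = []
    for ln in lines:  # collapse runs of blank lines to a single one
        if ln or (tidy and tidy[-1]):
            tidy.append(ln)
    while tidy and not tidy[-1]:
        tidy.pop()
    return "\n".join(tidy), parser.mismatches


# Constructed sample: the link text names an internal host, the href does not.
SAMPLE_EMAIL = """<html><body>
<p>Dear colleague,</p>
<p>Your password expires today. Please
<a href="http://login-epa.example.net/reset">https://intranet.epa.example.gov/reset</a>
to keep access.</p>
<p>Thanks,<br>IT Service Desk</p>
<script>document.location='http://evil.example/';</script>
</body></html>"""

if __name__ == "__main__":
    text, bad = strip_html(SAMPLE_EMAIL)
    print(text)
    for shown, real in bad:
        print(f"WARNING: link shows {shown} but goes to {real}")
```

Run on the sample, the output contains no tags or script, the only way to reach the reset page is to copy the URL in angle brackets by hand, and the mismatch list records that the displayed `intranet.epa.example.gov` address actually pointed at `login-epa.example.net`. Doing the conversion at the mail gateway rather than in the client keeps the behaviour uniform for every recipient.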
When it comes to the search for technical talent, Godbout suggested agencies lean heavily on competitions to find new recruits. Oftentimes, the best in the field are those least likely to want to go through the government hiring process, he said.
Give everyone who signs up for a challenge a server and instruct them to break into it, Godbout suggested. The organizers can then score participants, rank them and release the names of the top 50 contestants so all agencies know whom to hire.
ACT-IAC expects to include all recommendations in a report it will present to the Office of Management and Budget and the Federal CIO Council on Sept. 30.