Fed Tech

Brought to you by: CDW-G

Want to Stop a Cyberattack? Try a Fake Phishing Scam to Train Your Employees

There’s never been a better time to be a cyberspy attacking the government — or a busier time for anyone whose job is to keep them at bay.

The past two years have included some of the worst data breaches in the country’s history, including hacks at the intelligence community and across several civilian agencies.

As cyberthreats expand and the United States becomes a more tempting target, federal IT workers find themselves in the crosshairs.

“All you need to become a legitimate threat is an internet-connected device, a search engine to access online training, and malicious intent to present a threat to others,” said Gregory Touhill, who was appointed the United States’ first federal CISO in September.

Few agencies are more familiar with this predicament than the Department of Homeland Security. With a network of 250,000 employees and 350,000 users spread across 17 agencies, DHS is a virtual bull’s-eye for the bad guys.

Jeff Eisensmith, the CISO at DHS, says attackers come in all shapes and sizes and with varying levels of finesse. The spectrum runs from political activists and script kiddies (those who hack using existing scripts rather than writing their own) to organized criminals and nation-state saboteurs with the means to launch sophisticated, persistent attacks.

Photo credit: Jonathan Timmes 

In response, DHS deploys a “defense in depth,” following the guidelines contained in the Cybersecurity National Action Plan (CNAP) released by the White House in February 2016.

This means, on top of all other security measures, department employees receive a federally compliant Personal Identity Verification card to access secure facilities and log in to DHS networks. Protection software scans each email message three times to eliminate potential threats, and then sandboxes and examines suspicious attachments for malicious code. Intrusion detection systems filter the flow of network packets looking for anomalies; endpoints are hardened, and data on mobile machines is encrypted. Any new device attempting to connect is quarantined and examined before a security officer will allow it to log on to a network.

DHS also relies on “red team” exercises with the National Protection and Programs Directorate, probing for weaknesses and applying patches before potential enemies exploit them.

“You can’t just rely on one layer,” Eisensmith says. “Everything has to work as a synchronous machine.” But the human element remains the weakest link in building an impenetrable defense.

Going on Phishing Expeditions to Target Users

Eisensmith says the biggest threat to DHS is spear phishing: targeting specific individuals with cleverly crafted emails designed to steal their access credentials.

“With the breach of OPM, credit card and healthcare records, there’s a large amount of information available about us for an attacker to use,” he says. “It would not be difficult to craft a spear phishing attack that’s hard to detect.”

DHS’s solution is to create a savvier workforce. Several times each year, the agencies send faux phishing emails to their employees. Feds who click the links in the emails are pushed to a website where they’re taught how to distinguish between a legitimate message and a malicious one. Employees who continue to be duped receive additional training and may lose some of their access privileges, Eisensmith says.

The system appears to be working. The number of successful spear phishing attacks has declined in the past year, he says — in part because DHS has kept more of them out of employee inboxes and in part because users are better at recognizing them.
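As an added example (not code from the article, from DHS, or from FedTech), the short Python script below tracks the outcome of a simulated-phishing programme like the one Eisensmith describes: each campaign sends a faux phishing email, every clicker is sent to a training page, and users who keep clicking across campaigns are escalated to additional training and then to an access-privilege review. It also computes the per-campaign click rate, which is the "users are better at recognizing them" signal from the paragraph above. The campaign log is constructed sample data, and the escalation thresholds are assumptions, not DHS policy.

```python
"""Added example: scoring a simulated-phishing programme.

The CAMPAIGN_LOG below is constructed sample data; the escalation ladder in
remediation_tier() is an assumed policy, not the one DHS uses."""

from collections import defaultdict

# Constructed sample data: (campaign_id, send_date, user, clicked_the_lure)
CAMPAIGN_LOG = [
    ("2016-Q1", "2016-02-10", "alice", True),
    ("2016-Q1", "2016-02-10", "bob", True),
    ("2016-Q1", "2016-02-10", "carol", False),
    ("2016-Q1", "2016-02-10", "dave", True),
    ("2016-Q2", "2016-05-18", "alice", True),
    ("2016-Q2", "2016-05-18", "bob", False),
    ("2016-Q2", "2016-05-18", "carol", False),
    ("2016-Q2", "2016-05-18", "dave", True),
    ("2016-Q3", "2016-08-22", "alice", True),
    ("2016-Q3", "2016-08-22", "bob", False),
    ("2016-Q3", "2016-08-22", "carol", False),
    ("2016-Q3", "2016-08-22", "dave", False),
]


def remediation_tier(click_count: int) -> str:
    """Assumed escalation ladder keyed by how many campaigns the user clicked in.

    1 click: the just-in-time training page every clicker lands on
    2 clicks: additional training is assigned
    3+ clicks: additional training plus a review of the user's access privileges
    """
    if click_count == 0:
        return "none"
    if click_count == 1:
        return "training-page"
    if click_count == 2:
        return "additional-training"
    return "access-review"


def click_counts(log):
    """Number of distinct campaigns in which each recipient clicked the lure."""
    clicked = defaultdict(set)
    users = set()
    for campaign, _date, user, did_click in log:
        users.add(user)
        if did_click:
            clicked[user].add(campaign)
    return {u: len(clicked[u]) for u in users}


def remediation_plan(log):
    """Map each recipient to the remediation tier their click history warrants."""
    return {u: remediation_tier(n) for u, n in click_counts(log).items()}


def click_rate_by_campaign(log):
    """Fraction of recipients who clicked, per campaign, in send order.

    A falling series is the sign that users are getting better at spotting
    the lures; a flat or rising one says the training is not landing."""
    sent = defaultdict(int)
    clicked = defaultdict(int)
    order = []
    for campaign, _date, _user, did_click in log:
        if campaign not in sent:
            order.append(campaign)
        sent[campaign] += 1
        clicked[campaign] += int(did_click)
    return [(c, clicked[c] / sent[c]) for c in order]


def is_improving(rates):
    """True when no campaign's click rate is higher than the one before it."""
    return all(b <= a for (_, a), (_, b) in zip(rates, rates[1:]))


if __name__ == "__main__":
    for user, tier in sorted(remediation_plan(CAMPAIGN_LOG).items()):
        print(f"{user:6s} -> {tier}")
    rates = click_rate_by_campaign(CAMPAIGN_LOG)
    for campaign, rate in rates:
        print(f"{campaign}: {rate:.0%} clicked")
    print("trend improving:", is_improving(rates))
```

Counting distinct campaigns rather than raw clicks matters: a user who clicks the same lure twice in one campaign has made one bad decision, not two, and escalating on raw clicks would punish curiosity about a page they had already been trained on. The trend check is deliberately strict (monotone non-increasing) so a single regression between campaigns is flagged rather than averaged away.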

“You’ve got to work with the users and help them understand,” he says. “You don’t want to paralyze them into a state of fear, but you want them to develop a healthy sense of paranoia so they think things through before they act.”

Tomorrow’s Cyberattacks, Yesterday’s Technology

Agencies face an additional level of difficulty in fighting cyberthreats because of complex federal procurement processes and lengthy vendor approval procedures, says Avivah Litan, vice president and distinguished analyst for Gartner Research. That makes it harder to deploy the latest and greatest technology.

As a result, defense and intelligence agencies tend to be ahead of their civilian counterparts, she says, largely because they have more money to devote to the cause. And while cyberdefense gets more expensive every year, the cost curve is moving in the opposite direction for attackers, Touhill says.

“The cost to attack networks has decreased over the years, while the cost to defend them has increased,” he says.

Worse, many agencies are saddled with aging, highly vulnerable IT systems. Maintaining these legacy machines is expected to consume nearly 80 percent of the federal government’s $82 billion technology budget this year.

In April, the White House formally proposed a $3.1 billion IT Modernization Fund to replace older systems with more secure modern hardware; at publication time, Congress had yet to approve the spending measure.

“We have too many antiquated computer systems that are increasingly expensive to maintain and difficult to defend,” says Touhill, who resigned in January before the new administration took over. “The time to modernize is now, and the IT Modernization Fund provides the way forward.”

Since the massive OPM breach, which exposed the personal data of some 22 million current and former federal employees, the government has taken repeated steps to shore up its defenses — from kicking off the continuous monitoring of potential attacks to improving how agencies coordinate their response to cyberincidents. But much work remains.

How to Guard Against Phishing Attacks 

Government CISOs are especially conscious of phishing and distributed denial of service attacks, which have created significant security concerns in recent years.

Phishing attacks are growing more sophisticated and complex, Touhill says. To combat that trend, agencies are holding more regular training exercises on responding to breaches. Some agencies are also segmenting their systems so that even if attackers gain entry to one part of a network, they won’t be able to access all of the information the organization stores.

As an extra precaution, agencies are conducting regular training for administrators to help identify vulnerabilities.

However, Touhill says early notification from employees that something on federal networks may be awry — essentially, the digital equivalent of “if you see something, say something” — is an important indication from users that an attack may be imminent.

“We all need to be focused on the goal of supporting an open and transparent government that protects the people’s information while preserving privacy, civil rights and civil liberties,” Touhill says. “We can only achieve that if we harden the workforce, treat information as an asset, do the right things the right way, continuously innovate and invest wisely, and make informed cyber-risk decisions at the right level.”

This content is made possible by FedTech. The editorial staff of Nextgov was not involved in its preparation.
