NCSC launches phishing awareness campaign

The National Counterintelligence and Security Center has begun a campaign to warn federal employees and their families of the dangers of spear phishing, becoming the latest organization to publicly recognize the threat of targeted, malicious emails.

If “just a few people don’t click the link, it may save a massive breach in the future,” NCSC Director Bill Evanina said Sept. 9 at a conference hosted by the Intelligence and National Security Alliance and AFCEA. The vast majority of significant breaches in the public and private sectors have started with spear phishing, he added.

The counter-spear phishing initiative is part of a broader four-part security campaign from NCSC whose other components will focus on “human targeting,” social media awareness and travel advisories, Evanina said. 

The campaign will feature short videos, posters and literature on the do’s and don’ts for better cyber hygiene, Evanina. The video shown at the conference featured a fat-fingered, unwitting man in a coffee shop clicking on a spear phishing email. His bank account was promptly drained of funding by a hooded hacker, after which a clean-cut man appeared on the screen to sternly warn the viewer not to follow suit.

Evanina said the target audience for the initiative is all Americans. Forty-seven percent of American adults have been victims of a breach in the last year, he said.

The NCSC initiative is part of the government’s cleanup operation after the hack of the Office of Personnel Management that exposed data on 22 million current and former federal employees, contractors and others. Last week, OPM and the Defense Department awarded a $133 million contract to protect the 21.5 million people whose background check data was compromised in the breach. 

The NCSC initiative is in line with a focus from DOD CIO Terry Halvorsen on dulling the impact of phishing and clamping down on poor cyber hygiene. Halvorsen has warned Pentagon employees and their families of the dangers of phishing in an official memo, and is reportedly kicking off DOD networks users who don’t meet cybersecurity standards.

Earlier at the Sept. 9 conference, Director of National Intelligence James Clapper declared the federal system of conducting background checks to be “broken” and said its flaws were exacerbated by the struggles of previous OPM contractors. The OPM hackers were able to infiltrate agency networks via a contractor, KeyPoint Government Solutions.

“The system we have now doesn’t work and I think the only hope here is … a system of continuous evaluation which would depend heavily on automation,” Clapper said.