If You're Going to Set a Cyber Trap, Don't Do This
The Energy Department's IG found many problems with a planned "gotcha" exercise.
If you go to a conference, be wary of charging stations for mobile devices. If you’re an agency setting up a cyber sting, be sure to follow the rules.
An Energy Department cyber office decided to test conference goers at the 2016 Cyber Conference in Atlanta with fake charging machines designed to download data from any devices that connected. Instead, the exercise showed gaps in oversight of the department’s cyber assessment policies and incident response, according to a recent inspector general report.
“We are concerned about the lack of coordination among Department elements and the related OCIO response to the potential threat that such devices could have posed,” the report said.
As the Cyber Conference approached, the Office of Cyber Assessments saw an opportunity to see whether people would plug their government-issued or personal devices into charging stations that were really data collection boxes built to look like charging stations. The office wanted stats, like how many people plugged in, so the faux charging devices only pulled device name, serial number, manufacturer and model number.
The office, part of the larger Office of Enterprise Assessments, is allowed to make unannounced assessments at sites, called red team exercises, but the IG said it failed to coordinate with a “trusted agent” who also played a role in planning the conference. (For what it's worth, the Office of Enterprise Assessments disagreed this test was a red team exercise, but the IG said it was.)
Who did plan the conference? The Office of the Chief Information Officer. A few hours after the Office of Cyber Assessments personnel set up the charging stations, a conference planner found them and OCIO officials had them moved first to a planning office and then to another storage area the next morning. Officials from both offices got together to discuss the matter and return the devices.
Then, the Office of Cyber Assessment personnel set them up at the conference. Again. And a conference planner found them. Again.
The IG report noted a miscommunication between the offices about whether the testing could continue. But the IG wasn’t happy with the OCIO’s initial response, which should have included contacting security or law enforcement.
“Considering the charging stations were of unknown origin and appeared to target conference attendees, notification that the devices had been discovered to security personnel may have been a prudent action to ensure there was no threat to public safety,” the report said.
The IG determined the Office of Cyber Assessments wasn’t operating with malicious intent but had little oversight from the Office of Enterprise Assessments and recommended reviews of cyber assessment policies. The IG also recommended the acting chief information officer review policies related to identifying and responding to security threats.