In the wake of the Office of Personnel Management hack this year, which reportedly took advantage of a phishing attack to steal credentials used to gain access to highly sensitive personnel records, US federal agencies have been increasing their security training and employee testing around phishing. In addition to the employee awareness campaign launched by the National Counterintelligence and Security Center, more agencies are using security auditing tools that simulate phishing attacks against employees to test whether the employees abide by their information security training. Those who fall for phishing tests are generally either required to take a security refresher class or at worst are publicly called out for their errors in agency e-mails.
But at least one federal chief information security officer thinks that these steps aren’t enough and that repeatedly falling for phishing attempts—fake or real—should have more dire consequences than a slap on the wrist. According to a report from DefenseOne, Department of Homeland Security CISO Paul Beckman said during a panel discussion at a cybersecurity event in Washington last week that he believes it’s time to ban those who flunk Phishing 101 from having access to sensitive government data by revoking their clearances.
“Someone who fails every single phishing campaign in the world should not be holding a TS SCI [top secret, sensitive compartmentalized information—the highest level of security clearance] with the federal government,” stated Beckman. “You have clearly demonstrated that you are not responsible enough to responsibly handle that information.”