Dear US Government, you are making me tired.
In 2011 and 2014 you published memos that said the following:
- “HSPD-12 is a strategic initiative intended to enhance security, increase Government efficiency, reduce identity fraud, and protect personal privacy.” (emphasis mine)
- “Data reported to the DHS US-CERT by Federal agencies shows a preponderance of phishing attacks, and shows the number of phishing attacks is steadily increasing. By elevating this new priority, OMB and NSC staff will combat the number one threat vector affecting Federal systems and information.”
Then in June of 2015, we find out there’s been a data breach at the Office of Personnel Management, “resulting in the theft of approximately 4 million personnel records handled by the office.” Federal employees everywhere were told to be patient, more information would be forthcoming. Just watch for an email from the OPM CIO, they were told. When the email finally came, was it from Donna.Seymour@opm.gov (or even CIO@OPM.gov) and digitally signed using HSPD-12, as one would expect?
Because it wasn’t, countless recipients assumed the email was fraudulent. (I applaud them! Because it’s clear they paid attention to their annual cyber security training.) Here’s a copy of the email, which looks almost like a textbook phishing example:
The first thing we notice is who sent the email. It says OPM CIO, but then the email address is firstname.lastname@example.org. Why would a government agency have a .com email address? Hmmm… phishy.
Before we even get to the salutation, we see two long, ugly URLs full of gibberish. Never a good sign. Need I say it? Phishy.
The salutation is innocuous enough, but immediately after that, we are given a PIN and another long, ugly URL with the words ENROLL NOW in all caps — the Internet equivalent of yelling. If I were a hacker, I would hope that at least a few ~~victims~~ phish recipients would take the bait and click on the URL with their new PIN ready to go.
For those that aren’t as quick to bite, I would include some faux explanatory text. Which is exactly what you’ll find next in the email. The first sentence is scary: “…may have exposed your personal information.” That should hook a few more, right?
The email ends with lots of official sounding information about Homeland Security, personal information, and a promise of $1M worth of identity theft insurance.
Apparently the reader is required to infer that the PIN at the top of the email is provided in order to take advantage of said insurance. It never actually gives specific instructions, however. (If you visit the OPM website, which ends in .gov, as one would expect, you’ll find more complete information is available at this (less phishy-looking) URL >> http://www.csid.com/opm.)
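The indicators walked through above, written as header and body checks a mail filter could apply. This is an added example, not part of the original post: the sample message, its addresses, URLs and PIN are constructed, and `phishing_indicators` is a hypothetical helper that only checks for the presence of an S/MIME wrapper, not the validity of the signature.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample message (not the real notice); address, URLs and PIN are made up.
SAMPLE = """\
From: OPM CIO <notice@mail.example.com>
Subject: Important notice
Content-Type: text/plain

https://mail.example.com/t/c?u=8f3a9c1e77b24d0e9a1f5c6b7d8e9f00&r=1b2c3d4e5f60718293a4b5c6d7e8f901
Dear Employee,
Your PIN: 0000000000
ENROLL NOW: https://mail.example.com/t/c?u=8f3a9c1e77b24d0e9a1f5c6b7d8e9f00&e=aa55aa55aa55aa55aa55aa55
A recent incident may have exposed your personal information.
"""

# S/MIME content types; presence only, the signature itself is not verified here.
SIGNED_TYPES = {"multipart/signed", "application/pkcs7-mime", "application/x-pkcs7-mime"}

def phishing_indicators(raw, claimed_org="OPM", expected_suffix=".gov"):
    msg = message_from_string(raw)
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    body = "\n".join(p.get_payload() for p in msg.walk() if p.get_content_type() == "text/plain")
    offsite = lambda u: not (urlparse(u).hostname or "").endswith(expected_suffix)
    hits = []
    # Display name claims the agency, but the address is outside its domain space.
    if claimed_org.lower() in display.lower() and not domain.endswith(expected_suffix):
        hits.append("sender-domain-mismatch")
    # No S/MIME wrapper, so there is no signature a recipient could check.
    if msg.get_content_type() not in SIGNED_TYPES:
        hits.append("unsigned")
    # Links with long opaque query strings that point outside the expected domain space.
    if any(len(urlparse(u).query) > 40 and offsite(u) for u in re.findall(r"https?://\S+", body)):
        hits.append("opaque-offsite-url")
    # An all-caps call to action on the same line as a link.
    if re.search(r"\b[A-Z]{3,}(?: [A-Z]{3,})+\b.*https?://", body):
        hits.append("all-caps-call-to-action")
    # A credential-like value (PIN) delivered inside the message.
    if re.search(r"\bPIN\b\W*\d{4,}", body):
        hits.append("pin-in-body")
    return hits

if __name__ == "__main__":
    print(phishing_indicators(SAMPLE))
```

A legitimate notice trips all five checks here, which is the point: a filter or a trained reader applying these rules cannot tell it apart from the real thing unless the sender uses the agency domain and signs the message.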
Hindsight being 20/20, we know that the email was perfectly legit. But did it really need to look exactly like the emails people are trained to report to their security offices? How many man hours (i.e., dollars) were spent on June 8th drafting, reviewing, and approving “Phishing Threat Advisory” emails about the above? Shortly thereafter, how many man hours (i.e., dollars) were spent drafting, reviewing, and approving the retractions of those advisories?
How much will it cost the government to re-send the emails with personalized PINs to all the people who deleted them thinking they were fraudulent? (Because they were following their training, which instructs people to permanently delete phishing emails after reporting them.) As Facebook commenter Matney Wyatt said, “…the ‘pin’ is needed to access the CSID services that were contracted by OPM. The original email has the ‘pin’ and everyone who received the ‘pin’ has deleted the email. It’s a gamble to assume that this email was ‘left in the delete folder.’”
As a taxpayer, I knew the aftermath of the OPM data breach was going to cost the government a lot of money. Thanks to the email above, however, the aftermath of the aftermath is going to cost even more. If everybody could just follow the policies that are already in place, the “Government efficiency” they promise might actually come to fruition.