WASHINGTON — An ominous email message landed in the inboxes of a small group of U.S. Army employees last month, warning of a security breach in their federal retirement plans and urging them to log in and check their accounts.
The email was a fake — a classic spear phishing expedition looking for unwitting victims willing to share their personal financial information.
But the perpetrator was not a criminal hacker. It was an Army combat commander, acting on his own authority to test whether anyone on his staff would fall for the trick. In the process of sussing out internal vulnerabilities, though, the commander sowed panic across the government: Employees forwarded the email to thousands of friends and colleagues at the Defense Department, the FBI, Customs and Border Protection, the Labor Department and other agencies.
Even the Pentagon’s Chief Information Office, which oversees computer networks across the military, was unaware of the phony email.
The embarrassing episode, a security awareness test of the sort that has become common practice at private companies and federal agencies, tested how far the government should go in probing its own employees to protect against cyberthreats. Testing security by suggesting problems with federal employees’ nest eggs? In hindsight, all agree that should be off-limits.
Account-holders saw the words “Thrift Savings Plan Alert: Passcode Reset” in the email’s subject line, sent from the account services department at “tspgov.us.” Puzzled by the message and wondering if it was legitimate, they shared it over and over and flooded the Thrift Savings Plan’s call center with anxious queries. Information technology staffs scrambled to figure out whether it was real.
It was close to three weeks from when the email was sent until it was traced to the Army command. Now, Defense officials said they will require more oversight of security tests that try to trip up employees.
At the Thrift Savings Plan, the small agency near Union Station that holds the 401(k)-style portfolios of most federal workers, officials are furious that their trusted brand was tampered with, no less by the government’s largest employer.
“While I can see how that particular test served the interests of the Department of Defense,” executive director Greg Long said, “that’s not my concern. Anything that causes our participants to question whether their account is safe and secure damages our interest.”
Federal agencies conduct routine cybersecurity training, but attacks are constantly evolving and increasingly sophisticated, which makes them difficult to defend against. To reinforce the urgency, a growing number of agencies are sponsoring their own phishing attacks, experts said.
In some cases, if the employee takes the bait, the link or phony attachment delivers a short security message or even locks out the user.
Agencies collect data on the success of the “attacks” and develop metrics about what techniques work with whom. Some private companies dock managers’ pay if their employees repeatedly fall for the pranks.
“Every agency should be doing it,” said Jacob Olcott, a former counsel for the Senate Commerce committee who now works for Good Harbor Consulting, a cyber-risk-management company.
The upside to the Army-TSP episode: No one clicked on the fake site, which was shut down. No personal or account information was compromised, but federal employee unions are furious that their members, who watched their investments plummet in the financial crisis, were put in such a position.
“It’s big old DOD and you’ve got little TSP,” said Matthew Biggs, legislative director of the International Federation of Professional & Technical Engineers, which represents Defense workers. “The big government bullies are just pushing us around and using us as guinea pigs.”
J. David Cox Sr., president of the largest federal union, the American Federation of Government Employees, said in a statement, “We are strong advocates of cybersecurity, but DoD should be much more prudent in the future in deciding how they test federal employees.”
Spear phishing emails are among the most common weapons used by hackers trying to gain entry into computers inside and outside government. They use what Internet security experts call “bait,” usually a legitimate-looking email, to get their victims to provide log-in or account information or to visit a malicious site that installs malware on the computer.
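The sender domain in the Army test, “tspgov.us,” is the kind of lookalike a mail gateway or a wary recipient can catch mechanically: it is a trusted brand’s domain with the dot removed and a different public suffix attached. The script below is an added example, not code from the Army, the Thrift Savings Plan or this report; it assumes that tsp.gov is the legitimate TSP domain and uses a constructed header block modeled on the article’s description rather than the real email. It also handles the neighbouring tricks (brand name under a different suffix, brand domain used as a subdomain, digit-for-letter homoglyphs) that a real check would need.

```python
"""Flag sender domains that imitate a trusted brand's domain.

Added example for this report (not code from the Army, the TSP, or the
news agency). The fake message came from "tspgov.us", which a lookalike
check catches because it is the trusted domain with its dot removed and a
different public suffix attached. The trusted-domain list and the sample
header block are constructed for the demo.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption (not stated in the article): tsp.gov is the legitimate TSP domain.
TRUSTED_DOMAINS = ("tsp.gov",)

# Homoglyph substitutions undone before names are compared (rn -> m, 0 -> o, ...).
_HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))


def _normalize(label: str) -> str:
    """Lower-case, undo homoglyphs, and drop hyphens and anything non-alphabetic."""
    label = label.lower()
    for glyph, letter in _HOMOGLYPHS:
        label = label.replace(glyph, letter)
    return re.sub(r"[^a-z]", "", label)


def _split(domain: str) -> tuple[str, str]:
    """Return (registrable_name, public_suffix) for a domain.

    Simplification: the last label is taken as the public suffix. Production code
    should consult the Public Suffix List (for example via the publicsuffix2
    package) so that names under co.uk, com.au and similar are split correctly.
    """
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    return labels[-2], labels[-1]


def classify_domain(sender_domain: str, trusted=TRUSTED_DOMAINS) -> tuple[str, str]:
    """Classify a sender domain as 'trusted', 'lookalike' or 'unrelated'.

    Returns (verdict, reason). Subdomains of a trusted domain are trusted;
    anything that merely resembles one is a lookalike.
    """
    sender = sender_domain.lower().rstrip(".")
    for t in (d.lower() for d in trusted):
        if sender == t or sender.endswith("." + t):
            return "trusted", f"{sender} is {t} or one of its subdomains"

    name, suffix = _split(sender)
    norm_name = _normalize(name)
    for t in (d.lower() for d in trusted):
        t_name, t_suffix = _split(t)
        # Trusted domain used as a leading subdomain: tsp.gov.verify-account.com
        if sender.startswith(t + "."):
            return "lookalike", f"{t} appears as a subdomain of {name}.{suffix}"
        # Whole trusted domain squashed into one label: tspgov.us, tsp-gov.com
        if norm_name == _normalize(t_name + t_suffix):
            return "lookalike", f"{name} is {t} with its punctuation removed"
        # Same (or homoglyph-altered) brand name under any suffix: tsp.com, t5p.gov
        if norm_name == _normalize(t_name):
            return "lookalike", f"{name}.{suffix} reuses the brand name of {t}"
    return "unrelated", f"{sender} does not resemble a trusted domain"


def sender_domain(raw_message: str) -> str:
    """Extract the domain of the From: address from a raw RFC 5322 message."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


# Constructed header block modeled on the article's description; not the real email.
SAMPLE_MESSAGE = """\
From: "TSP Account Services" <account-services@tspgov.us>
To: employee@example.mil
Subject: Thrift Savings Plan Alert: Passcode Reset

Your passcode has been reset. Log in now to review your account.
"""

if __name__ == "__main__":
    verdict, reason = classify_domain(sender_domain(SAMPLE_MESSAGE))
    print(f"{verdict}: {reason}")
    for d in ("alerts.tsp.gov", "tsp-gov.com", "tsp.gov.verify-account.com", "t5p.gov", "example.com"):
        print(d, "->", classify_domain(d))
```

The check deliberately treats only subdomains of a trusted domain as trusted; a display name such as “TSP Account Services” is ignored, because display names are attacker-controlled and the domain is the only part of the From: header worth comparing. The last-label public-suffix shortcut is the one piece that should be replaced with a real Public Suffix List lookup before use on live mail.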
Future phishing tests will be approved by the Chief Information Office, a Defense official said.