The State Department, with a recent history of email security issues, is looking to phish its own personnel.
The department’s Directorate of Information Assurance, Office of Policy, Liaison and Training issued a request for information earlier this month on ‘Phishing Email Simulation Services and Training,’ looking at the potential of procuring vendor-hosted and -managed ‘Phishing as a Service.’
The idea is that a vendor would create, send and track faux phishing emails in various languages to State’s 190,000 personnel worldwide at their state.gov email addresses. Those workers who fall for the phishing attempts — referred to as ‘violators’ — would be sent to corrective training, according to the RFI.
Potential vendors would also need to generate data on the simulated threats and the violators, such as common threat vectors — like how a successful phishing attempt could give a malicious agent access to other networks or systems.
In late 2014, Russian hackers were able to make it all the way into White House unclassified systems from an entry point in a State Department email server, according to CNN. The perpetrators apparently used a phishing email from a state.gov address to access the State networks, officials said.
And before news broke last year that former Secretary of State Hillary Clinton had used a personal email address for official business, Romanian hacker Guccifer breached a Clinton adviser’s email and released memos sent to a private ‘clintonemail.com’ domain that outlets linked to the secretary. Clinton’s use of personal email has been a stumbling block during her campaign to be named the Democratic nominee in November’s presidential election.