SAN FRANCISCO — "Don't click on spear phishing emails" was the main message handed down to Senate staffers this week, who received a 20 minute online tutorial on online safety and security. It was the first-ever tutorial given to Senate staffers on online security, said several of those involved, but didn't cover more than the basic premise "don't be an idiot online."
"There was nothing they taught us that I wouldn't have already known from watching like, the evening news," said one Senate aide, who spoke to BuzzFeed News on condition of anonymity, as they were not approved to speak about the tutorial to the press. "Watch out for fake emails from hackers, don't click on malicious links, basically... don't be an idiot online."
The training came amid mounting concerns that foreign agents have stepped up attempts to hack into the the U.S. government. Earlier this week, the FBI told Arizona officials that voter registration systems in Arizona and Illinois had been targeted by Russian hackers, and earlier this year, a high-profile leak of emails from the DNC was likewise widely attributed to Russian hackers. With each hack, U.S. officials have expressed mounting concern over the state of the government's cybersecurity preparedness.
Three Senate staffers who spoke to BuzzFeed News said that until this week, they had never been offered an official cybersecurity tutorial, and that this week's tutorial was led by the Senate's Office of the Sergeant at Arms (SAA), which serves as the protocol and chief law enforcement office of the Senate. The staffers described the tutorial as being very basic, with the main focus on the detection and prevention of spear phishing emails.
Spear phishing emails, which appear real but which contain malware within innocuous looking files and links, are thought to be the how hackers infiltrated the DNC and DCCC email databases earlier this year, and how private cybersecurity firms say Russia-sponsored hackers infiltrated the State Department and White House last year.
"It technically happened, but it was almost pointless for anyone who already knew what phishing was and understood they shouldn’t click on links in emails from random addresses," said another staffer, who also spoke on condition of anonymity. "Useful for some, sure, but not a huge deal."