Surprise, Surprise! Federal Cybersecurity Incidents are On the Rise!
Published: March 15, 2018
The latest federal information security status report shows that cyber-incidents continue to rise, especially phishing and cyber-infractions by authorized users.
Cybersecurity is at the forefront of the Trump Administration’s national security policy and federal IT agenda. The Office of Management and Budget’s latest Fiscal Year 2017 Federal Information Security Modernization Act of 2014 (FISMA) Annual Report to Congress reflects that agencies continue to experience a greater volume of threats both external and internal.
Reported Cyber Incidents Continue to Rise
As you may recall, in FY 2016 the U.S. Computer Emergency Readiness Team (US-CERT) revised how agencies were to measure and report cybersecurity incidents, classifying each incident by the method of attack, or attack vector. This reporting methodology remained consistent for FY 2017, but it makes historical comparison of FISMA data from years before FY 2016 challenging at best.
Even with multiple concurrent efforts to harden IT systems, security incidents continue an upward trajectory. According to the latest OMB findings, agencies reported 35,277 cybersecurity incidents to US-CERT in FY 2017, up 4,378 from the 30,899 reported in FY 2016 (and compared to more than 77K for FY 2015, under the former reporting method). (See chart below.)
Attack Vectors for FY 2017 – Changes and Increases
OMB swapped out one of the Attack Vectors that agencies were to report as part of their FY 2017 FISMA submissions. New for FY 2017 is the Physical Cause metric and out is Impersonation/Spoofing, which was defined as an attack involving replacement of legitimate content/services with a malicious substitute.
The latest US-CERT guidelines break down incidents into the following nine Attack Vectors as described:
- Attrition – Employs brute force methods to compromise, degrade, or destroy systems, networks, or services.
- E-mail/Phishing – An attack executed via an email message or attachment.
- External/Removable Media – An attack executed from removable media or a peripheral device.
- Improper Usage – Any incident resulting from violation of an organization’s acceptable usage policies by an authorized user, excluding the other categories.
- Loss or Theft of Equipment – The loss or theft of a computing device or media used by the organization.
- Physical Cause – An attack or accident initiated in the physical realm.
- Web – An attack executed from a website or web-based application.
- Other – An attack method that does not fit into any other vector, or where the cause of the attack is unidentified.
- Multiple Attack Vectors – An attack that uses two or more of the above vectors in combination.
For FY 2017 these incidents break out across the nine Attack Vectors as follows, with the largest number falling into the Other category. (See chart below.)
An alternative view of the FY 2017 cyber-incidents is to relate the relative frequency of each Attack Vector to the whole. (See chart below.)
Year-to-year changes from FY 2016 to FY 2017 in the frequency of the top Attack Vectors reveal the areas where agencies continue to experience some of the greatest vulnerabilities and where they have seen improvements. Across the government, Phishing attacks continue to rise and agencies continue to struggle with Improper Usage violations by authorized users. Conversely, agencies have reduced Equipment Loss or Theft and the impacts of Web-based attacks. The reduction in Other (non-categorized) incidents, while still the largest single incident classification, may bode well for the growth in agencies’ abilities to effectively detect and identify cyber incidents. These five Attack Vectors account for 98% of all reported incidents in FY 2017. (See chart below.)
The year-over-year doubling in E-mail/Phishing attacks is no surprise and remains an ongoing menace. OMB reports that 86 agencies successfully met their Anti-Phishing Defenses Cross-Agency Priority (CAP) goal target for FY 2017, up from 69 in FY 2016 and 29 in FY 2015. That’s progress, but the nature and effectiveness of phishing attacks mean that agencies that have not yet hardened their phishing defenses increase the risk across all agencies.
Improper Usage by authorized federal users continues to make up the single largest non-Other category and sustains yearly growth that must be a point of frustration for agency cybersecurity staff. The number of these reported incidents nearly doubled from FY 2016 to FY 2017, reconfirming the notion that authorized users present some of the greatest challenges to cybersecurity.