End-User Cybersecurity Violations Continue to Plague Federal Agencies

Published: September 19, 2019

Cybersecurity, Policy and Legislation

The latest federal information security status report shows agencies report declines in almost all types of cyber-incident, but end-user issues remain.

Cybersecurity has been a top federal priority for more than a decade and has been at the forefront of the Trump Administration’s national security policy and federal IT modernization agenda. The Office of Management and Budget’s latest Fiscal Year 2018 Federal Information Security Modernization Act of 2014 (FISMA) Annual Report to Congress reflects that while agencies continue to struggle with cybersecurity challenges they also are reporting fewer incidents compared to the last fiscal year.

Reported Cyber Incident History

Federal agencies have made numerous concurrent efforts to harden IT systems and improve their security processes in the face of ever-rising security threats. According to the latest OMB findings, agencies reported 31,107 cybersecurity incidents to the U.S. Computer Emergency Readiness Team (US-CERT) in FY 2018 – down 4,170 compared to the 33,484 reported in FY 2017, but up slightly from the 30,899 reported in FY 2016 when US-CERT revised their metrics.* (See chart below.)

Attack Vectors for FY 2018 – Changes and Increases

OMB swapped a couple of the Attack Vectors that agencies were to report as part of their FY 2018 FISMA submissions. Impersonation/Spoofing returns as a reported attack vector, while Physical Cause (an attack or accident initiated in the physical realm), which had been added for FY 2017, is dropped.

The latest US-CERT guidelines break down incidents into the following nine Attack Vectors as described:

  • Attrition – Employs brute force methods to compromise, degrade, or destroy systems, networks, or services.
  • E-mail/Phishing – An attack executed via an email message or attachment.
  • External/Removable Media – An attack executed from removable media or a peripheral device.
  • Impersonation/Spoofing – An attack involving replacement of legitimate content/services with a malicious substitute.
  • Improper Usage – Any incident resulting from violation of an organization’s acceptable usage policies by an authorized user, excluding the other categories.
  • Loss or Theft of Equipment – The loss or theft of a computing device or media used by the organization.
  • Web – An attack executed from a website or web-based application.
  • Other/Unknown – An attack method that does not fit into any other vector, or an attack whose cause is unidentified.
  • Multiple Attack Vectors – An attack that uses two or more of the above vectors in combination.

For FY 2018 these incidents break out across the nine Attack Vectors as follows, with the largest number falling into the Improper Usage category. (See chart below.)

An alternative view of the FY 2018 cyber-incidents is to relate the relative frequency of each Attack Vector to the whole. (See chart below.)

Year-to-year changes from FY 2017 to FY 2018 in the frequency of the top Attack Vectors reveal the areas where agencies continue to experience some of their greatest vulnerabilities, and the areas where they have seen improvements. Across the government, agencies continue to struggle with Improper Usage violations by authorized users. It is noteworthy, however, that every other major Attack Vector except Attrition shows a decline in reported incidents from FY 2017.

Even E-mail/Phishing incidents declined for FY 2018 – the first observed decrease that I can recall – possibly due to implementation of DHS’s Binding Operational Directive (BOD) 18-01, which required agencies to take several actions related to email and web security.

Since no FY 2017 incident data was reported for Impersonation/Spoofing (the metric was swapped out for Physical Cause that year), there is not sufficient data for an immediate year-to-year comparison. However, the FY 2016 FISMA report noted 64 such incidents reported government-wide, which is above the 47 incidents reported for FY 2018.

The reduction in reported incidents may bode well for the growth in agencies’ abilities to effectively detect and identify cyber incidents. (See chart below.)

For the first year under the current reporting scheme, Improper Usage by authorized federal users makes up the single largest incident category at 31% and sustains year-to-year growth of nearly 25%. The rise in Improper Usage appears to be a sustained trend. The number of these reported incidents nearly doubled from FY 2016 to FY 2017 – from 4,130 to 7,856 – and the FY 2018 count of 9,674 represents growth of more than 130% over FY 2016. Further, Improper Usage continues to rise as a relative proportion of total incidents over the last three fiscal years, accounting for 13%, 22% and 31% of incidents in FY 2016, FY 2017 and FY 2018 respectively.

Given that Improper Usage incidents result from an authorized user’s violation of their organization’s acceptable usage policies (excluding actions captured by other incident categories), I can only conclude that this must be a point of ongoing frustration for agency cybersecurity staff and a focal point for ongoing user training and education efforts at federal agencies.

-----

* For FY 2016, US-CERT revised how agencies were to measure and report cybersecurity incidents by classifying incidents by the method of attack, or attack vector. This reporting methodology has remained consistent since, but it limits historical comparison of FISMA data prior to FY 2016.