Latest FISMA Report Reveals Federal Cyber Challenges are Mostly Internal
Published: March 13, 2013
The current season of federal budget uncertainty, exacerbated by sequestration, raises concerns about how federal departments and agencies will allocate funds to implement and improve their information security. As OMB describes in the latest Federal Information Security Management Act (FISMA) report to Congress, agencies continue to be the target of increased attacks. But digging a little deeper reveals that many of the challenges may stem from internal practices rather than external attacks.
The latest OMB FY 2012 FISMA report provides OMB’s assessment of what agencies achieved in FISMA-related information security during the previous fiscal year. Of particular interest is the number of security incidents being reported to the US Computer Emergency Readiness Team (US-CERT). (See chart below.)
From FY 2011 to FY 2012, agencies reported an 11% increase in incidents, more than the 5% increase reported from FY 2010 to FY 2011 but less than the 40% increase reported from FY 2009 to FY 2010. Reported incidents are up 200% since FY 2008. In an earlier blog post I mentioned comments by a former CIA CISO who noted that the counting method used by FISMA actually understates the threat levels, so these numbers are more like baselines than actualities.
A deeper look into the specific types of security incidents and their frequency reveals that the vast majority of these incidents fall into 5 categories:
- Non Cyber – Non Cyber is used for filing all reports of Personally Identifiable Information (PII) spillages or possible mishandling of PII that involve hard copies or printed material as opposed to digital records.
- Policy Violation – This subset of Improper Usage is primarily used to categorize incidents of mishandling data in storage or transit, such as digital PII records or procurement-sensitive information found unsecured, or PII being emailed without proper encryption.
- Malicious Code – Used for all successful executions or installations of malicious software which are not immediately quarantined and cleaned by preventative measures such as anti-virus tools.
- Equipment – This subset of Unauthorized Access is used for all incidents involving lost, stolen or confiscated equipment, including mobile devices, laptops, backup disks or removable media.
- Suspicious Network Activity – This category is primarily utilized for incident reports and notifications created from EINSTEIN and EINSTEIN 2 data analyzed by US-CERT.
These top 5 categories account for 87% of all incidents reported by federal agencies. Factoring out the Non Cyber category, the remaining top 4 make up nearly 60% of all reported federal security incidents. (See chart below.)
Delving into the data a bit further shows where these incidents are most widely occurring among the 15 departments spending the most on their IT security, according to their FISMA submissions. (See table below.)
While a data comparison among categories and agencies has its limitations, it does lead us to ask further questions and draw some possible conclusions. The most obvious to me is the clustering of incidents within categories that relate to internal behaviors.
Taken together, the frequency of Policy Violations, lost or stolen Equipment, and Non Cyber (non-digital) incidents involving the physical spillage or mishandling of PII in paper form drives home that much remains to be done in the area of cybersecurity training for IT users at these departments. If a large share of the Malicious Code category results from code introduced through unsafe user practices, then that incident frequency too underscores the ongoing need for training. OMB notes in the report that federal agencies spent less than 1% of their IT security budgets on training in FY 2012. Previous FISMA reports put training at roughly 2.5% in FY 2010 and FY 2011, but according to OMB the DOD portion of the data for those years was incomplete, so adjusting for DOD might show that 1% is consistent across all of these years.
The sheer number of departments in the top 15 above that list Policy Violations and/or Equipment incidents among their two or three most frequent categories suggests that some of the greatest information security challenges facing federal agencies are internal – whether through lack of awareness or training or through outright disregard for approved security practices. In a fiscally constrained environment where the return on each dollar is scrutinized, agencies might actually save the money they would otherwise spend cleaning up users' security mistakes if they could more effectively prevent many of these incidents in the first place.