Federal Cybersecurity Incidents Were Up 25% in FY2013
Published: May 05, 2014
More than a decade after the implementation of the Federal Information Security Management Act (FISMA), federal departments struggle to implement effective cybersecurity measures in the face of internal and external threats to security. An annual Office of Management and Budget report on cybersecurity reveals an environment where incidents are up 25% from the previous year, amidst a mix of advances and retreats among federal agencies.
The latest FY 2013 FISMA report to Congress provides OMB’s assessment of what agencies achieved in FISMA-related information security in the previous fiscal year. Of particular interest is the number of security incidents being reported to the US Computer Emergency Readiness Team (US-CERT). (See chart below.)
From FY 2012 to FY 2013, agencies report an increase of about 25%, which is more than the 11% increase they reported from 2011 to 2012. In fact, the FY 2012-13 change is the largest year-to-year increase since FY 2009-10, which saw a nearly 40% increase. Overall, reported incidents are up more than 250% since FY 2008 and over 1000% since 2006.
A deeper look into the specific types of security incidents and their frequency reveals that the vast majority of these incidents fall into 5 categories (see chart below):
- Non Cyber – Non Cyber is used for filing all reports of Personally Identifiable Information (PII) spillages or possible mishandling of PII which involve hard copies or printed material as opposed to digital records.
- Policy Violation – This subset of Improper Usage is primarily used to categorize incidents of mishandling data in storage or transit, such as digital PII records or procurement sensitive information found unsecured or PII being emailed without proper encryption.
- Malicious Code – Used for all successful executions or installations of malicious software which are not immediately quarantined and cleaned by preventative measures such as anti-virus tools.
- Equipment – This subset is used for all incidents involving lost, stolen or confiscated equipment, including mobile devices, laptops, backup disks or removable media.
- Other – An aggregate of several low-frequency types of incident reports, such as unconfirmed third-party notifications, failed brute force attempts, port scans, or reported incidents where the cause is unknown.
These top 5 categories account for more than 86% of all incidents reported by federal agencies. Factoring out the Non Cyber category, the remaining top 4 make up nearly 77% of all reported federal security incidents. A full two-thirds of the incidents are related to what could be characterized as internal behaviors – policy violations, PII mishandling, equipment loss, etc. The remaining one-third fall into an external threat bucket, like malicious code insertions, phishing attacks, port scans, denial of service and brute force attacks.
Within the context of annual FISMA reporting, this mix of internal and external threats to cybersecurity is not new. However, it continues to underscore the need for ongoing security training of general IT users at federal departments so that users do not introduce vulnerabilities through their behavior. It also underscores the need for more effective security policy or greater automation of its enforcement.