Federal Cybersecurity Incidents Continued Double-Digit Growth in FY2015

The FY 2015 Report to Congress on the Federal Information Security Modernization Act (FISMA) provides OMB’s assessment on what agencies have achieved in FISMA-related information security in the previous fiscal year.  Of particular interest is the number of security incidents that are being reported to the US Computer Emergency Readiness Team (US-CERT). (See chart below.) 

From FY 2014 to FY 2015 agencies report an increase of about 10%, which is the lowest yearly total increase since the reported 3% from FY 2010 to FY 2011. That said, the 10% bump shows a continued tempering over the last few years that saw a 25% increase from FY 2012-13 and a 15% jump from FY 2013-14. Apparently, gone are the days of 40-80% yearly growth rates that we saw from FY 2006 to 2010. Overall, reported incidents are up 85% since FY 2010 and over 1,300% since 2006.

Of the total 77.2K incidents reported in FY 2015, 12,294 (16%) were classified as Non-Cyber, which is used for filing all reports of personally identifiable information (PII) spillages or possible mishandling of PII, which involve hard copies or printed material as opposed to digital records. The remaining 64,889 (84%) are what we typically think about as cyber-related, fitting among specific types of security incidents under the definitions provided by US-CERT and falling into 6 categories by varying proportions: (See the list and chart below.)

• Policy/Usage Violation – Policy Violation is used to categorize incidents of mishandling data in storage or transit, such as digital personally identifiable information (PII) records or procurement sensitive information found unsecured or PII being emailed without proper encryption. Improper Usage categorizes all incidents where a user violates acceptable computing policies or rules of behavior. These include incidents like the spillage of information from one classification level to another.
  
  
• Unauthorized Access – UA is when an individual gains logical or physical access without permission to a federal agency network, system, application, data or other resource.
  
  
• Malicious Code – All successful executions or installations of malicious software, which are not immediately quarantined and cleaned by preventative measures such as antivirus tools.
  
  
• Scans, Probes, Attempted Access – For the purposes of FISMA reporting, a separate superset of multiple subcategories has been employed to accommodate several low-frequency types of incident reports, such as unconfirmed third-party notifications, failed brute force attempts, port scans, or reported incidents where the cause is unknown.
  
  
• Social Engineering/Phishing – Social Engineering is used to categorize fraudulent web sites and other attempts to entice users to provide sensitive information or download malicious code. Phishing is an attempt by an individual or group to solicit personal information from unsuspecting users by employing social engineering techniques, typically via emails containing links to fraudulent websites.
  
  
• Suspicious Network Activity – This category is primarily utilized for incident reports and notifications created from EINSTEIN data analyzed by US-CERT.
  

 

Implications

These 6 categories account for more than 84% of all incidents reported by federal agencies, large and small. Having factored out the Non-Cyber category, 34% of the remaining “true cyber” category incidents are related to what could be characterized as internal behaviors – policy violations, PII mishandling, equipment loss, etc.  The remaining two-thirds fall into an external threat bucket, like malicious code insertions, phishing attacks, port scans, and brute force attacks.

This mix of internal and external threats to cybersecurity is not all that unusual for annual FISMA reporting. A consistently high level for Policy and Usage Violations continues to underscore the need for effective security policy and ongoing security training of general IT users at federal departments so that users do not introduce vulnerabilities through their behavior. OMB does report a jump in incidents of Suspicious Network Activity and Scans, Probes, and Attempted Access, which underscores the need for increasingly advanced network monitoring and greater automation of security functions.