Federal Cybersecurity Incident Metrics Indicate Opportunities

Published: June 20, 2024


The latest status report reveals both the improvements made and the continued challenges that civilian agencies face with cybersecurity enforcement.

Bolstering cybersecurity remains at the top of the federal technology priority list, as the White House’s Office of Management and Budget (OMB), the Cybersecurity and Infrastructure Security Agency (CISA) and other federal agencies continue to make multiple, concurrent efforts to protect federal IT systems and data from persistent threats. OMB’s latest Fiscal Year 2023 Federal Information Security Modernization Act of 2014 (FISMA) Annual Report to Congress reflects the progress made and the enduring challenges that agencies face in both the variety of threats and their capabilities to address them.

Reported Federal Cyber Incidents

According to the latest OMB FISMA release, agencies reported 32,211 cybersecurity incidents to the U.S. Computer Emergency Readiness Team (US-CERT) in FY 2023 – up 2,892 (+9.9%) compared to the 29,319 incidents reported in FY 2022 and just 332 incidents (-1.0%) below the 32,543 incidents reported in FY 2021. The new report restates the FY 2022 reported incidents down 1,340 from the 30,659 total provided in last year’s FY 2022 FISMA report. OMB provides a footnote to the FY 2022 total, “FY 2022 figures reflect a correction to the incident counts and categories,” with no further explanation.

The latest data puts FY 2023 effectively on par with FY 2021 levels and reverses FY 2022’s downward shift, in which agencies reported fewer incidents. OMB comments on the FY 2023 uptick: “These additional incidents were mostly considered ‘Minor’ events under the National Cyber Incident Scoring System (NCISS). Minor events are ‘[h]ighly unlikely to affect public health or safety, national security, economic security, foreign relations, civil liberties, or public confidence.’”

Attack Vector Metrics Remain Consistent

OMB’s categories and definitions of the Attack Vectors that agencies are to report as part of their FISMA submissions have been consistent since FY 2018, allowing for some year-to-year comparisons. The US-CERT guidelines break incidents down into the following nine Attack Vectors:

  • Attrition – Employs brute force methods to compromise, degrade, or destroy systems, networks, or services.
  • E-mail/Phishing – An attack executed via an email message or attachment.
  • External/Removable Media – An attack executed from removable media or a peripheral device.
  • Impersonation/Spoofing – An attack involving replacement of legitimate content/services with a malicious substitute.
  • Improper Usage – Any incident resulting from violation of an organization’s acceptable usage policies by an authorized user, excluding the other categories.
  • Loss or Theft of Equipment – The loss or theft of a computing device or media used by the organization.
  • Web – An attack executed from a website or web-based application.
  • Other/Unknown – An attack method that does not fit into any other vector, or an attack whose cause is unidentified.
  • Multiple Attack Vectors – An attack that uses two or more of the above vectors in combination.

Cybersecurity Incidents Reported in FY 2023

For FY 2023, these incidents break out across the nine Attack Vectors as shown in the chart, with the largest number falling into the Improper Usage category and the smallest number in Impersonation/Spoofing.

An alternative view of the FY 2023 cyber incidents is to express each Attack Vector’s count as a proportion of the total, giving the relative share of each category.

FY 2023 Results Point to Improvements and Continuing Challenges

Year-to-year changes from FY 2022 to FY 2023 in the frequency of the top Attack Vectors reveal the areas where agencies continue to experience some of the greatest challenges and where they have made progress.

In FY 2023, Improper Usage (IU) violations by authorized users accounted for the highest number (12,261) and proportion (38%) of reported incidents, up from 36% in FY 2022. IU was consistently the top reported incident type from FY 2018 to FY 2020 and was the second highest reported vector in FY 2017. OMB concludes that this level of IU incidents “suggests that although agencies have processes or capabilities that detect when a security policy is being violated, many lack automated enforcement or prevention mechanisms.” This statement echoes OMB’s comments on IU violations in its FY 2022 report.

After declining in reported incidents each year since FY 2017, E-mail/Phishing saw a huge increase in FY 2023 of +3,187 incidents (+106%) to reach a total of 6,198 incidents, which accounts for 19% of all reported incidents in FY 2023. For comparison, E-mail/Phishing saw a 2% increase from FY 2021 to FY 2022 and accounted for 10% of cyber incidents in FY 2022, up from 9% in FY 2021. The FY 2023 level suggests both the persistence of this threat and the improved ability of agencies to detect and classify these incidents.

If there is a noticeable bright spot in the FY 2023 data, it is the drastic reduction in the number of incidents falling within the Other/Unknown category, which historically has been among the top two most reported categories. The number of Other/Unknown reported incidents dropped from 11,144 in FY 2022 to 5,687 in FY 2023, a nearly 50% reduction year-to-year. The drop in this category, combined with the relative increase in several other categories, suggests agencies have improved their effectiveness in detecting and classifying cyber incidents, which is good news indeed.

Only two other categories saw a year-to-year improvement, i.e., decreasing instances and relative proportion: Impersonation/Spoofing and Multiple Attack Vectors, each accounting for well under 1% of FY 2023 reported incidents. The remaining four categories (Web, Loss or Theft of Equipment, Attrition and External/Removable Media) saw year-to-year increases between 47% and 482%, likely related to improved agency classification capabilities. The chart below presents the year-to-year changes both in raw numbers and in percentage change.

Final Thoughts

OMB’s latest FISMA report provides “a mixed bag” of good news and bad news. The reduction in incidents placed in the Other/Unknown category is a positive sign that agencies have improved their ability to detect and categorize cybersecurity attacks. The fact that the vast majority of incidents are classified as “minor” is also positive, even with the overall increase in total reported incidents.

On the downside, the 17% increase in Improper Usage incidents indicates that while agencies can effectively detect such cybersecurity violations, many lack the automated enforcement or prevention capabilities to stop them. Further, the increase in Web, Equipment Loss and Attrition incidents points to the persistent challenges agencies are facing. This reality may present potential opportunities to obtain solutions from industry . . . if agencies will pursue them.