OMB Cybersecurity Metrics Show Agencies Struggle to Report Effectively

Cybersecurity has been an increasing federal priority for more than two decades, spanning multiple administrations’ national security policy and federal IT modernization agenda. The Office of Management and Budget (OMB), the Cybersecurity and Infrastructure Security Agency (CISA) and individual federal agencies have made various efforts to protect federal IT systems and improve their security processes under persistent pressure from adapting security threats. OMB’s latest Fiscal Year 2020 Federal Information Security Modernization Act of 2014 (FISMA) Annual Report to Congress reflects the continued challenge agencies face in both the variety of threats and their internal processes for classifying and reporting these incidents.

Reported Federal Cyber Incidents

According to the latest OMB FISMA release, agencies reported 30,819 cybersecurity incidents to the U.S. Computer Emergency Readiness Team (US-CERT) in FY 2020 – up 2,238 (+8%) compared to the 28,581 reported in FY 2019, but down slightly from the 31,107 reported in FY 2018. The FY 2020 reported incident rate is just about on par with FY 2016, underscoring the persistent threat. (See chart below.)

Consistent Attack Vector Metrics for FY 2020

While OMB has swapped out over the years a couple of the smaller Attack Vectors that agencies were to report as part of their FISMA submissions, the current list has been consistent since FY 2018. The US-CERT guidelines break down incidents into the following nine Attack Vectors as described:

• Attrition – Employs brute force methods to compromise, degrade, or destroy systems, networks, or services.
• E-mail/ Phishing – An attack executed via an email message or attachment.
• External/Removable Media – An attack executed from removable media or a peripheral device.
• Impersonation/Spoofing – An attack involving replacement of legitimate content/services with a malicious substitute.
• Improper Usage – Any incident resulting from violation of an organization’s acceptable usage policies by an authorized user, excluding the other categories.
• Loss or Theft of Equipment – The loss or theft of a computing device or media used by the organization.
• Web – An attack executed from a website or web-based application.
• Other / Unknown – An attack method does not fit into any other vector or the cause of attack is unidentified.
• Multiple Attack Vectors – An attack that uses two or more of the above vectors in combination.

For FY 2020 these incidents break out across the nine Attack Vectors as follows, with the largest number falling into the Improper Usage category. (See chart below.)

An alternative view of the FY 2020 cyber-incidents is to relate the relative frequency of each Attach Vector to the whole. (See chart below.)

Year-to-year changes from FY 2019 to FY 2020 in the frequency of the top Attack Vectors reveals the areas where agencies continue to experience some of the greatest challenges and where they have gained some ground.

Across the federal government agencies continue to struggle with Improper Usage violations by authorized users as the most frequently reported incident vector. While Improper Usage violations decreased by 5% from FY 2019 to FY 2020, this vector has consistently remained the most frequent vector each year since FY 2018. Given that Improper Usage incidents result from an authorized user’s violation of their organization’s acceptable usage policies (excluding actions captured by other incident categories) this area likely represents an area of opportunity for ongoing user training and education efforts at federal agencies.

E-mail/Phishing, at more than 4,200 incidents in FY 2020, has declined for the third straight year since FY 2017, likely due to a combination of greater awareness, user security training and agency efforts to improve email and web security. In contrast, reported Web-based incidents were up nearly 40% in FY 2020. At 2,753 incidents this vector accounts for 9% of all reported incidents in FY 2020. (See chart below.)

Other than the ongoing challenge of Improper Usage incidents, possibly the most concerning data point in this year’s report is the frequency and increase of the Other/Unknown attack vector, in which an attack method does not fit into any other vector or the cause of attack is unidentified. The Other/Unknown category accounted for 10,102 – or one-third – of the total incidents in FY 2020. This is a 40% increase from the 7,240 incidents reported for FY 2019 and is a major reverse of the trend we have seen for the Other/Unknown category, which had been steadily and significantly decreasing since FY 2016.

In their report OMB acknowledges the jump and promises to keep vigilant: “The prevalence of this attack vector suggests additional steps should be taken to ensure agencies appropriately categorize the vector of incidents during reporting. OMB and CISA will continue to work with agencies to improve the quality of incident reporting data to ensure the vectors of incidents are appropriately categorized.”

FISMA has been in place for nearly twenty years and was most recently been updated in 2014. While some significant progress has been achieved, the persistence of the threats and the evolution of technology sustains the need for agencies to adapt both their security processes and their reporting mechanisms. The recent White House Cybersecurity Executive Order has provisions to address standardizing federal cybersecurity vulnerability and incident response procedures, vulnerability and incident detection, and investigative and remediation capabilities. However, it is unclear if and how these and other new White House efforts may impact FISMA or spur Congress to update the law yet again.