But OMB Report Says ‘High-Value Assets’ Need Better Protection
U.S. federal agencies reported 8% fewer cybersecurity incidents in 2019 compared to the previous year, according to a report to Congress by the White House’s Office of Management and Budget.
In 2019, government agencies reported more than 28,500 cybersecurity incidents, compared to more than 31,000 in 2018, according to the annual report mandated by the Federal Information Security Management Act of 2002, as updated by the Federal Information Security Modernization Act of 2014, better known as FISMA. Last year's report noted a 12% decline in incidents in 2018 compared to 2017 (see: Why Did Federal Agencies See Fewer Breaches in 2018?).
But the 71 security assessments of “high-value assets” summarized in the report – the federal systems whose compromise would do serious harm to an agency’s mission – showed that many of these systems remain susceptible to common attacks, such as spear phishing. The assessments also found recurring weaknesses in basic hygiene: poor patch management, password reuse across systems, insecure default configurations and weak password policies, according to the report.
The report also found that agencies could not identify an attack vector for close to 25% of all security incidents, meaning that for roughly one incident in four, the agency does not know how the attacker got in.
“The attack surface continues to expand as agencies are increasingly interconnected with the internet of things, and attack techniques are growing in sophistication,” Sean Finnegan, vice president for federal programs at Coalfire, tells ISMG. “It’s imperative the government and agencies are actively evaluating the sources and vectors.”
Why Are Incidents Dropping?
The recently released 2019 report cites several reasons for the drop in security incidents, including increased spending on cybersecurity by agencies and wider adoption of government-wide security programs such as Einstein, the intrusion detection and prevention system administered by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency.
“The decline in incidents is correlated with the continued maturation of agencies’ information security programs,” the 2019 FISMA report states.
Several other factors contributed to the decline in incidents.
For example, 72 agencies received the highest rating of “managing risk” in OMB’s risk management assessment in 2019, according to the report, up from 62 agencies in 2018 and only 33 in 2017. OMB says the improvement in ratings demonstrates that federal agencies are continuing to improve their security postures.
The report also notes that federal agencies got better at detecting and stopping attacks such as phishing and website and web application compromises, and that fewer government-issued devices were lost by employees.
Agencies spent nearly $17 billion on cybersecurity in 2019, the report notes, but two agencies accounted for most of that total: the Department of Homeland Security spent about $2.6 billion, and the Defense Department spent about $8.5 billion.
The reported decline in cybersecurity incidents “is positive for the stance of federal cybersecurity overall and multiple programs, like Einstein, having a potential positive impact on the threat landscape,” Chris Pierson, CEO of cybersecurity firm BlackCloak, tells Information Security Media Group.
Three Major Incidents
The OMB report describes three major security incidents in 2019 that affected federal agencies.
In December 2019, DHS found that the Federal Emergency Management Agency had continued sharing sensitive personally identifiable information of over 2.5 million hurricane survivors with a third-party contractor providing temporary shelter to victims, even after the contractor no longer needed the data, the report says (see: FEMA Exposed 2.3 Million Disaster Victims’ Private Data).
In another incident involving FEMA, Homeland Security found in January 2019 that personally identifiable information of about 895,000 disaster survivors had been shared with a third-party volunteer organization without authorization, according to the report.
And a ransomware attack on a contractor that made license plate readers used by U.S. Customs and Border Protection led to the theft of images of travelers and their license plates, reported in June 2019. The contractor had taken unauthorized copies of the images onto its own company network, so the images were exposed through a third party’s handling of the data rather than through a compromise of CBP systems (see: US Border License Plate and Traveler Photos Exposed).
Managing Editor Scott Ferguson contributed to this report.