Federal agencies fended off more than 77,000 attacks on government networks last year, 10 percent more than encountered in 2014, according to a new report from the Office of Management and Budget.
The annual Federal Information Security Modernization Act (FISMA) report analyzed the government’s cybersecurity posture between Oct. 1, 2014, and Sept. 30, 2015, breaking down the number of incidents by category, measuring the progress of new initiatives and offering suggestions to boost information security.
The relatively small uptick in the number of incidents — compared with a 15 percent increase from 2013 to 2014 — shows the cybersecurity threat continues to grow, even as agencies put new tools in place to detect, block and mitigate malicious traffic.
“The increasing number and impact of these incidents demonstrate that continuously confronting cyber threats must remain a strategic priority,” the report states.
A breakdown of incidents by category shows the most identified threat vector — other than “other” — has nothing to do with technology. “Non-cyber” incidents accounted for 12,217 incidents last year, in which personally identifiable information was leaked through “hard copies or printed material as opposed to digital records.”
The next two categories at the top of the list were “policy violation” — in which data was transferred without being properly secured — at 10,408 and “equipment” — where a device or removable media was lost or stolen — at 9,502.
“Malicious code” came in at third, with 7,466 reported incidents.
The FISMA audit notes the increased threat due to phishing attacks, which are underrepresented in the reported data. While phishing is the “primary method for exploiting federal systems and data,” US-CERT categorizes incidents based on how the actual threat affected the system, not the method used to deploy that threat.
Most departments are meeting OMB-established goals for anti-phishing defense, though 10 agencies fell below the goal of 90 percent coverage on at least five of seven metrics. Low scores from EPA (zero percent), SBA (zero percent) and NASA (8 percent) brought the governmentwide average to 74 percent.
Inspectors general from across the government told OMB that agencies need to do better, specifically in the areas of configuration management, identity and access management and risk management.
“To address this challenge, the federal government must take action to combat increasingly sophisticated and persistent threats posed by malicious actors,” the auditors said.
The report notes some of the new initiatives from the last year meant to boost cybersecurity, including OMB’s increased roll in working with agencies to ensure a base level of security and the 30-day sprint to improve strong authentication in the wake of the OPM breach.
Auditors also pointed to the administration’s new Cybersecurity National Action Plan (CNAP), announced with the president’s 2017 budget proposal.
However, “Despite unprecedented improvements in securing federal information resources during FY 2015, malicious actors continue to gain unauthorized access to and compromise federal networks, information systems and data,” the report states.