Phishing-related cybersecurity incidents at federal agencies dropped by one-third in fiscal 2019, according to the Office of Management and Budget’s annual cybersecurity report to Congress.

The report, mandated by the Federal Information Security Modernization Act, found that email-related cybersecurity incidents among federal agencies dropped from 6,930 in last year’s report to 4,388 in FY19. Overall, the federal government saw an 8 percent decrease in cyber incidents, from about 31,100 in FY18 to 28,600 in FY19.

“This FISMA report reflects improvements in areas of focus under the President’s Management Agenda and Federal Agency elements of the National Cybersecurity Strategy,” reported Federal Chief Information Officer Suzette Kent. “It shows Agencies are making significant progress in managing risk and also highlights that focused efforts to secure government mobile devices have been especially important in today’s expanded telework environment.”

Though the decrease is good news for the federal government, spear-phishing continues to be the most significant vulnerability among federal agencies, the report said. Security reviews of agencies’ high-value assets completed by the Department of Homeland Security identified spear-phishing, patch management, administrator password reuse, insecure default configuration and weak password policy as the top five risks faced by federal agencies, in that order.

The report also said DHS conducted 71 security assessments of high-value assets in FY19, up from 61 in FY18. It found 448 cybersecurity issues, up from 356 the previous year.

“These assessments revealed that the Federal Government continues to face challenges mitigating basic security vulnerabilities,” the report said.

Several Cabinet-level agencies experienced significant reductions in incidents related to spear-phishing since the FY18 report. The State Department saw the largest reduction, dropping from 3,082 email incidents in FY18 to 1,043 in FY19. The Department of Health and Human Services saw a drop to 603 in FY19 from 885 in FY18, down significantly from 1,120 in FY17. Phishing incidents at the Commerce Department dropped by half, from 660 in FY18 to 330 in FY19.

Greg Touhill, the former first federal chief information security officer and current president of AppGate Federal, said the results are a positive sign, but warned that adversaries are pivoting to other areas of weakness to infiltrate federal networks.

“They’re just picking other targets,” Touhill said. “They’re phishing at home. They’re phishing on social media. They’re phishing against our weak underbelly with our contracts and our supply chains.”

The Department of Education reported zero phishing incidents — the only Cabinet agency to do so. In the CIO self-assessment, the department wrote that it has employed “increasingly complex phishing scenarios” and improved its spam filtering and anti-phishing policies through its email provider.

The Commerce Department cited an investment in an anti-phishing training tool as one of the CIO office’s main accomplishments in FY19. Overall, federal agencies spent $16.9 billion on cybersecurity in FY19.

The Small Business Administration reported a drastic increase in phishing incidents, with reported incidents rising from 135 in FY18 to 1,100 in FY19. SBA’s section of the report didn’t give any explanation for the rise in incidents. A spokesperson for SBA did not return a request for comment.

Andrew Eversden covered all things defense technology for C4ISRNET. Beforehand, he reported on federal IT and cybersecurity for Federal Times and Fifth Domain, and worked as a congressional reporting fellow for the Texas Tribune. He was also a Washington intern for the Durango Herald. Andrew is a graduate of American University.
