During Fiscal Year 2014, US-CERT processed 67,196 cybersecurity incidents reported by CFO Act government agencies, up from the 57,971 incidents reported by CFO Act agencies in FY 2013.
US-CERT receives computer security incident reports from the federal government, state and local governments, commercial enterprises, US citizens and international Computer Security Incident Response Teams (CSIRTs).
“Although the rise in incidents warrants attention, it represents both an increase in total information security events as well as enhanced capabilities to identify, detect, manage, recover and respond to these incidents,” stated the Office of Management and Budget’s (OMB) annual report to Congress on compliance with the Federal Information Security Management Act (FISMA).
“According to data reported to US-CERT … phishing and malicious code continue to present threats to both the federal government and public at large,” the OMB report said, adding that, “These increasingly sophisticated attacks take advantage of flaws in software code or use exploits that can circumvent signature-based tools that commonly identify and prevent known threats. Far too often, adversaries are able to employ social engineering techniques designed to trick the unsuspecting user to open a malicious link or attachment thereby giving the attacker direct access to Federal information and information systems.”
“We have seen notable progress by federal agencies, but there is work to be done,” the OMB audit report stated, pointing out that, “Fiscal Year 2014, in particular, was a pivotal year for federal cybersecurity, marked by sophisticated threat activity and vulnerabilities. Federal agencies reported nearly 70,000 information security incidents in FY 2014, up 15 percent from FY 2013. Strong authentication remains a key challenge. Although overall strong authentication implementation reached 72 percent in FY 2014, this number is partially buoyed by the size and strong performance of the Department of Defense (DOD). When removing DOD from the calculation, only 41 percent of civilian CFO Act agencies implemented the use of strong authentication for network access in FY 2014.”
Nevertheless, OMB reported, “agencies are demonstrating a commitment (and even significant progress) to improving in this area. The Department of Commerce saw a dramatic increase in the use of strong authentication from 30 percent to 88 percent as compared to FY 2013, while the Environmental Protection Agency jumped from 0 percent to 69 percent.”
OMB assured that it’s “already taking steps to ensure every CFO Act agency implements administration priorities to advance the overall state of cybersecurity. For example, last fall OMB issued guidance establishing a new process for DHS to conduct regular and proactive scans of federal civilian agency networks to enable faster and more comprehensive responses to major cybersecurity vulnerabilities and incidents. We will be able to gauge the progress of this measure in the annual FY 2015 FISMA report.”
Continuing, the OMB report stated that, “At 16,923 incidents (25 percent of reported incidents) in FY 2014, non-cyber, a category which includes the mishandling of sensitive information without a cybersecurity component, such as the loss of hard copy Personal Identity Information (PII) records, was the most frequently reported incident type by CFO Act agencies. The second most reported category was ‘other,’ which includes incidents such as scans, probes and attempted access, incidents under investigation and incidents categorized as miscellaneous categories such as General Public or Joint Indicator Bulletin. The Other category represented 14,530, or 22 percent of reported incidents. The third most reported category was ‘policy violations,’ which represented 11,614 reported incidents, or 17 percent of total incidents reported.
During FY 2014, US-CERT also processed 2,655 incidents reported by non-CFO Act agencies. At 561 incidents (21 percent of reported incidents), suspicious network activity, which is primarily comprised of incident reports and notifications created from EINSTEIN data, was the largest category of incidents reported by non-CFO Act agencies in FY 2014,” the report said, noting that, “Equipment, all incidents involving lost, stolen or confiscated equipment, including mobile devices, laptops, backup disks or removable media, was the next most frequently reported incident in FY 2014 with 492 reported incidents, or 19 percent of total incidents. The third most frequently reported incident type was policy violations, which includes the mishandling of data storage and transmission, with 488 reported incidents, or 18 percent of total incidents.”
EINSTEIN is the National Cybersecurity Protection System, the goal of which is “to provide the federal government with an early warning system, improved situational awareness of intrusion threats to federal executive branch civilian networks, near real-time identification of malicious cyber activity and prevention of that malicious cyber activity. Following widespread deployment of EINSTEIN 2, a passive intrusion detection system that issues alerts when threats are detected, DHS has begun deploying EINSTEIN 3 Accelerated (E3A), which will provide agencies an intrusion prevention capability with the ability to block and disable attempted intrusions before harm is done. By contracting with major Internet Service Providers, the initial deployment of E3A is focused on countermeasures that will address approximately 85 percent of the cybersecurity threats affecting the federal civilian networks,” OMB said.
To date, DHS’s Office of Cybersecurity and Communications has deployed E3A at 7 departments and agencies. During the balance of FY 2015, DHS “will continue this progress and build on experiences gained in FY 2014 to maintain positive momentum in providing advanced intrusion detection capabilities for government systems.”
The Department of Homeland Security (DHS) is the operational lead for federal civilian cybersecurity, and as such, executes a number of protection programs on behalf of the government. The National Institute of Standards and Technology issues and updates security standards and guidelines for information systems utilized by federal agencies, while OMB, in partnership with the National Security Council (NSC) staff and DHS, oversees the successful implementation of agency-specific and government-wide cybersecurity programs.
“Recognizing the continued risk cybersecurity incidents pose to federal information and information systems, OMB, in coordination with NSC staff and DHS, developed the Cybersecurity CAP goal for FY 2012 to FY 2014, which can be viewed on www.Performance.gov,” OMB said. “The Cybersecurity CAP represents the basic building blocks of a strong cybersecurity program.”
Notably, OMB’s FY 2014 FISMA compliance report disclosed that, “Agencies which have the weakest authentication profile allow the majority of unprivileged users to log on with user ID and password alone, which makes unauthorized network access more likely as passwords are much easier to steal through either malicious software or social engineering.”
Sixteen agencies fall into this category, including the Departments of State, Justice, Treasury, Energy and Transportation, the Nuclear Regulatory Agency (NRC) and NASA.
“While the substantial number of unprivileged user accounts, of which there are 5,325,374 government-wide, that are able to log on to federal networks with only a user ID and password is concerning,” the report stated, adding that “a potentially more serious issue is the number of privileged network accounts that are able to log on with only a user ID and password. Privileged user accounts, of which there are 134,287 across the federal government, possess elevated levels of access to or control of federal systems and information, significantly increasing the risk to government resources if their credentials are compromised.”
Eighteen “agencies do not require a majority of their privileged network users to log on using two-factor PIV authentication,” including the Departments of Homeland Security, State, Treasury, Justice, Energy and Transportation, the NRC and NASA.
“The majority of CFO Act agencies have programs in each of the 11 cybersecurity areas” while 20 “or more agencies have programs in place for incident response and reporting, remote access and/or security training. Programs not in place were more prevalent in the areas of configuration management, identity and access management and risk management, with up to eight agencies not having one or more of these programs.”
DHS is among them, according to its Inspector General’s report on compliance with FISMA requirements for intelligence systems, which reported that, “We identified deficiencies in [the Office of] Intelligence & Analysis’s configuration management and US Coast Guard’s continuous monitoring, configuration management, risk management, security training and contingency planning.”
“Now more than ever, the federal government needs to fully implement meaningful security programs that can withstand the serious cyber challenges our nation faces today and will face for the foreseeable future,” responded Tom Carper (D-Del.), ranking member of the Senate Committee on Homeland Security and Governmental Affairs.
“Although some agencies are making significant progress, this report underscores the troubling reality that cyber attacks and intrusions continue to occur at an increasing rate, and agencies need to be better prepared … this report makes it clear that we cannot rest on our laurels. I look forward to learning more about federal agencies’ updated FISMA implementation in the coming weeks. I also look forward to continue working closely with my colleagues … on ways for Congress to help agencies address the very serious cyber threats facing our nation.”
Editor’s note: In the original report, we inadvertently used FISA as the acronym for the Federal Information Security Management Act, rather than FISMA. We apologize for any inconvenience.