In a report filed with Congress last week, the White House says the number of cyber-security incidents recorded at US federal agencies in 2019 went down by 8%.
The report was compiled by the White House’s Office of Management and Budget (OMB) and included data about security incidents that took place at tens of government agencies..
Federal agencies have to report cyber-security incidents to the OMB based on public financing rules put in place by the Federal Information Security Modernization Act (FISMA) of 2002.
US government security incidents down by 8%
According to this year’s FISMA report [PDF], US federal agencies said they suffered 28,581 cyber-security incidents in 2019, a number that went down by 8% from 31,107 incidents reported in 2018.
The reduction in cyber-security incidents came after US federal agencies saw fewer incidents stemming from successful phishing attacks, website/web app compromises, and loss of devices — three major categories that accounted for a large amount of all incidents reported each year.
On the other hand, US federal agencies saw a rise in brute-force attacks, attacks executed with removable media (USB devices, external hard drives), and incidents caused by the improper use of a federal agency service or device.
The White House said that the vast majority of incidents did not involve user data, and did not need to be publicly disclosed.
All last year, in only three incidents, user data was involved and required public disclosure of the incident, the report said. The three incidents included:
- January 2019 – The Federal Emergency Management Agency (FEMA) accidentally shared the personal data of roughly 895,000 disaster survivors with a third-party Texas volunteer organization.
- June 2019 – A ransomware attack impacted a license plate reader contractor utilized by the US Customs and Border Protection (CBP) agency, with attackers exfiltrating license plate images and facial images of drivers in their cars.
- December 2019 – FEMA’s National Emergency Management Information System Information Assurance (NEMIS-IA) system shared data about disaster victims in need of temporary shelter with a third-party contractor. The data included personal information for an estimated 2.5 million hurricane survivors.
Audits reveal phishing exposure, bad patching
The FISMA 2019 report also included the results of 71 security audits of High-Value Assets (HVAs) — critical systems employed by various federal agencies.
The HVA assessments consisted of 204 System Architecture Review findings and 244 Risk and Vulnerability Assessment (RVA) findings.
“These assessments revealed that the Federal Government continues to face challenges mitigating basic security vulnerabilities,” the report said.
These “basic security vulnerabilities” included the likes of (1) agencies being vulnerable to basic spear-phishing attacks, (2) poor patch management, (3) reuse of admin passwords, (4) insecure defaults, and (5) policies that allowed weak passwords to be in use.
However, all in all, the White House concluded positively that US federal agencies improved their cyber-security posture and practices last year.
The report cited maturing Security Operations Centers (SOCs) and increased budgeting as some of the primary reasons.
According to the FISMA 2019 report, US federal agencies received almost $17 billion in cyber-security budgets, with most of the funds going to the Department of Defense (DOD) and the Department of Homeland Security (DHS).