The White House Office of Management and Budget released fiscal 2016 statistics on cybersecurity measures and incidents at U.S. agencies Friday, using new methodologies that make comparison with prior years essentially impossible, but nonetheless saying the government had made progress.
For the first time, agencies were required to report only incidents that affected their operations, and to break those incidents down based on the attack vector used.
“This is a shift from the previous reporting methodology,” wrote Grant Schneider, the acting federal chief information security officer, in a blog post unveiling the findings. He added that the shift meant “that the FY 2016 incident data is not comparable to prior years’ incident data.” But he stressed that the new reporting requirement allows OMB, the Department of Homeland Security and other agencies “to focus on incidents that may impact operations.”
Of the 30,899 incidents that agencies reported, only 16 were determined by agency heads to be “major information security incidents” — a designation that triggers mandatory steps for agencies, including reporting on the breach to Congress.
The largest category of incidents — 11,802, or more than a third of all those reported — was “other,” meaning the attack type was unidentified or didn’t fit into any other category. The next largest, with 5,690 incidents or almost 1 in 5, was loss or theft of computer equipment. The largest category of actual attacks came next: 4,868 incidents reported as web-based or web-application-based attacks. The smallest category was impersonation/spoofing, with just 64 incidents.
The report says it “highlights agencies’ performance improvements” across several key cybersecurity goals and metrics, including:
- Continuous monitoring capabilities — providing situational awareness of the computer hardware and software on the agency’s network, and of how endpoints are configured. To qualify as achieving this goal, each of the 89 agencies covered in the report must have at least 95 percent of its assets in each category under monitoring. The number of agencies qualifying in some categories more than doubled since fiscal 2015.
- Multi-factor authentication — requiring the use of a special federally issued smartcard, known as a Personal Identity Verification or PIV card, when logging on. To qualify as achieving this goal, agencies must require PIV for 100 percent of their privileged users and 85 percent of their non-privileged users. The number of agencies meeting the threshold grew from 27 (for the privileged-user requirement) and 24 (for the non-privileged-user requirement) to 40 in each category.
- Anti-phishing and malware defense capabilities — reducing the risk of being hacked through email and malicious or compromised web sites. To qualify as achieving this goal, agencies have to have implemented a certain number of capabilities across 90 percent of their infrastructure. The number of agencies qualifying more than doubled.
The 2002 Federal Information Security Management Act and its successor, the 2014 Federal Information Security Modernization Act, collectively known as FISMA, require the publication of agency cybersecurity statistics and direct OMB to collect the data needed to produce them.