Why Did Federal Agencies See Fewer Breaches in 2018?
White House Report: No 'Major' Breaches Reported; Incidents Down 12 Percent
In 2018, federal agencies did not sustain a "major" data breach that affected more than 100,000 individuals or caused "demonstrable harm" to the government, national security, foreign relations or the economy, according to a new White House report. And the total number of incidents declined 12 percent.
The report notes, however, that federal agencies remain susceptible to cyberattacks and more risk mitigation work is needed. "The federal government must continue to act to reduce the impact that cybersecurity incidents have on the federal enterprises," the report states.
Meanwhile, some security experts warn that attackers may have shifted to target local and state agencies and government contractors, rather than federal agencies.
OMB Report’s Findings
The report prepared by the U.S. Office of Budget and Management, which was released by the White House this week, found that federal agencies experienced 31,000 “cyber incidents” in 2018, a 12 percent decline from 2017. Federal agencies sustained five “major” data breaches in 2017, according to the report.
OMB prepares an annual cyber incident report on behalf of Congress, as required by the 2014 Federal Information Security Modernization Act.
In 2018, the federal government spent nearly $15 billion on cybersecurity, with agencies such as the U.S. Defense Department ($8 billion) and the Department of Homeland Security ($1 billion) spending the most, the report shows. That spending total, however, does not include classified cybersecurity spending within agencies such as the CIA and the National Security Agency.
The report notes that all agencies have started to increase their cyber awareness and have adopted new tools, such as frameworks to increase the use of threat intelligence and to help prioritize where money is spent on specific cybersecurity initiatives.
More federal agencies also are taking advantage of the National Cybersecurity Protection System, which includes the U.S. government's intrusion detection and prevention program known as Einstein, according to the report.
While that might help explain some of the decrease in cyber incidents at federal agencies last year, another factor could be that attackers have started to focus their attention on other targets, says Terence Jackson, CISO of the security firm Thycotic Software.
"One reason for the drop is due to attackers focusing on local and state agencies, which have been an easier target to infiltrate," Jackson tells Information Security Media Group. "There have also been successful attacks leveraged against government contractors. The malicious actors are targeting the weaker links in the supply chain."
In the most recent development, some 22 units of local government in Texas recently fell victim to a coordinated ransomware attack (see: Texas Says 22 Local Government Agencies Hit by Ransomware).
Gee Yoo, the CEO of threat intelligence firm Resecurity, agrees that ransomware is an increasing threat to governments at all levels, with these types of attacks gaining in sophistication and the amount of damage that they can cause.
"We are seeing growth in ransomware attacks on government sectors, some of them include previously unknown attack vectors and zero-day vulnerabilities in supply chain or system or application components," Yoo says.
Federal agencies have been investing in continuous monitoring as well as continuous diagnostic and mitigation programs to help mitigate cyber risks, says Sean Finnegan, vice president of federal services at cyber risk management firm Coalfire.
But Finnegan warns that attackers could switch methods and use more targeted and stealthier campaigns. He also notes that voting systems remain a tempting target.
"The attack tactics, techniques and procedures are evolving; it is always possible we could see significant exploit events soon," he says. "Federal agencies must remain focused on proactive measures while both government and the industry identify innovative and cost-effective methods to thwart attacks."
Phishing Remains a Concern
The Office of Budget and Management report found that federal agencies continue to be targeted by phishing attacks as well as social engineering schemes. Over 6,900 cyber incidents in 2018 involved phishing, the report notes, calling for the use of better training and technology to mitigate that risk.
"By implementing specific security standards that have been widely adopted in industry, DHS [Department of Homeland Security] determined that the federal enterprise as a whole could enhance the integrity and confidentiality of internet-delivered data, minimize spam, and better protect users who might otherwise fall victim to phishing emails seemingly from government-owned system," the report states.
In addition to phishing attacks, the report notes that unauthorized access to government IT systems by employees is another concern, with over 9,600 incidents in 2018.
(Managing Editor Scott Ferguson contributed to this report.)