The number of attacks against federal networks increased nearly 40 percent last year, while the number of incidents targeting U.S. computers overall was down roughly 1 percent for the same period, according to a new White House report to Congress on federal computer security.
"Malicious code through multiple means," such as phishing and viruses, "continues to be the most widely used attack approach," Office of Management and Budget officials wrote. Phishing scams lure victims with fake e-mails apparently from legitimate organizations, such as banks, that instruct them to submit sensitive information, including passwords, on phony websites.
In fiscal 2010, federal agencies reported 41,776 cyber incidents vs. 30,000 attacks in 2009, the year the Conficker worm installed malicious software on millions of home, business and government computers.
To deal with the growing cyber threat, information technology managers are gradually changing the way they monitor security by installing scanners that automatically detect abnormalities in real time, according to the latest report on agencies' compliance with safeguards codified under the 2002 Federal Information Security Management Act. OMB submitted the annual report to Congress on Feb. 28 and published it online this month.
In the past, departments complied with the law by periodically certifying and accrediting key technology systems. Certification and accreditation involve conducting a series of audits and inventories to identify where government IT assets are located, as well as the security controls protecting those items. Now, 66 percent of information technology assets across major agencies are equipped with automated surveillance tools, according to the FISMA report.
But continuous monitoring for threats, which automated surveillance tools are supposed to facilitate, was one of the weakest execution areas that agency inspectors general highlighted in the report, along with oversight of contractor systems, management of security settings, training and account access.
The report also noted that most agencies are not using mandated smart card technology to control access to computer systems. Only two of the 24 major agencies require personnel to swipe electronic credentials to log on to most equipment. Starting Oct. 1, the White House will penalize agencies that fail to install electronic ID card readers on federal facilities and systems by denying funds for other projects. The 2004 Homeland Security Presidential Directive 12 stipulated federal employees and contractors must have ID badges containing digital fingerprints and photos to enter government buildings and networks.
Agencies did better with traditional certification and accreditation; reporting incidents to the proper authorities; and controlling remote access to federal networks, according to the IGs. The report also indicated general improvement in most privacy procedures.
In addition to transitioning to real-time surveillance this year, managers should be reporting on the results of their scans more frequently in 2011, according to OMB. As of January, agencies are required to electronically transmit monthly summaries of security metrics to "Cyberscope," a data collection application that analyzes the overall security posture of federal IT infrastructure.
"In fiscal 2011, the shift from the once-a-year FISMA reporting process to a monthly reporting of key metrics through Cyberscope will allow security practitioners to have more information than ever before to assist the protection of agency information and information systems," OMB officials wrote. "In the years to come, this reporting will require minimal human interaction and allow immediate remediation of many vulnerabilities."
Last year marked the first time agencies calculated detailed cost information on IT safeguards as part of their budget submissions, revealing that the most expensive component of computer security is people. Civilian agencies spent 74 percent of their IT security funding on personnel.
According to some outside estimates, however, the government has a shortage of 20,000 cyber experts.
Overall, about 16 percent of agencies' IT budgets went toward security, including staff, tools, testing and training. "Making the IT security workforce more productive, more capable and more collaborative offers one of the most significant cost-effective strategies in IT security spending," the report noted.