Agencies Faced More Than 35,000 Cyber Incidents in 2017, Watchdog Says
But they’re procrastinating on adopting security tools and strategies.
Federal agencies reported more than 35,000 cyber incidents to the Homeland Security Department last year, according to a congressional watchdog.
That figure marks a 14 percent increase in cyber incidents from 2016, but it’s still a significant improvement from 2015, when the government faced more than 77,000 digital threats.
Roughly one in five incidents last year involved violations of agencies’ online use policies, while email and phishing attacks made up another 21 percent, the Government Accountability Office said in a report published Tuesday. Web-based attacks and misplaced equipment accounted for about 23 percent of incidents, and nearly one-third of attacks didn’t fall neatly within any major category.
And while cyber threats remain a persistent problem for federal agencies, investigators found many have yet to adopt government standards and strategies meant to bolster digital security.
Only six of the 23 CFO Act agencies have put in place effective information security strategies, and inspectors general at 17 agencies found security shortcomings in their organization’s financial reporting process, the report said. Only six agencies reported meeting all nine of the White House’s cross-agency priority goals for cybersecurity, and the Office of Management and Budget found only 13 agencies were managing their overall cyber risk.
Seven agencies earned negative marks on four indicators of cyber hygiene: the departments of Agriculture, Commerce, Health and Human Services, State and Veterans Affairs, NASA and the Small Business Administration.
“Until agencies more effectively implement the government’s approach and strategy, federal systems will remain at risk,” investigators wrote.
The two organizations primarily responsible for strengthening the government’s cyber posture also have some room for improvement, according to the report.
Homeland Security is mandated by Congress to help agencies adopt the National Cybersecurity Protection System, a suite of tools that detect and prevent cyber threats. However, GAO found the system is limited in the types of network traffic it can analyze for malicious activity, and while all agencies have rolled out the system to some degree, many don’t use it across their entire network.
Furthermore, nearly every agency told GAO they would like more guidance and training programs from Homeland Security on how to effectively use the system and implement the agency’s Continuous Diagnostics and Mitigation program. None of the agencies have fully implemented the program, the report said.
OMB is also responsible for ensuring organizations adopt the cyber capabilities that are available to them, but investigators said it hasn’t fully reported agencies’ efforts to Congress, as required by law. The office is also late finalizing its Trusted Internet Connection policy, which will offer broad guidance on securing government networks.
A draft of the policy, which was initially scheduled to be completed by October, was released for public comment on Friday.