White House Report Finds Cybersecurity Gaps at Federal Agencies
Report says 30,899 ‘cyber incidents’ reported to DHS in 2016
Sixteen major breaches included compromised personal data
Despite the U.S. government’s steps to tackle cybersecurity threats, hackers continue to target federal agencies, which experienced tens of thousands of incidents last year, according to a White House report.
On Friday, the Trump administration released the Office of Management and Budget’s annual report to Congress on federal cyber performance. Federal agencies weren’t immune to broader trends affecting the general public: in fiscal 2016 they reported to the Department of Homeland Security’s U.S. Computer Emergency Readiness Team 30,899 “cyber incidents” that led to the “compromise of information or system functionality,” the report disclosed.
“While Federal agencies continued to make progress in strengthening their cyber defenses” last year, “a significant amount of work remains to implement these controls and protect Federal networks and data,” Grant Schneider, the acting U.S. chief information security officer, wrote in a blog post about the report.
The incidents included thousands of email phishing attacks; “improper usage” that violates acceptable policies by an authorized user; loss or theft of a computing device or media; or an attack executed from a website or a web-based application, the report said.
Federal agencies had new reporting guidelines, in which they had to note the method of attack and to specify the impact on them. The Office of Management and Budget also measured their growth in adopting continuous monitoring of computers, servers, hardware and software of agency networks; multifactor authentication credentials; and anti-phishing and malware defense capabilities.
As the government increasingly relies on technology to create, collect, maintain and dispose of personal information, “federal agencies must continue taking steps to analyze and address privacy risks,” the report said.
Of the reported cyber incidents, 16 were “major” -- considered likely to result in harming national security, public confidence, civil liberties, foreign relations or the economy. That included 10 major breaches at the Federal Deposit Insurance Corporation, mostly from employees taking personal information or other sensitive information on removable media.
At the Treasury, there were two major incidents last year: an attacker attempting to generate personal identification numbers based on stolen taxpayer information, and a retiring employee who downloaded a large volume of files onto a pair of thumb drives.
The Department of Health and Human Services -- which reported more than 8,100 incidents last year -- has an ongoing investigation after it reported a major incident in the last week of the 2016 fiscal year, which ended Sept. 30, involving the potential compromise of personal details.
The report also offers individual assessments and incident reports on each federal agency.
Although the Defense Department has advanced in countering cyber threats, “the DoD continues to face significant challenges in increasing its overall cyber capabilities,” the report said, citing U.S. Cyber Command. The Pentagon saw 1,888 incidents last year, with hundreds of phishing, improper usage and loss or theft of equipment incidents.
Parts of the Department of Homeland Security operated 79 unclassified systems with expired authorizations.
“Components have not consolidated all internet traffic behind the Department’s trusted internet connections and have continued to use unsupported operating systems,” the report said of DHS. “At this time, the Department cannot ensure that its systems are adequately secured to protect the sensitive information stored and processed in them.”
Other agencies topping more than 1,000 reported incidents last year included the Departments of State, Justice, Agriculture and Veterans Affairs as well as the Social Security Administration and National Aeronautics and Space Administration, or NASA.
The State Department does not have “an effective organization-wide information security program,” the report said.