The White House’s Office of Management and Budget (OMB) stated that the federal agencies reported fewer cybersecurity incidents, representing an 8% decrease in 2019 compared to the previous year.
According to the annual report from the Federal Information Security Modernization Act (FISMA), released by the White House, government agencies in the U.S. reported 28,581 security incidents, compared to the 31,107 incidents reported in FY 2018.
The FISMA report also included the results of 71 security audits of High-Value Assets (HVAs), critical systems deployed in various federal agencies. It stated that several critical systems used at government entities remain susceptible to cyberthreats like spear-phishing attacks. It is also found that these systems have poor patch management, password reuse, insecure default configuration, and weak password policies.
Top Attacks Reported in 2019
Agencies had not identified an attack vector for close to 25% of all security incidents. “These assessments revealed that the Federal Government continues to face challenges mitigating basic security vulnerabilities,” the report said.
Major Security Incidents
According to the report, three major categories accounted for most of the incidents reported each year. The federal agencies witnessed a rise in brute-force attacks, security incidents executed with removable media (USB devices, external hard drives), and incidents caused by the improper use of a federal agency service or device. The three incidents include,
- In January 2019, the Federal Emergency Management Agency (FEMA) inadvertently shared personally identifiable information (PII) of around 895,000 disaster survivors with a third-party volunteer organization without authorization
- In June 2019, a ransomware attack impacted a license plate reader contractor used by the U.S. Customs and Border Protection (CBP) agency Attackers exfiltrated license plate images and facial images of drivers in their cars
- In December 2019, DHS found that the FEMA continued sharing sensitive information of over 2.5 million hurricane survivors with a third-party contractor providing temporary shelter to victims, even after it was no longer necessary
Experts stated that the U.S. federal agencies improved their cybersecurity practices last year. According to the report, the agencies received over $17 billion in cybersecurity budgets, with most of the funds going to the Department of Defense (DOD) and the Department of Homeland Security (DHS).