Classification Concerns Over FISMA Report on Improving Agency Cybersecurity
The Federal Information Security Modernization Act (FISMA) annual report to Congress for full year 2018 indicates considerable success in improving the cybersecurity of federal agencies.
The headline statistics indicate a 12% reduction in the occurrence of cybersecurity incidents from 35,277 in FY 2017 to 31,107 in FY 2018. “However,” adds the report (PDF), “FY 2018 marked the first year since the creation of the major incident designation that no incidents met the threshold.”
A ‘major incident’ is defined as any incident that is likely to result in demonstrable harm to the national security interests, foreign relations, or the economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people. It also applies, with the same criteria, to any breach involving the theft or alteration of PII belonging to more than 100,000 people.
This means that unless actual harm occurs, ‘likely to’ becomes a value judgment by those affected, which in turn means that major incidents could have occurred but haven’t been classified and reported as such. Would something most people might consider to be a major incident within one agency actually “result in demonstrable harm to the national security interests”?
Chris Roberts, chief security strategist at Attivo Networks, picks up on this classification concern. “So, there were no reported ‘major incidents’ in the reporting period,” he said to SecurityWeek. “Frankly, our detection is arguably not in a place where we can accurately state that. What are we defining as a major incident? Would that include airports going offline? Transportation being manipulated? Data being syphoned off on a daily basis? This, to me, would be considered critical and major. But, nope. Nobody turned the lights off on the Eastern seaboard… so I guess part of it depends what the definition of critical actually is.”
The weakness in this method of reporting is that it aggregates general statistics across all the agencies, but then defines major incidents in terms of individual agencies. “Zoom out and look at the harvesting of all of the elements,” continued Roberts, “and you quickly realize that the overall issue is that we’re still a sieve. Therefore, the bigger picture is that we’re still a mess and everyone else, including our adversaries, both foreign and domestic, have all the data.”
Similarly concerning is that FISMA reports the median maturity level of the agencies in the five NIST Cybersecurity Framework functions of identify, protect, detect, respond and recover as ‘consistently implemented’. While this sounds promising, it is only the third of five maturity levels. It does not include ‘managed and measurable’, or ‘optimized’. Without quantitative and qualitative measures on the effectiveness of policies, procedures and strategies, there has to be a question mark on the accuracy of incident reporting.
These concerns aside, FISMA is nevertheless reporting a reassuring reduction in the number of incidents across the majority of attack vectors. Email/phishing attacks are down from 7,328 in 2017 to 6,930 in 2018. Loss or theft of equipment is down from 4,395 to 2,552, and multiple vector attacks down from 601 to 92.
Sean Finnegan, VP federal services at Coalfire, notes this. “Federal agencies have embraced information security continuous monitoring (ISCM) and the continuous diagnostic and mitigation (CDM) program to improve their security posture,” he told SecurityWeek. “The programs serve to reduce threat, increase visibility across the government, improve responsiveness, and streamline reporting. The FY18 Federal Information Security Modernization Act (FISMA) report demonstrates the value in investing in these programs.”
But he still has some concerns over the message given out by these statistics. “It is unlikely there has been a reduction in the number of threat actors, and more probable that the sophistication of attacks has increased, resulting in a smaller volume with the same level of risk. This could be an indication that the government is improving defense of low-level attacks, and threat actors are adapting their tactics to be more focused. It could also be an indication that adversarial attention has changed to more specific targets, such as election systems.”