Federal cybersecurity incidents increased more than 1,000 percent since 2006
Cybersecurity incidents in the federal government have skyrocketed by more than 1,000 percent in recent years, according to a report from the Government Accountability Office.
The report — submitted as testimony by Greg Wilshusen, director of information security issues at GAO, in a recent congressional hearing — shows that in fiscal year 2014, federal agencies experienced 67,168 cybersecurity incidents involving personally identifiable information. The number of incidents has increased every year since fiscal year 2006, when that number was just 5,503. That’s an upsurge of 1,121 percent in just nine years.
Wilshusen’s testimony and research came as the result of a House Committee on Science, Space and Technology’s Subcommittee on Research and Technology probe into two Office of Personnel Management breaches that have put the personal information of 22.1 million federal employees and others connected to them in background security clearance investigations at risk. The subcommittee was eager to learn whether the two headline attacks could be the tip of a cyber-incident iceberg.
Though the two OPM hacks are perhaps the largest ever to affect the federal government, the number of incidents in 2014 show they were just a blip on the radar by total volume.
The GAO report shows that many other large federal agencies could be at risk, as 19 of the 24 covered by the Chief Financial Officers Act “reported that information security control deficiencies were either a material weakness or a significant deficiency in internal controls over their financial reporting,” it says.
Wilshusen points to three federal initiatives — personal identification verification (PIV) technology, continuous diagnostics and mitigation controls, and the National Cybersecurity Protection System at the Department of Homeland Security, better known as Einstein — that agencies can enlist to boost their cyber readiness for attacks and detect any vulnerabilities.
But as Wilshusen wrote in the report, “no single technology or set of practices is sufficient to protect against all these threats. A ‘defense in depth’ strategy is required that includes well-trained personnel, effective and consistently applied processes, and appropriately implemented technologies,” and “more needs to be done to fully implement it and to address existing weaknesses.”