Agencies don't know where attacks are coming from


Federal agencies have a problem with attribution when it comes to cyber breaches, according to an upcoming White House report mandated under President Donald Trump's cybersecurity executive order.

"It was no surprise to us really in terms of the incident reporting framework … that most agencies didn't have a handle on where the threat was coming from," Joshua Moses, director of cybersecurity performance and risk management at the Office of Management and Budget, said at an Oct. 25 meeting of a federal advisory group. "Nearly a third of the incidents that were reported to Homeland Security last year did not have that associated attack vector, threat vector in the reporting."

There's no timetable for the release of the White House report, and some aspects of the study may be classified under the terms of the executive order. But its findings closely mirror what will be shown in the consolidated Federal Information Security Management Act compliance report due out from OMB in March 2018, Moses said in remarks for the Information Security and Privacy Advisory Board.

The information will be circulated inside the government over the next few months. It will drive plans to improve cybersecurity posture, inform hard decisions about which risks are justified given agency mission and budget, and ensure that agency efforts are aligned with the National Institute of Standards and Technology's cybersecurity framework.

"The point here isn't to say, let's provide more money to the lowest performers," Moses explained. "It's, let's make risk-based decisions on what we choose to operate and what we choose not to operate."

Board member Laura Delaney of DHS worried that the survey of agency cybersecurity risk is "a pretty difficult report." Her concern is that the report will rank and rate agency and component performance on cybersecurity risk, but that those rankings will be based on values that are hard to validate, and that those rankings will be lagging rather than leading indicators.

"You get lots of numbers…and the reality is all those numbers really don't mean a whole lot, especially when you're talking about risk," she said. "Usually in the time it takes to produce a report that is across dot-gov that goes up and out through an administration, you're usually [at least] a year behind where you were in the assessment of that risk."

The other downside to risk rankings is that agencies that have been named and shamed in a White House report may not be open to help, Delaney noted. While the White House will issue the rankings, it will be staff from DHS, the General Services Administration and the National Institute of Standards and Technology who will be tasked with helping problem agencies dig themselves out. She suggested that once the first two phases of the Continuous Diagnostics and Mitigation program are implemented governmentwide, OMB and other overseers will be able to observe trend data about how risk and risk acceptance are changing over time, rather than a snapshot based on past reporting.

"It's really difficult the day after a report like this comes out to walk into an agency and say 'really we want to help you,'" Delaney said. "You really change the dynamics of a discussion when you are also then reporting rather publicly on the risk posture of an agency."

About the Author

Adam Mazmanian is executive editor of FCW.

Before joining the editing team, Mazmanian was an FCW staff writer covering Congress, government-wide technology policy and the Department of Veterans Affairs. Prior to joining FCW, Mazmanian was technology correspondent for National Journal and served in a variety of editorial roles at B2B news service SmartBrief. Mazmanian has contributed reviews and articles to the Washington Post, the Washington City Paper, Newsday, New York Press, Architect Magazine and other publications.
