The federal government spent more than 75 percent of the total budgeted amount for IT for fiscal year 2015 on operations and maintenance investments. The problem? These legacy IT investments are becoming increasingly obsolete. Many departments and agencies rely on outdated software and hardware that is now unsupported by the vendor, which leaves government systems vulnerable to cyberattacks.
To understand how agencies can protect their networks while modernizing, GovLoop sat down with Clark Campbell, Vice President of Public Sector at BDNA, an enterprise technology software company.
“Typically with our customers, more than 50 percent of the hardware and software on their networks has reached end-of-life status, which is a hacker’s paradise,” Campbell said. “For example, one of our customers recently found a version of McAfee antivirus that came to end-of-life in 1999. Another one of our customers found Yahoo Instant Messenger Version 1.0 on their network. If hackers can get access through any outdated system, they have access to the entire network.”
He praised U.S. CIO Tony Scott’s proposed $3.1 billion IT Modernization Fund that is dedicated to updating some of these critical network flaws, but said more needs to be done.
Campbell said the first step in correcting the vulnerabilities that legacy systems create is to bring more visibility to the problem. “No one government organization has enough budget on an annual basis to fix this massive problem of outdated systems,” he said. “However, if you establish visibility, you can prioritize the mission-critical systems that might have personally identifiable information (PII). Those are the systems that need to be updated first.”
To create an environment of visibility, agencies need to audit their current infrastructure. Campbell stressed that you cannot have basic cybersecurity if you don’t know what is on your networks. “It might sound surprising, but that basic visibility is something that many federal Chief Information Security Officers are still struggling with,” he said.
BDNA helps agencies achieve unrivaled visibility into their IT networks by aggregating IT asset data from existing infrastructure, continuous diagnostics and mitigation (CDM) and security tools, deduping and normalizing it into a single database, and then enriching it with market intelligence from its comprehensive Technopedia® catalog. It then analyzes that database to alert IT managers about which of their hardware and software assets are end-of-life, nearing end-of-life, approved and unapproved, and out of configuration.
“Every agency has a list of approved and not approved systems, but what they’re often not aware of is the third bucket,” Campbell said. “That third bucket is full of the assets that you have deployed in your enterprise that are not on either list yet.”
That increased awareness allows agencies to be proactive about their security needs, but it also allows them to leverage their data more effectively. “There is no lack of data in the federal government, but agencies need to normalize and standardize that data in order to turn it into actionable information,” Campbell said. “Unless you have actionable information, you’re still guessing as to where you need to prioritize your constrained budget dollars.”
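The workflow described above (dedupe and normalize asset records, enrich them with lifecycle dates, then sort them into approved, unapproved and "third bucket" assets) can be sketched as follows. This is an added example, not BDNA's code or part of the original article; the hosts, products, dates, catalog and ranking rule are all constructed assumptions.

```python
from datetime import date
# Constructed sample data: hosts, products and dates are invented for illustration.
RAW = [  # records as two discovery tools might report them
    {"host": "HR-DB01", "product": "ExampleDB Server ", "version": "9.2", "pii": True},
    {"host": "hr-db01", "product": "exampledb  server", "version": "9.2", "pii": False},
    {"host": "ws-114", "product": "ExampleChat", "version": "1.0", "pii": False},
    {"host": "web-02", "product": "ExampleHTTPd", "version": "2.4", "pii": False},
    {"host": "ws-114", "product": "ExampleAV", "version": "4.0", "pii": False},
    {"host": "ws-200", "product": "ExampleTorrent", "version": "3.1", "pii": False},
]
CATALOG = {  # hypothetical lifecycle catalog: (product, version) -> end-of-life date
    ("exampledb server", "9.2"): date(2015, 6, 30),
    ("examplechat", "1.0"): date(2012, 1, 1),
    ("examplehttpd", "2.4"): date(2017, 9, 30),
    ("exampleav", "4.0"): date(2020, 12, 31),
}
APPROVED = {"exampledb server", "examplehttpd", "exampleav"}
UNAPPROVED = {"exampletorrent"}
RANK = {"end-of-life": 0, "nearing-eol": 1, "unknown": 2, "supported": 3}

def build_inventory(raw):
    """Normalize case and whitespace, then dedupe on (host, product, version)."""
    inventory = {}
    for rec in raw:
        key = (rec["host"].strip().lower(), " ".join(rec["product"].lower().split()),
               rec["version"].strip())
        # If any source tags the asset as holding PII, keep that tag.
        inventory[key] = inventory.get(key, False) or rec["pii"]
    return inventory

def classify(inventory, today, warn_days=365):
    """Attach lifecycle status and policy bucket, ordered by remediation priority."""
    findings = []
    for (host, product, version), pii in inventory.items():
        eol = CATALOG.get((product, version))
        if eol is None:
            lifecycle = "unknown"  # not in the catalog: cannot be assessed yet
        elif eol <= today:
            lifecycle = "end-of-life"
        elif (eol - today).days <= warn_days:
            lifecycle = "nearing-eol"
        else:
            lifecycle = "supported"
        policy = ("approved" if product in APPROVED
                  else "unapproved" if product in UNAPPROVED else "unlisted")
        findings.append({"host": host, "product": product, "version": version,
                         "pii": pii, "lifecycle": lifecycle, "policy": policy})
    # End-of-life first; within a lifecycle class, PII-bearing systems first.
    return sorted(findings, key=lambda f: (RANK[f["lifecycle"]], not f["pii"], f["host"]))
```

Calling classify(build_inventory(RAW), today=date(2017, 1, 1)) puts the end-of-life database holding PII at the top of the list and reports the chat client as "unlisted", the third bucket that appears on neither policy list.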
Governments are starting to get on board with the visibility mindset, particularly the Department of Energy. In 2014, the DOE reported publicly that it was hacked via an obsolete version of software. That software held PII for 53,000 current and former DOE employees. To mitigate the impact of that breach, the department now pays $4 million a year in credit monitoring services.
To avoid a similar scenario in the future, DOE turned to BDNA’s enterprise architecture roadmap solution. The solution helps identify IT assets nearing end-of-life, so that aging servers and unsupported software don’t become vulnerabilities.
However, visibility is only the first step. Campbell said he would like to see agencies, in 2017, leverage their existing investments in CDM tools and dashboards by making that data actionable.
It’s time to make an investment in visibility so that agencies can move forward effectively.