This blog is an excerpt from GovLoop's recent industry perspective, Cybersecurity Risk: The Driver for IT Modernization. Download the full perspective here.
Hardware and software developers are building on decades of experience to support new capabilities, provide smart infrastructures and leverage the Internet of Things for the secure creation, collection, delivery and use of data on large scales and at high speeds.
But both the public and private sectors have invested billions of dollars over the past 40 years in platforms to support services and processes that have become mission-critical. While new features and equipment are being added, the old ones do not disappear. While e-mail and web applications are no longer considered cutting edge, they are relied on every day. The availability of these applications and of the networks that support them remains critical to the way we conduct business today.
The legacy infrastructure supporting these functions has often been resilient. And to its credit, it often demands little attention.
“While many of these devices are still operating functionally,” Anthony Grieco, Senior Director of Cisco's Security and Trust organization, said, “people tend to take them for granted, even as our needs and dependence on them increases, and there is a level of complacency.”
But with this complacency comes risk. As equipment becomes outdated and reaches its end of supported life, it becomes less efficient, less productive and less secure. Outdated infrastructure does not support modern applications and innovation, and it does not have the resiliency needed to survive today’s threat environment. Modern cybersecurity is about risk management, which requires eliminating and mitigating risks where possible, and knowingly accepting those that remain. But you can’t manage risks that you don’t see.
“Public sector organizations don’t realize the risk associated with leaving legacy equipment in place. Being up-to-date helps you to put into place the risk mitigation you need,” Grieco said.
Many government agencies are operating mission-critical systems with equipment that is approaching or has passed its end of supported life. A 2012 survey by the National Association of State Workforce Agencies found that most IT systems supporting unemployment insurance programs are old and based on outmoded programming languages, many dating as far back as the 1970s or 1980s. An analysis of 200 IT systems for the state of Colorado found 77 were more than 15 years old, and a 2014 study of systems by the Texas Department of Information Resources found that 61 percent were classified as legacy — that is, obsolete or inefficient.
These systems were not designed to withstand the threats of today’s online adversaries. During their supported life, vendors routinely issued security patches and updates to protect them against evolving threats. But once unsupported, they lose this protection and obsolete platforms are unable to support current cybersecurity needs.
Agencies that continue to operate this equipment are not only missing out on the efficiency and economy of up-to-date technology – they are expending resources to maintain weaknesses in their networks that are vulnerable to exploitation.
Cybersecurity Is Not Optional
While effective cybersecurity is a top priority for all organizations, maintaining this security is more than a matter of self-interest. Cybersecurity is a requirement under a number of laws and regulations for government, contractors and other organizations that use and store sensitive government information.
The foundation for federal cybersecurity is FISMA — originally the Federal Information Security Management Act, now the Federal Information Security Modernization Act. FISMA requires executive branch agencies to maintain cybersecurity programs and routinely assess and certify the security status of all information systems. Underlying this law is a library of guidelines, standards and best practices created by the National Institute of Standards and Technology (NIST) in its 800 series of Special Publications. In early 2016, the White House released the Cybersecurity National Action Plan, which recognizes cybersecurity as “one of the most important challenges we face as a nation.” It establishes a Commission on Enhancing National Cybersecurity and calls for more than $19 billion for cybersecurity in the president’s budget for fiscal year 2017. NIST released a Framework for Improving Critical Infrastructure Cybersecurity in 2014, a set of voluntary guidelines and best practices that has been widely adopted by both industry and government.
Yet in spite of these and many more government and industry regulations, many agencies continue to take unnecessary risks by maintaining unsupported and unsecured platforms.