Some Legacy IT in Government Is so Old, It’s 'Indefensible,’ Official Says

Nearly three quarters of the federal government’s $80 billion budget for information technology goes toward maintaining existing -- and in some cases -- archaic systems.

In the wake of a massive data breach of government employee files, much of the response from federal officials has focused on locking down access to sensitive data through the use of more secure log-ons.

Meanwhile, the congressional response to a series of hacks of both federal agencies and private corporations has been to renegotiate long-awaited legislation that would make it easier for private companies to share cyberthreat information with the feds.

Why not build a safer computer?

"When you talk to hackers, specifically Russian cyber hackers, what they fear is not that we're going to get our act together on cyber intelligence,” said Robert Bigman,  the former chief information security officer of the CIA. “That doesn't concern them at all. What they are concerned about is that we're going to get our act together on how to secure firmware and operating systems. That's what they talk about . . . We haven't listened to them."

Bigman spoke at the Billington Cybersecurity Summit on Sept. 17.

He pointed to the recently discovered Cisco router vulnerability, in which hackers were able to replace the router’s operating system with a malicious spoof. There’s no indication federal agencies were impacted by the hack, but Bigman said it should be a wake-up call.

“We need to get much more granular in our specifications for how to secure government systems, and we must start an initiative tomorrow on how to build trusted operating systems,” he added.

It’s an issue to which federal officials are attuned. Federal Chief Information Officer Tony Scott, who gave a keynote address at Nextgov’s Prime conference Sept. 9, said he’s concerned the building blocks of many IT systems -- even relatively modern ones -- “are fundamentally using components or pieces that were created and designed in an era when we didn't face the kind of threats that we have today.”

Bigman, who’s now the president of the security consultancy 2BSecure, envisions a Manhattan Project-style effort to create a “UL standard” for the digital age, citing the industry-created, government-sanctioned safety standards for a host of products, including electrical wiring.

“If you want to sell computers to the U.S. government, there are certain attributes it must exhibit from a security perspective,” Bigman suggested as a model. “You have freedom to design how you meet these standards, but you have to meet these standards.”

In many ways, the federal government is already such a model when it comes to adopting cloud computing services. Such services -- depending on the sensitivity of the data they will access -- have to be certified by the General Services Administration’s Federal Risk and Authorization Management Program, known as FedRAMP.

Federal officials agree the aging systems that make up the federal IT infrastructure are themselves security risks.

“We’ve got architectures in various places and hardware and software that is indefensible no matter how much money and talent we put on it,” said Michael Daniel, the White House cybersecurity coordinator, who also spoke at the Billington Cybersecurity event.

Security remains a “bolt-on” rather than something “deeply embedded into the product throughout the whole life cycle,” he added, blaming in part the federal government’s “esoteric” budget process.

“We tend to treat computer systems and other things as these gigantic capital investments like buildings, rather than an investment that you need to continually refresh and treat more like a revolving fund or a maintenance budget,” Daniel said.