Some Legacy IT in Government Is so Old, It’s 'Indefensible,’ Official Says

White House Cybersecurity Coordinator Michael Daniel // Ann Heisenfelt/AP

Nearly three-quarters of the federal government's $80 billion budget for information technology goes toward maintaining existing -- and in some cases archaic -- systems.

In the wake of a massive data breach of government employee files, much of the response from federal officials has focused on locking down access to sensitive data through the use of more secure log-ons.

Meanwhile, the congressional response to a series of hacks of both federal agencies and private corporations has been to renegotiate long-awaited legislation that would make it easier for private companies to share cyberthreat information with the feds.

Why not build a safer computer?

"When you talk to hackers, specifically Russian cyber hackers, what they fear is not that we're going to get our act together on cyber intelligence," said Robert Bigman, the former chief information security officer of the CIA. "That doesn't concern them at all. What they are concerned about is that we're going to get our act together on how to secure firmware and operating systems. That's what they talk about . . . We haven't listened to them."

Bigman spoke at the Billington Cybersecurity Summit on Sept. 17.

He pointed to the recently discovered Cisco router vulnerability, in which hackers were able to replace the router’s operating system with a malicious spoof. There’s no indication federal agencies were impacted by the hack, but Bigman said it should be a wake-up call.

“We need to get much more granular in our specifications for how to secure government systems, and we must start an initiative tomorrow on how to build trusted operating systems,” he added.

It’s an issue to which federal officials are attuned. Federal Chief Information Officer Tony Scott, who gave a keynote address at Nextgov’s Prime conference Sept. 9, said he’s concerned the building blocks of many IT systems -- even relatively modern ones -- “are fundamentally using components or pieces that were created and designed in an era when we didn't face the kind of threats that we have today.”

Bigman, who’s now the president of the security consultancy 2BSecure, envisions a Manhattan Project-style effort to create a “UL standard” for the digital age, citing the industry-created, government-sanctioned safety standards for a host of products, including electrical wiring.

“If you want to sell computers to the U.S. government, there are certain attributes it must exhibit from a security perspective,” Bigman suggested as a model. “You have freedom to design how you meet these standards, but you have to meet these standards.”

In many ways, the federal government is already such a model when it comes to adopting cloud computing services. Such services -- depending on the sensitivity of the data they will access -- have to be certified by the General Services Administration’s Federal Risk and Authorization Management Program, known as FedRAMP.

Federal officials agree the aging systems that make up the federal IT infrastructure are themselves security risks.

“We’ve got architectures in various places and hardware and software that is indefensible no matter how much money and talent we put on it,” said Michael Daniel, the White House cybersecurity coordinator, who also spoke at the Billington Cybersecurity event.

Security remains a “bolt-on” rather than something “deeply embedded into the product throughout the whole life cycle,” he added, blaming in part the federal government’s “esoteric” budget process.

“We tend to treat computer systems and other things as these gigantic capital investments like buildings, rather than an investment that you need to continually refresh and treat more like a revolving fund or a maintenance budget,” Daniel said.
