recommended reading

Some Legacy IT in Government Is so Old, It’s 'Indefensible,’ Official Says

White House Cybersecurity Coordinator Michael Daniel

White House Cybersecurity Coordinator Michael Daniel // Ann Heisenfelt/AP

Nearly three quarters of the federal government’s $80 billion budget for information technology goes toward maintaining existing -- and in some cases -- archaic systems.

In the wake of a massive data breach of government employee files, much of the response from federal officials has focused on locking down access to sensitive data through the use of more secure log-ons.

Meanwhile, the congressional response to a series of hacks of both federal agencies and private corporations has been to renegotiate long-awaited legislation that would make it easier for private companies to share cyberthreat information with the feds.

Why not build a safer computer?

"When you talk to hackers, specifically Russian cyber hackers, what they fear is not that we're going to get our act together on cyber intelligence,” said Robert Bigman,  the former chief information security officer of the CIA. “That doesn't concern them at all. What they are concerned about is that we're going to get our act together on how to secure firmware and operating systems. That's what they talk about . . . We haven't listened to them."

Bigman spoke at the Billington Cybersecurity Summit on Sept. 17.

He pointed to the recently discovered Cisco router vulnerability, in which hackers were able to replace the router’s operating system with a malicious spoof. There’s no indication federal agencies were impacted by the hack, but Bigman said it should be a wake-up call.

“We need to get much more granular in our specifications for how to secure government systems, and we must start an initiative tomorrow on how to build trusted operating systems,” he added.

It’s an issue to which federal officials are attuned. Federal Chief Information Officer Tony Scott, who gave a keynote address at Nextgov’s Prime conference Sept. 9, said he’s concerned the building blocks of many IT systems -- even relatively modern ones -- “are fundamentally using components or pieces that were created and designed in an era when we didn't face the kind of threats that we have today.”

Bigman, who’s now the president of the security consultancy 2BSecure, envisions a Manhattan Project-style effort to create a “UL standard” for the digital age, citing the industry-created, government-sanctioned safety standards for a host of products, including electrical wiring.

“If you want to sell computers to the U.S. government, there are certain attributes it must exhibit from a security perspective,” Bigman suggested as a model. “You have freedom to design how you meet these standards, but you have to meet these standards.”

In many ways, the federal government is already such a model when it comes to adopting cloud computing services. Such services -- depending on the sensitivity of the data they will access -- have to be certified by the General Services Administration’s Federal Risk and Authorization Management Program, known as FedRAMP.

Federal officials agree the aging systems that make up the federal IT infrastructure are themselves security risks.

“We’ve got architectures in various places and hardware and software that is indefensible no matter how much money and talent we put on it,” said Michael Daniel, the White House cybersecurity coordinator, who also spoke at the Billington Cybersecurity event.

Security remains a “bolt-on” rather than something “deeply embedded into the product throughout the whole life cycle,” he added, blaming in part the federal government’s “esoteric” budget process.

“We tend to treat computer systems and other things as these gigantic capital investments like buildings, rather than an investment that you need to continually refresh and treat more like a revolving fund or a maintenance budget,” Daniel said.

Threatwatch Alert

Thousands of cyber attacks occur each day

See the latest threats


Close [ x ] More from Nextgov

Thank you for subscribing to newsletters from
We think these reports might interest you:

  • It’s Time for the Federal Government to Embrace Wireless and Mobility

    The United States has turned a corner on the adoption of mobile phones, tablets and other smart devices, outpacing traditional desktop and laptop sales by a wide margin. This issue brief discusses the state of wireless and mobility in federal government and outlines why now is the time to embrace these technologies in government.

  • Featured Content from RSA Conference: Dissed by NIST

    Learn more about the latest draft of the U.S. National Institute of Standards and Technology guidance document on authentication and lifecycle management.

  • A New Security Architecture for Federal Networks

    Federal government networks are under constant attack, and the number of those attacks is increasing. This issue brief discusses today's threats and a new model for the future.

  • Going Agile:Revolutionizing Federal Digital Services Delivery

    Here’s one indication that times have changed: Harriet Tubman is going to be the next face of the twenty dollar bill. Another sign of change? The way in which the federal government arrived at that decision.

  • Software-Defined Networking

    So many demands are being placed on federal information technology networks, which must handle vast amounts of data, accommodate voice and video, and cope with a multitude of highly connected devices while keeping government information secure from cyber threats. This issue brief discusses the state of SDN in the federal government and the path forward.

  • The New IP: Moving Government Agencies Toward the Network of The Future

    Federal IT managers are looking to modernize legacy network infrastructures that are taxed by growing demands from mobile devices, video, vast amounts of data, and more. This issue brief discusses the federal government network landscape, as well as market, financial force drivers for network modernization.


When you download a report, your information may be shared with the underwriters of that document.