Navigating the cyber frontier 1 year into the National Cybersecurity Strategy

One year since the release of the National Cybersecurity Strategy, federal agencies have made significant progress towards enacting its vision to defend our nation against increasingly sophisticated cyber threats. However, the wave of recent attacks targeting vulnerabilities in legacy systems makes it clear there is still important work to be done. Modernizing and hardening outdated technology must remain a top priority for agencies looking to fully execute the strategy in the years ahead.

Legacy systems — older systems that run outdated software and hardware — are among the most vulnerable components of our network infrastructure. In 2019, the Government Accountability Office identified 10 critical Federal agencies using dated systems that were in the most need of modernization. Eight of those 10 agencies either did not have documented plans for modernization or the plans were incomplete. As of May 2023, six of those eight agencies have implemented GAO’s recommendations to document and execute modernization plans for their legacy systems. 

However, agencies continue to operate systems well beyond their intended lifespan. The risks posed by these systems are indeed very real. For example, the ransomware attack that disrupted Colonial Pipeline in 2021 successfully exploited the lack of two-factor authentication in a virtual private network. Attacks like these underscores why upgrading legacy technology sits at the heart of the National Cybersecurity Strategy.

As outlined in the strategy, aggressively modernizing legacy systems is critical to manage risk across government networks. This includes transitioning from legacy platforms to modern systems with built-in security, adopting cloud-based infrastructure, enhancing automation to reduce vulnerabilities, and consolidating data centers. By investing in new technology optimized for cyber threat detection and rapid response, agencies can significantly strengthen their security posture.

However, recent high-profile incidents have also revealed potential pitfalls if modernization is not approached holistically. In particular, the strategy emphasizes the dangers of solely focusing on deploying new tools without reviewing the broader technological ecosystem.

Below are key considerations for agencies as they actively leverage the National Cybersecurity Strategy as a guiding framework to balance modernization goals with the unique needs and constraints of legacy environments:

• Prioritize based on business impact: With limited IT resources, agencies should triage modernization of legacy systems based on the potential business consequences of disruption. Upgrading citizen-facing systems that enable critical services can significantly boost resilience.

• Involve both IT and business teams: IT leaders own technology selection and deployment. But deep input from business and program teams is vital to understand operational and workflow impacts. Cross-functional collaboration enables holistic modernization that improves both security and efficiency.

• Develop detailed transition plans: Replacing complex legacy systems can take years. Agencies must plan far in advance to prevent disruptions, outlining contingencies and utilizing managed service providers during transition periods to prevent capability gaps.

• Ensure comprehensive security: Legacy modernization discussions frequently center solely on digital safeguards, yet robust physical security measures are equally vital. Incorporating elements such as stringent entry controls and surveillance systems into upgrade plans is imperative to fortify overall data protection efforts.

• Empower your workforce: New technology is meaningless without personnel who can use it effectively. Agencies must pair modernization with comprehensive training and ensure IT and cybersecurity teams have resources to fully utilize new systems.

• Incorporate lessons learned: Continuous improvement is key. Agencies should conduct after-action reviews of modernization initiatives to identify what worked well, potential risks that materialized, and steps to enhance future efforts.

• Monitor performance: Once in place, new systems and capabilities must be continually monitored. This allows issues like reliability challenges or gaps in threat detection to be rapidly identified and addressed.

The path forward will require agencies to take a holistic, iterative approach that builds on real-world lessons learned. While progress has been made in documenting and executing modernization plans, legacy platforms continue to pose serious risks across government networks and the recent wave of cyberattacks targeting vulnerabilities in legacy systems shows there is still important work ahead to fully enact the vision of the National Cybersecurity Strategy. 

As agencies face the next chapter, they will need to adapt to modernization efforts that balance new technology with training, collaboration, and continuous review. Upgrading legacy systems is ultimately about managing risk and improving resilience so that they’re able to build on early successes and ensure our nation's cyber defenses evolve to meet increasingly sophisticated threats.

CORRECTION: An earlier version of this article misstated the vulnerability at issue in the Colonial Pipeline breach.