Like duct-taping airbags to a '65 Mustang

Federal CIO Tony Scott says trying to graft modern security features onto legacy IT systems is like slapping modern safety features onto a classic car: darn near impossible, and ugly.

There would be little room for an airbag among a 1965 Ford Mustang coupe's Rally Pac gauges. (sv1ambo / Flickr)

“This is a 1965 Mustang, a classic American automobile,” said federal CIO Tony Scott, flashing a cherry red muscle car on the projector. “If you are into cars, this is probably one of the cars you would lust after.”

But for all its appeal, the vintage vehicle is lacking in many ways – uncomfortable seats, no airbags – and bringing it up to modern standards, Scott said, is a lot like the challenge facing federal IT departments.

“If you were in charge of trying to make this car modern,” installing anti-lock brakes, airbags and the like, Scott told the audience at the National Institute of Standards and Technology’s eighth Cloud Computing Forum and Workshop on July 7, “and you were told you had to do it with that car and not a new version of that car, you’d find it almost impossible.”

You’d wind up essentially duct-taping many elements on the car, he predicted. It’s a metaphor he has employed before. But he extended it for NIST.

“Even if you could do it, the result would probably be pretty ugly,” Scott said. “You would probably end up with a car that no fan of a ’65 Mustang would want.”

The Mustang modernization is much like the task before federal agencies when it comes to upgrading their IT.

“All of us are being asked to take technology that was designed and largely figured out in the ’80s and ’90s, some of it in the ’60s, and apply security to it,” Scott said. “It’s expensive, hard to do, and the result is not actually all that great. You end up with something that no one really wants.”

Cloud offers an escape from the Frankensteinian conundrum, giving agencies a chance to start fresh with user-centered design, security by design and scalable enterprise services, Scott said.

But it’s not an effortless task.

“Even in the most mature cloud architecture and implementation [nowadays], it still feels a little bit to me like the ’65 Mustang example,” Scott noted, saying agencies need to ensure security is built into every single layer – from buildings and networks down to the device and data levels.

Scott also noted that his 30-day cyber security sprint could produce more coherent, not merely more, guidelines.

“We make a lot of rules but we never unmake rules,” Scott said. “Everything we want to do is now some navigation through some really crazy web of rules and regulations.”

Scott said he hopes the sprint, originally sent to agency CIOs on June 11 and now nearing its end, will enable government to “catalogue” the array of security rules and then “normalize and clean up” the “awkward” mess.