Study Confirms Conventional Wisdom: Legacy Federal IT Breeds Cybersecurity Risks

It has long been a commonly held view in federal IT circles that legacy systems are inherently insecure, largely because they do not receive regular security patches for outdated software and code. That’s one of the reasons why the Obama administration pushed so hard on IT modernization, and why the Trump administration will likely embrace that approach.

Now, a new academic study bolsters the argument and gives even more ammunition to proponents of updating legacy IT systems within agencies.

Updating older IT systems, shifting to the cloud and putting in place strong data governance rules all help reduce security risks, according to the study.

The Need to Modernize Legacy Federal IT

Roughly 80 percent of the $90 billion the federal government spends annually on IT is dedicated to operations and maintenance of legacy IT systems. Agencies should aim to shift that spending pattern, the study suggests.

The study, “Security Breaches in the U.S. Federal Government,” was published last month in the Social Science Research Network and written by two academics, Min-Seok Pang of the Fox School of Business at Temple University and Hüseyin Tanriverdi of the University of Texas at Austin’s Red McCombs School of Business.

“We find that agencies that invest more in new IT development and modernization experience fewer security breaches than ones that invest more in maintenance of legacy systems,” the study notes. “Outsourcing legacy systems to the cloud also reduces the frequency of security breaches. Our results also find that effective IT governance, risk, and control mechanisms also mitigate security risks of the legacy systems.”

As Fed Scoop reports, the academic article “crunched incident data from the annual reports agencies are required to submit under the Federal Information Systems Modernization Act, or FISMA, and spending data from the Federal IT Dashboard.”

The study found that there is “a significantly negative relationship between the number of security incidents and the stock of new IT systems,” which is measured by the percentage of IT spending on new IT development over total IT investments for the past five years.

For every 1 percentage-point increase agencies make in investments on new IT, there is a 5 percent decrease in security breaches, the study found.

“This effect is consistent across many different types of security breaches,” the report found, including unauthorized access, social engineering and malicious codes.

“A supplementary analysis with security breach data from Privacy Rights Clearinghouse shows that the amount of new IT spending is associated with fewer unintentional breaches of personal information in federal agencies,” the report adds. “Intriguingly, federal agencies that migrate their legacy systems to the cloud suffer from fewer security breaches.”

Additionally, the study found that if agencies put in place “effective IT governance, risk and control (IT-GRC) mechanisms, as evaluated by agency inspectors general audits,” those tools mitigate security risks of the legacy systems.

“This finding indicates that security vulnerabilities caused by unsecure legacy systems could be mitigated by strong IT-GRC mechanisms such as close monitoring of network activities, strict access controls, continuous training of employees, and effective risk management,” the report says.

Momentum for IT Modernization

There is substantial support within government for modernizing federal IT systems. Indeed, the Modernizing Government Technology (MGT) Act is expected to be reintroduced in Congress soon.

Rep. Will Hurd (R-Texas), one of the original bill’s lead sponsors and the chairman of the House Committee on Oversight and Government Reform’s IT subcommittee, said in late March that a modified version of the MGT Act is coming “very soon.”

Hurd also says that he expects President Donald Trump’s formal budget to include a proposal for a centralized IT modernization fund that would be housed in the Office of Management and Budget.

As part of its broader cybersecurity proposal, the Obama administration last year proposed a $3.1 billion IT Modernization Fund (ITMF). The fund was designed to “address an estimated $12 billion worth of modernization projects over 10 years.”

Congress took up the issue, only to see momentum stall at the end of 2016. In September, the House of Representatives passed the MGT Act, which didn’t appropriate any new money, but would have authorized working capital funds at the 24 agencies governed by the Chief Financial Officers Act of 1990. The funds would allow agencies to reprogram funding (with the approval of appropriators) to improve, retire or replace existing IT systems. This would help boost efficiency and effectiveness, transition to the cloud and support IT capabilities that deal with evolving security threats. The bill also authorized a governmentwide revolving fund that the General Services Administration would manage, akin to the ITMF.

And last week, Grant Schneider, the acting federal CISO, spoke about the need to focus on IT modernization to save cost and improve security.

“We have legacy IT challenges that challenge us, again from an efficiency standpoint, from an effectiveness standpoint and most certainly from a security standpoint,” he said at the McAfee Security Through Innovation Summit, according to FedScoop. “We have to have ways to get out of the legacy IT capabilities that we have, without building the next decade’s legacy IT capabilities.”

“I will say we’re very interested in MGT,” Schneider told FedScoop after his remarks. “The White House had an event earlier this week where [House Majority Leader Kevin] McCarthy was at, and he talked a lot about MGT. We’re working with the Hill, we definitely think it is something that we need in order to be able to tackle the legacy IT. And so we’re excited about seeing Congress get it through.”

This content is made possible by FedTech. The editorial staff of Nextgov was not involved in its preparation.