Lawmaker: If You Think Patching is Tough Now, It’s Going to Get Worse

Sen. Mark Warner, D-Va

Sen. Mark Warner, D-Va Andrew Harnik/AP

Without security standards for the internet of things, the government is leaving open billions of “stupid” vulnerabilities, said Sen. Mark Warner.

In the long run, agencies’ heavy reliance on software patching could create more problems than it solves, according to one tech-savvy lawmaker.

And with billions of internet-connected devices expected to flood government facilities in the years ahead, he said, the situation is only going to get worse.

“[With] those legacy systems, every time you patch, you add a new vulnerability,” Sen. Mark Warner, D-Va., said Thursday on a panel hosted by The Atlantic.

An estimated 80 percent of the government’s $80 billion annual IT budget goes to operating and maintaining legacy systems. In Warner’s eyes, that money would be better spent investing in the future than retrofitting decades-old technology for the modern day.

He decried the executive branch’s failure to roll out a long-term plan to upgrade outdated tech infrastructure. He also shared some of the blame with Congress, citing lawmakers’ largely unsuccessful attempts to create new budgeting options for multi-year IT projects.

While most people recognize overhauling the federal IT ecosystem can’t be done overnight, Warner said a few minor policy changes could go a long way in strengthening agencies’ cyber posture. A good start would be setting security standards for internet of things, he said.

“This one’s so freaking low hanging ... [it’s] such a stupid vulnerability we can easily correct,” Warner said.

Organizations like the National Institute of Standards and Technology have outlined basic principles for protecting internet-connected devices, but today companies have no broad cybersecurity rules they need to abide when putting those devices on the market.

Last year, Warner and Sen. Cory Gardner, R-Colo., introduced legislation that would require “a de minimis” level of security for all IoT technology purchased by government. Under the Internet of Things Cybersecurity Improvement Act, devices must be free of known security vulnerabilities, have the ability to accept software patches and allow users to change passwords.

Because the government is such an enormous market, implementing such standards could push industry to broadly adopt IoT cybersecurity best practices, according to technology experts.

“Let’s actually allow the government to be a little more innovative in its purchases, and not simply buy it from some of the large IT vendors that are more about patching as opposed to innovation,” he said.