Insufficient talent and outdated equipment have made it challenging to tackle vulnerabilities. Who will fix it? Congress? Many wonder about Congress’s own issues as well.
Federal Aging Computer Systems
Many of the cybersecurity flaws were highlighted in a White House directive calling for federal agencies to fix hundreds of online vulnerabilities. This directive stems from the government’s aging computer system, according to current and former national tech chiefs and industry analysts.
But ongoing efforts to upgrade these systems tend to get choked off by budget restraints. In addition, chronic talent shortages and a revolving door of agency information-technology leaders play a part.
The Biden Administration issued the directive last Wednesday.
The Biden Administration noted that some of the vulnerabilities are from older software versions from Microsoft Corp. or other large technology companies. Agencies might not upgrade these and other apps. Inadequate protection against sophisticated and organized attacks has ravaged public- and private-sector systems over recent years.
Michael Kratsios is the managing director and head of strategy at Scale AI Inc., a data-management startup. He was formerly the federal chief technology officer under President Trump. Mr. Kratsios stated that this initiative is crucial.
This directive applies to all executive-branch agencies and departments, except the Defense Department, the Central Intelligence Agency, and the Office of the Director of National Intelligence. It lists approximately 290 security flaws that cybersecurity professionals have identified.
The computer flaws pose a “significant risk to federal enterprise.”
Many of the vulnerabilities were discovered this year, “including some with Microsoft Office,” said Chronis Kapalidis, principal at the U.K.-based Information Security Forum, a security-management firm whose clients include government agencies and corporations.
He said, “You would think that most organizations have already dealt with that.”
According to the directive, the deadline to address the most severe vulnerabilities is November 17, 2021, and May 3, 2022, for the less serious.
Although the vulnerabilities were discovered years ago, resolution deadlines are still six months away.
The Government Accountability Office (GAO) IT and cybersecurity unit estimates that the software used across the federal government is approximately seven years old. This includes a 35-year-old Transportation Department system that contains sensitive information about aircraft and a nearly 50-year-old Education Department system that stores student-loan data.
Many government agencies (in all 50 states and in other countries) have older computer systems.
This makes it difficult for them to manage an IT infrastructure that is complex and expensive. In some cases, they rely on manual processes, stated Adelaide O’Brien, research director at International Data Corp.’s Government Insights unit.
An agency spokesperson stated that the Office of Management and Budget is concerned. However, they recognize that legacy systems pose many challenges for agencies. This includes additional cybersecurity risks.
The directive addresses a wide range of computer vulnerabilities. However, the spokesperson stated that patch deployment could be complex when supporting critical mission operations with legacy infrastructure.
Federal agencies must comply with the Federal Information Security Management Act of 2002. Daniel Castro, vice president of the Information Technology and Innovation Foundation, a Washington, DC, think tank, stated that federal agencies already have to meet specific information security standards under that act.
Castro stated that Wednesday’s announcement was “a bit surprising.” He added, “It’s quite shocking that this is a directive.” He said, “It’s telling federal government cybersecurity staff that they must patch IT systems with a known vulnerability.” “Of course they should.”
He suggested upgrading the government’s legacy systems rather than creating new policies. Mr. Castro stated that more recent designs have more features and that many cloud-based systems don’t require users to install patches manually.
Jonathan Alboum is the principal computer digital strategist for the federal government at enterprise-software company ServiceNow. He said that, despite all obstacles, federal agencies are making “valiant steps” to upgrade outdated systems. Mr. Alboum stated that some agencies use the four-year-old Modernizing Government Technology Act, which allows them to reprogram IT budget allocations to finance future modernization projects.
Alboum stated that the new directive issued by the Biden administration will “likely serve to forcibly empower more federal agencies to modernize and improve their cybersecurity posture.”
Sen. Maggie Hassan (D-NH) said that she was encouraged by the White House directive. It called cybersecurity a “new frontier” in warfare.
“We also know there is more work to be done,” Ms. Hassan stated. She chairs the Senate Subcommittee on Emerging Threats and Spending Oversight.
Taxpayers have not yet gone on the warpath with their lawmakers about this issue. But it won’t take too many more ransomware attacks to trigger a grassroots revolt.
It is expected the NSA will also take a hand in getting the systems updated.