Lack of talent and outdated equipment have made it difficult to address vulnerabilities. Who will fix it? Congress? Many also wonder about the topics of Congress.
Aging Federal Computer Systems
Many of the cybersecurity flaws were highlighted in a White House directive for federal agencies to fix hundreds of vulnerabilities online. This directive stems from the aging of the government IT system, according to current and former national chief technology officers and industry analysts.
But ongoing efforts to upgrade these systems tend to be hampered by budget constraints. In addition, a chronic shortage of talent and the revolving door of agency information technology leaders play a role.
The Biden Administration issued the directive last Wednesday.
The Biden Administration noted that some of the vulnerabilities are from older versions of software from Microsoft Corp. or other large technology companies. Agencies may not update these and other apps. Inadequate protection against sophisticated and organized attacks has devastated public and private sector systems in recent years.
Michael Kratsios is the managing director and head of strategy for Scale AI Inc., a data management startup. He was previously the federal chief technology officer under President Trump. Mr. Kratsios stated that this initiative is crucial.
This directive applies to all agencies and departments of the executive branch, except the Department of Defense, the Central Intelligence Agency, and the Office of the Director of National Intelligence. It lists approximately 290 security flaws that cybersecurity professionals have identified.
Computer failures pose a “significant risk to the federal business.”
Many of the vulnerabilities were discovered this year, including some with Microsoft Office, said Chronis Kapalidis, director of the UK-based Information Security Forum, a security management company whose clients include government agencies and corporations.
He said: “You would think that most organizations have already taken care of that.”
According to the directive, the deadline to address the most serious vulnerabilities is November 17, 2021, and the deadline for the least serious is May 3, 2022.
Although it was discovered years ago, the resolution deadlines are still six months away.
The Government Accountability Office's (GAO) IT and Cybersecurity unit estimates that the software used throughout the federal government is approximately seven years old. This includes a 35-year-old Department of Transportation system that contains confidential aircraft information and a nearly 50-year-old Department of Education system that stores student loan data.
Many government agencies (in all 50 states and in other countries) have older computer systems.
This makes it difficult for them to manage an IT infrastructure that is complex and expensive. In some cases, they are based on manual processes, said Adelaide O’Brien, research director in the Government Insights unit of International Data Corp.
A spokesperson for the agency stated that the Office of Management and Budget is concerned. However, they recognize that legacy systems pose many challenges for agencies. This includes additional cybersecurity risks.
The directive addresses a wide range of computer vulnerabilities. However, the spokesperson stated that patching could be complex when supporting mission critical operations with legacy infrastructure.
Federal agencies already have to comply with specific information security standards under the Federal Information Security Management Act of 2002, said Daniel Castro, vice president of the Information Technology and Innovation Foundation, a Washington, DC, think tank.
Castro said Wednesday’s announcement was “a bit surprising.” He added: “It is quite shocking that this is a directive.” He said: “You are telling federal government cybersecurity personnel to patch IT systems with a known vulnerability.” “Of course they should.”
He suggested updating legacy government systems rather than creating new policies. Castro said the newer designs have more features, and that many cloud-based systems do not require users to manually install patches.
Jonathan Alboum is the federal government’s chief digital IT strategist for the enterprise software company ServiceNow. He said that despite all the obstacles, federal agencies are taking “courageous steps” to update outdated systems. Mr. Alboum stated that some agencies use the Government’s four-year-old Technology Modernization Act, which allows them to reschedule IT budget allocations to fund future modernization projects.
Alboum stated that the new directive issued by the Biden administration “will likely serve to forcibly empower more federal agencies to modernize and improve their cybersecurity posture.”
Sen. Maggie Hassan (D-N.H.) said the White House leadership encouraged her. She called cybersecurity a “new frontier” in warfare.
“We also know that there is more work to be done,” said Ms. Hassan. She chairs the Senate Subcommittee on Emerging Threats and Spending Oversight.
Taxpayers have yet to go to war with their legislators on this issue. But it won’t take many more ransomware attacks to spark a popular revolt.
The NSA is also expected to help update the systems.