The biggest cybersecurity threat facing federal agencies is legacy IT

Improving our cyber posture is among the top priorities for the Trump administration. However, many questions remain as to how it hopes to achieve this goal.

As we have seen over the past several years, high-profile hacks are practically the norm. From the OPM data breach in 2015, which affected millions of current and former federal employees, to Russia’s efforts to influence our election through hacking of our political parties, cyberattacks have become a constant source of news and frustration in our lives.

There are many new IT initiatives emerging across government. Texas Republican Rep. Will Hurd’s revised Modernizing Government Act has finally been reintroduced. The president announced both a modernization-focused American Technology Council and an Office of American Innovation. A cybersecurity executive order will also be released.

IT modernization and cybersecurity initiatives must be tied together in a concerted way across all these various well-intentioned initiatives, or a great opportunity to truly transform government IT, and protect its data, will be squandered.

Legacy IT leaves the front door open
The biggest concern with legacy IT is that the bulk of today’s cyber spending is focused on preventing attackers from getting in the “house” or the infrastructure layer. Unfortunately, these systems were built years ago — in some cases, decades ago — without the security safeguards that modern technologies have in place.

The issue is that cyberattackers can walk in through the front door and, once in the house, they have the ability to dig even further by penetrating through the application layer — think of this as the “safe,” where the most valuable information is stored.

We start to see the shortcomings of legacy IT when we think about how attackers infiltrate systems and dig for information. For much of legacy, on-premises technology, there are multiple technology stacks that constantly need to be patched and upgraded. This piecemeal approach to cybersecurity is completely unsuitable in today’s world.

If a federal agency could divorce itself from its legacy IT and move toward managing applications in the cloud, it would instantly benefit from dramatically improved cybersecurity. For many agency veterans, it may come as a surprise that storing data in the cloud is more secure than on-premises, but it’s true for a very simple reason. The companies driving Platform-as-a-Service offerings, such as Salesforce, pour millions upon millions of dollars into their platform to ensure their cyber posture is virtually impenetrable. Instead of federal agencies developing their own defenses, why not go with the built-in solution the cloud platform provides?

What should the Trump administration do?

The administration should recognize that modernizing legacy IT needs to be a core component of its cybersecurity efforts, not a separate initiative or an effort that is only about cost-reduction. This will require transformation on a massive scale with concerted leadership by the administration. Specifically:

  1. The administration should mandate significant cuts in IT operating & maintenance spending, which currently eats up more than $70 billion across the federal government each year. During Trump’s first term, the target should be to reduce IT O&M spending by 25 percent. A full 50 percent reduction in overall IT O&M spending should be mandated and targeted for completion within the president’s second term.
  2. Achieve these cost-cutting goals by launching an IT Transformation Initiative (ITI) that would require a radical rebuilding of the government’s outdated legacy systems through modern, cloud-based technology and agile development approaches common in the private sector.
  3. Recognize that the need for IT modernization is not solely a CIO or CISO issue – this is an issue that must be taken up by the highest levels of leadership within each agency. If a true IT transformation in federal is to take place, it must come from agency leaders, not just an agency’s technology leaders.
  4. Ensure funding for cybersecurity is leveraged for IT modernization. In my viewpoint, the two are one and the same. You cannot have better cybersecurity capabilities without better technology; and you cannot have better technology if it doesn’t provide better cybersecurity capabilities. These two issues must be considered together for real change to occur.

We have reached critical mass when it comes to cybersecurity and legacy IT because the status quo is not working. My hope is that the new administration, bolstered by bipartisan support for IT modernization, can deliver on a path forward that dramatically modernizes our federal IT applications to improve our nation’s cyber posture.

By: John Low
Source: www.fedscoop.com