Government decisions and the passage of new laws are slow moving, which is one reason outdated laws still govern current technology usage. Where weighty decisions are concerned, careful deliberation can have a positive effect; it’s important to examine the impacts of a new law or decision from several angles so that enthusiasm doesn’t overtake practicality. What sounds wonderful on the surface can turn into a logistical nightmare, or unforeseen obstacles can halt production, implementation, or forward progress, causing disruption and forcing an organization to find large, unbudgeted sums to fix an unanticipated situation.
Mindful scrutiny is advised when considering large-scale or impactful changes, yet analysis paralysis, or fear of new or different risks, has adverse effects of its own, namely spawning standoffs in which no forward progress is made. With laws like the DMCA or CFAA still in place today, information security practitioners have, without a doubt, seen how failure to transform outdated laws and processes can be harmful. The same can be said of outdated technology. For reference, look to the recent WannaCry attack or the 2015 Office of Personnel Management breach. In both cases, outdated technology and failure to patch and update were major contributing factors in some of the worst cybersecurity incidents in history (to date).
One Congressman is on a crusade to give government technology a facelift. His mission, if successful, will recast antiquated government systems and processes, allowing departments to fight 21st century cyber fights with 21st century technology. Several critical (and still operational) government systems are more than half a century old, meaning they were definitively not designed or configured for today’s predominantly digital, data-obsessed, internet-connected world. This is not to say that old things have no value (Antiques Roadshow illustrates the contrary), but when it comes to technology, lagging behind is rarely a cybersecurity practitioner’s friend.
Representative Will Hurd, who has an intelligence and cybersecurity background (and has even braved DEF CON), introduced the Modernizing Government Technology Act last year. The bill, which died in the Senate after the Congressional Budget Office deemed it too expensive with too little return on investment, was recently updated and sailed through the U.S. House of Representatives last week with bipartisan support.
If passed in the Senate, which is looking likely given the bill’s budget overhauls, the Modernizing Government Technology Act (MGT Act) would allow federal agencies to allocate unused funding to “improve, retire, or replace existing information technology systems to enhance cybersecurity and to improve efficiency and effectiveness.” It would also authorize funds for transitioning outmoded technology to cloud or “other innovative” platforms, and provide support for “adequate, risk-based, and cost-effective information technology capabilities.”
These are all very positive potential steps forward for the government. It’s an unfortunate truth that technology built circa 1960–1990 simply wasn’t constructed to handle today’s cybersecurity threats. Even a crafty and innovative security architect can only do so much with technology that can’t be patched, integrated with modern security tools, or configured to alert on issues. A system that predates the internet can be retrofitted only so far, and the result inspires little confidence in its ability to stand up to modern attacks.
So, hip-hip-hooray for Representative Hurd and his efforts! Even though this bill, if passed, won’t directly affect private sector entities, government systems do, to some extent, affect every U.S. citizen’s life. Not to mention, while the private sector is generally considered more innovative and quicker to act, the “tone from the top” influences how chief executives and boards of directors think about and decide upon information security. Purse strings and support for security have loosened over the years, but many private-sector companies still struggle to modernize their own technology infrastructures. When it comes down to it, producing a new product line or hiring more sales staff typically wins the ROI fight in executives’ eyes. With the passage of the MGT Act, security teams have one more example of why replacing old equipment is important.
Before you get too excited about all the dough that could be rolling into your security program (or…not…) because of the MGT Act, don’t forget that the latest and greatest next-gen technology does not a security program make. Current technology absolutely offers better means of handling modern-day threats than systems developed when disco was fashionable. However, it’s up to the security team, the humans behind the keyboards, to ensure that each new piece of technology goes through a thorough security evaluation prior to procurement; that new technologies are properly configured upon implementation; that controls are fine-tuned as the environment evolves; that systems are patched when necessary; that alerts are promptly tended to, in keeping with their criticality; that encryption is applied to all sensitive data (and that the organization knows both what sensitive data it has and where it is stored); and so on.
A security program is more than the technology that forms its backbone. That said, adequate tools let the security team build the foundation for the capabilities that allow the organization to combat today’s threats. You’ll notice I didn’t write “the best or newest tools.” For the reasons mentioned in the previous paragraph, no security team needs to fight for budget to buy Shiny New Security Solution X if that product will be deployed accepting inbound connections on ports nobody monitors, or with its default administrator password left set to “Password1.” Ultimately, it’s up to security teams to perform the necessary actions and create the policies and procedures that keep the company and its assets secure. All the same, sending a soldier into a gun fight with a pocket knife guarantees an unfavorable outcome for the poorly armed.
Though private sector companies won’t benefit directly from this bill, its existence is a great opportunity for security teams to build an argument supported by a risk assessment and ROI projections. Present evidence to your executive team of why retiring that 1970s mainframe is necessary; how moving certain data (after careful analysis) to a cloud provider and closing down a physical data center will improve information security efforts and free up security staff’s time for more strategic planning; or why your current VPN and signature-based antivirus alone aren’t comprehensive enough to keep out modern malware and keep your company from becoming the next ransomware victim.
Use the government’s momentum to build your own. The passage of the MGT Act on its own would be a big “win” for many people across the U.S. If it can spur more companies into modernization, we’ll be better off a year from now than we are today.