Modernizing legacy systems is a major issue in most government agencies and we need policy to support security. Recent legislation, including the President’s Cybersecurity National Action Plan and the MOVE IT Act are helping to address this issue, but the federal sector needs to adopt a more forward-thinking mindset. Many agencies operate on the theory of ‘if it’s not broken, don’t fix it,’ which leaves us with systems that are two or three decades old because they still work. However, simply working is no longer adequate. Even though these systems might still work, their security is woefully outdated and unable to be modernized. Updating, upgrading and in some cases replacing these legacy systems is the only viable answer, and must become an integral part of the overall security program.
The Office of Personnel and Management (OPM) breach, which resurfaced last week with the long overdue release of the 241-page report from the U.S. House Oversight & Government Reform Committee, is the most recent example of how the “if it’s not broken” approach limits an organization’s ability to effectively respond to cyber threats. The basis of the report is that critical errors were made by the agency’s senior leadership that were exacerbated by outdated legacy technology resulting in the exposure of background investigations and fingerprint data on millions of Americans.
{mosads}None of the key findings in this report come as a shock to those in the information security industry. The intense political scrutiny, from investigations to congressional hearings, followed by widespread media reporting, allowed most of us to guess at what happened and how, but having the official report reinforce our presumptions is nice. The problem is that everyone seems more focused on pointing the finger and less on evaluating the key recommendations — which actually make sense.
What we need to be doing now is focusing on the future, and figuring out how to adapt to the modern and interconnected IT landscape which includes public and private cloud, Internet of Things, BYOD, containers, next generation SaaS security and other emerging trends. We’re never going to completely replace legacy technology on our networks with more secure options, especially within the government, but we need to hold agencies accountable for their security programs if we are to protect our most critical infrastructure from nation-state cyber actors and avoid a repeat incident.
A good place to start is by implementing a ‘zero trust’ network, which is the one recommendation that seems to be getting the most attention in the report. Zero trust is a concept that has been around for a while, but has recently become a popular marketing term by a few information security companies. As security moves from a perimeter-centric view to a more amorphous configuration, the need for a zero trust model is increased. Under this model, users, applications, devices, etc. that are inside the network receive no more or less trust that those entities that exist outside the network. This means that while a zero trust network would not prevent a breach, it would at least be contained, allowing for quicker and easier remediation.
In the past, networks were typically designed with a firewall at the perimeter. Anything inside the firewall was trusted, and anything outside, i.e. the internet, was not. This is great for very small networks, but as we’ve learned from experience, this does not scale well and becomes even more complex when the edges of the network start to blur with mobile, cloud and other new technologies. With a zero trust configuration you still have a firewall, in fact a network would have several of them, each one blocking off parts of the internal network from each other. Since no device trusts any other device or application or user, data protection and proper authentication become critical.
One other key recommendation in the Congressional OPM breach report gives actual power to the CIO or CSO to get stuff done. All too often organizations, both public and private, create positions of power over their technology and then forget to actually give those positions any power. This can make those positions convenient scapegoats during a breach or compromise, but does little to improve the overall security posture. By empowering these positions to actually drive change, a greater level of security can be achieved.
The recommendations listed in the report are moving in the right direction, and can easily be applied to all government agencies and private sector organizations but we can’t forget there is no single magic bullet solution. That’s why we need to transform the way we think about cybersecurity technology and focus on a comprehensive approach to security that addresses the challenges of protecting legacy systems while also keeping pace with the increasing complexity of the evolving federal IT environment.
Cris Thomas is strategist for Tenable Network Security.
The views expressed by authors are their own and not the views of The Hill.