Federal Cybersecurity Directive Spotlights Aging Computer Systems
Chronis Kapalidis, Principal at the ISF, featured in WSJ.
Many of the cybersecurity gaps outlined in a new White House directive that calls on federal agencies to patch hundreds of online vulnerabilities stem from the government’s aging computer systems, current and former federal tech chiefs, lawmakers and industry analysts say.
But ongoing efforts to upgrade these systems tend to get bogged down by budget restrictions, chronic talent shortages and a revolving door of agency information-technology leaders.
As a result, some of the vulnerabilities listed in the directive, issued by the Biden Administration Wednesday, date back years in older versions of software from Microsoft Corp. and other large technology firms. Agencies that haven’t continually upgraded these and other apps may lack protections needed to ward off the kinds of organized, sophisticated and widespread attacks that have crippled public- and private-sector systems in recent years.
Defense Department, the Central Intelligence Agency and the Office of the Director of National Intelligence, lists some 290 known security flaws identified by cybersecurity professionals.
It describes the flaws as carrying “significant risk to the federal enterprise.”
While many vulnerabilities listed were identified this year, it was interesting that some date back several years, including some vulnerabilities with Microsoft Office, said Chronis Kapalidis, principal at the U.K.-based Information Security Forum, a security and risk-management firm whose clients include corporations and government agencies.
“You would expect that most organizations have already tackled that,” he said.
The directive's deadlines turn on the age of the flaw rather than its severity: vulnerabilities assigned a CVE identifier in 2021 must be remediated by Nov. 17, 2021, and those with older CVE identifiers by May 3, 2022.
Given that some of these vulnerabilities were identified years ago, Mr. Kapalidis said he was surprised that a number of resolution due dates are six months away.
The Government Accountability Office’s IT and cybersecurity unit estimates that software being used across the federal government is about seven years old, on average, including a 35-year-old Transportation Department system that holds sensitive aircraft information and a nearly 50-year-old system used by the Education Department to store student-loan data.
Older systems mean many agencies operate with overly complicated IT infrastructure that is expensive and difficult to protect, in some cases relying on manual processes, said Adelaide O’Brien, research director at research firm International Data Corp.’s Government Insights unit.