President Trump’s cybersecurity strategy hinges on modernizing legacy computer systems that sap resources and hold back agencies from updating security policies. The approach views cloud-based services not only as more flexible and less costly, but also as inherently more secure.
“It’s not always a fact that IT modernization and cybersecurity have to go hand in hand,” said Jeanette Manfra, acting deputy undersecretary for Cybersecurity and Communications for the National Protection and Programs Directorate in the Department of Homeland Security (DHS). “But that is very important and something this administration recognized immediately: that the lack of modernization is itself a big vulnerability for the government.”
Consolidating hundreds of federal networks into one or more virtualized networks is one part of that strategy. Just as essential is replacing aging infrastructure that is both expensive to operate and difficult to protect. Manfra said the government must graduate from today’s perimeter-focused approach, which concentrates on protecting the network itself, to a data-centered approach designed to protect the information assets residing on that network.
That’s hardly a new concept to security experts, but it reflects a massive cultural shift for government. Retired Air Force Maj. Gen. Dale Meyerrose, a former chief information officer for the director of national intelligence and now an information security professor and consultant, said protecting the network is a lost cause; it’s best to assume the enemy is already inside your network.
“Every industry sector has a time lag between the infiltration of the evil-doers into your enterprise and their discovery,” Meyerrose said in March at the Cyber Resilience Summit in Reston, Va. The video game industry is the most skilled at rooting out infiltrators, he said, finding intruders in less than a week, on average. The worst? “The United States Government,” he continued. “The average time between infiltration and discovery is almost two years.”
The security paradigm is broken because the focus is in the wrong place, Meyerrose said. “The evil-doers don’t want your network. They want the stuff that’s in your network.”
By definition, cloud-based services blur the lines of conventional perimeter security, forcing CIOs and chief information security officers (CISOs) to focus on securing organizational data, as opposed to protecting the system itself. Legacy systems weren’t necessarily built with the Internet, remote access and external links in mind. Cloud, on the other hand, exists solely because of that global connectivity.
This is the opportunity at hand, DHS’ Manfra said at the Institute for Critical Infrastructure Forum June 7: “The promise of modernization is that it also allows us to modernize our security processes.”
Michael Hermus, DHS chief technology officer, agrees. “Software-defined infrastructure really helps us in this modernization journey towards a better security posture, towards being able to adapt to changing needs,” he said. Legacy systems lack the flexibility to respond to rapidly changing threats or situations, whereas virtualized networks and architectures can be reconfigured almost instantly, through software changes rather than hardware changes. “If the infrastructure is flexible enough to meet those changing needs, you are going to be in a much better security posture.”
Legacy IT problems aren’t unique to government. Large institutions like banks, power companies, airlines, insurers and the like also operate using what some call “Frankenstein networks,” amalgamations of legacy systems, often with modern frontends, that make change challenging. Take insurance giant Aetna, for example, where Jim Routh is the chief security officer. Although the private sector has different financial incentives and opportunities, many of the issues are similar.
“The reality is that fragile systems are the most expensive to maintain,” Routh said. “And often fragile systems aren’t even core business systems, because they don’t get a lot of attention. So a new capability that actually has security designed into it is actually much more cost-effective from an economic standpoint than keeping these legacy systems around.”
His recommendation: “Take the legacy systems that are the most expensive to operate and divide them into two categories: the ones that get a lot of attention and support core business needs, and those that aren’t part of the core business. Then take the ones that aren’t part of the core business and decommission them.”
Hermus said DHS applies a decision framework across the organization to make a similar evaluation. “We’re creating a framework that can identify systems that need to be updated or modernized” based on existing best practices, such as Gartner’s TIME model, which stands for Tolerate, Invest/Innovate/Integrate, Migrate/Modernize and Eliminate. “Having a consistent framework for evaluating your assets, that’s something we all need to consider, particularly at the large enterprise level.”
Christopher Wlaschin, CISO at the Department of Health and Human Services (HHS), said his agency also applies an organizational framework to prioritize modernization needs. The agency spent $12 billion on IT last year across 11 divisions, including the Food and Drug Administration, the Centers for Medicare and Medicaid Services and the National Institutes of Health.
“If the definition of a Frankenstein network is mismatched parts cobbled together over a central nervous system, I think, yeah, HHS has that,” he said. The 11 operating divisions all have unique threat and risk profiles and substantially different users and needs. The objective is to move toward shared services wherever that makes sense and, where it doesn’t, to replace proprietary systems with cloud solutions.
“The challenge is the immensity of the problem,” said Mark Sikorski, vice president of Homeland Security Solutions at systems integrator General Dynamics Information Technology. “Everything is interconnected. Modernizing one system affects all the others. Determining where your greatest vulnerabilities are – and then prioritizing them – is just the first step. The next is to carefully assess each decision so you understand the downstream impact on the rest of the enterprise ecosystem.”
Get that wrong and the complexity can quickly snowball.
“You have to decide if you want to take the ‘Big Bang’ approach and modernize everything at once, or go very slowly, carefully untangling the knot of legacy systems without disrupting anything,” Sikorski added. “If you do that, you’ll pay a premium for maintaining an increasingly outdated environment. Like the old TV commercial says, you can pay now, or pay later. But you can’t avoid paying forever.”