The Obama administration proposes to spend $3.1 billion next year to seed a fund designed to improve cybersecurity by modernizing federal information systems.
The funding is part of a White House legislative proposal that would establish a board of government IT security experts - headed by the federal CIO - to identify the highest-priority IT modernization projects.
"Ultimately, retiring or modernizing vulnerable and inefficient legacy IT systems will not only make us more secure, it will also save money," Federal CIO Tony Scott says in a White House blog.
Scott's boss, Shaun Donovan, director of the Office of Management and Budget, says federal civilian agencies spend nearly three-fourths of their IT budgets maintaining legacy IT systems. "These systems may pose security risks, such as the inability to utilize current security best practices, including data encryption and multifactor authentication," Donovan wrote in an April 8 letter to Vice President Joseph Biden, as president of the Senate, and House Speaker Paul Ryan.
Vulnerabilities, Risks Remain Unresolved
"These systems may also pose operational risks, such as rising costs and inability to meet mission requirements," Donovan said. "Absent immediate action, the cost to operate and maintain legacy systems will continue to grow, while security vulnerabilities and other risks will remain unresolved."
Former CIA CISO Robert Bigman says implementing more modern systems would enable federal agencies "to take advantage of more contemporary IT and security capabilities" not available until recently. As an example, he cites segmenting sensitive applications in the cloud. "Buying this as a service can also include - for a few more dollars - better configuration security, better auditing, better identification and authentication and better encryption," says Bigman, president of the IT security consultancy 2BSecure. "These services were not readily available even three years ago."
Many government stakeholders use mobile devices and cloud computing, says Tom Patterson, chief trust officer at integrator Unisys, which works with the federal government on a number of IT security programs. "That new environment is very difficult to address from a security perspective if you have old equipment," he says. "Having servers sit inside of a room, and putting walls around them, doesn't compute in today's modern environment. You need a different approach, a fresh approach to security. The good news is that if you use modern, advanced technologies instead of trying to drag forward your old concepts into the new world, you can save money and lower your risks at the same time."
Modernization Challenges
Some federal agencies already are attempting to launch IT modernization projects. The Department of Veterans Affairs, for instance, is seeking to nearly double its cybersecurity budget in the fiscal year that begins Oct. 1 to $370 million, in part, to carry out an inspector general's recommendation to replace or upgrade legacy systems, VA CIO LaVerne Council says (see OIG: VA Must Address InfoSec Weaknesses).
Bent Arronte, VA deputy assistant inspector general, in testimony before Congress last month contended "the diversity in applications adversely affected facilities and management's ability to consistently remediate IT security deficiencies agencywide."
But despite OMB's recommendation to increase Department of Labor IT modernization funding, Congress cut the department's modernization budget by $4.1 million in fiscal 2014 and $15.4 million in fiscal 2015. "This lack of funding has directly impacted the ability of DoL to improve its IT security posture, including but not limited to the identity access management project," Labor Department Assistant Inspector General Elliot Lewis wrote in a memo last summer (see 3 InfoSec Woes Plaguing Federal Agencies).
Senator Expresses Concern
Agencies' use of legacy systems that provide less security is a problem recognized by Sen. Tom Carper, the Delaware Democrat who is ranking member of the Senate Homeland Security and Governmental Affairs Committee, the panel that provides federal government IT security oversight. Carper called on the administration to improve the acquisition process to make it easier for federal agencies to acquire the latest information systems that can be more easily secured.
"Flaws in the federal acquisition process can limit the tools agency network defenders can obtain," Carper wrote last week to Donovan, the OMB director. "Because the techniques our adversaries use against us online are always evolving, deploying innovative products and services is critical to staying ahead of the threats we face online. Financial institutions, power companies, retailers and other private critical infrastructure owners are able to quickly reap the benefits of the many new and innovative cyber defense products put on the market each year. Yet it is not clear that federal agencies are similarly able to rapidly acquire new and innovative cybersecurity solutions."
Agencies Repay Modernization Investments
Federal CIO Scott says the $3.1 billion in the Information Technology Modernization Fund would be seed money to fund $12 billion in modernization projects over 10 years, noting that agencies would eventually repay money they receive to modernize their IT so the program would be self-sustaining. The agencies could make the required reimbursement from any appropriation available for IT activities, according to a summary of the proposed legislation.
"By establishing a central fund that agencies must apply to and compete for, the legislative proposal will provide strong incentives for agencies to develop comprehensive, high-quality modernization plans," Scott says. "Additionally, stable funding allows for long-term thinking and shorter development times, rather than costly one-off fixes."
The board to oversee the funding initiative would be chaired by the administrator of OMB's Office of Electronic Government, also known as the federal CIO, with another permanent member being a senior official from the General Services Administration, the federal agency that oversees the acquisition of IT wares and services. Other members of the Information Technology Modernization Board would include representatives from the National Institute of Standards and Technology and Department of Homeland Security as well as three other federal employees - appointed by the OMB director - who primarily have expertise in IT development, financial management, cybersecurity and privacy and/or acquisition.
"By collecting modernization proposals from many agencies, the board can identify opportunities to replace multiple legacy systems with a smaller number of common platforms - something that is difficult for agencies, acting on their own with limited insight into other agencies' operations, to do," Scott says. "As a result, the ITMF will facilitate a transition to common platforms and re-engineered business practices across government. This will both reduce risks and save money."