Legacy IT, legacy acquisition compound cyber risk

[InfoSec News <alerts () infosecnews org>]

http://fcw.com/articles/2015/09/17/legacy-it-risk.aspx

By Adam Mazmanian
FCW.com
Sep 17, 2015

The way the government buys technology can constrain efforts to protect 
federal systems from cybersecurity threats, says Michael Daniel, the top 
White House advisor on cybersecurity.

Federal agencies continue to rely on legacy systems that are vulnerable to 
intrusions and hard to secure. "The burden of legacy in government is a 
huge one," Daniel said at the Billington Cybersecurity Conference in 
Washington, D.C., on Sept. 17. Government is struggling with the problem 
of how to move off of old systems. "We have architectures and hardware and 
software in places that is indefensible, no matter how much money and 
talent we put on it. We don't have a good process for moving off," Daniel 
said.

Security measures are often bolted on to older hardware, software and 
operating systems, "rather than being deeply embedded in the product," 
Daniel said.

Compounding the problem are legacy acquisition methods. "We treat computer 
systems as a gigantic capital investment like a building, rather than 
investments you need to continually refresh," Daniel said. But moving to a 
more flexible budgeting and acquisition system, to allow for revolving 
funds and other more nimble financial instruments, requires new law. 
"We're going to need some help from Congress. There's a very strong 
resistance to making some of those shifts among a lot of folks on the 
Hill," he said.

[...]



--
Evident.io - Continuous Cloud Security for AWS.
Identify and mitigate risks in 5 minutes or less.
Sign up for a free trial @ https://evident.io/