Legacy IT, legacy acquisition compound cyber risk

Shutterstock image (by dencg): digital warning sign.

The way the government buys technology can constrain efforts to protect federal systems from cybersecurity threats, says Michael Daniel, the top White House advisor on cybersecurity.

Federal agencies continue to rely on legacy systems that are vulnerable to intrusions and hard to secure. "The burden of legacy in government is a huge one," Daniel said at the Billington Cybersecurity Conference in Washington, D.C., on Sept. 17. Government is struggling with the problem of how to move off of old systems. "We have architectures and hardware and software in places that is indefensible, no matter how much money and talent we put on it. We don't have a good process for moving off," Daniel said.

Security measures are often bolted on to older hardware, software and operating systems, "rather than being deeply embedded in the product," Daniel said.

Compounding the problem are legacy acquisition methods. "We treat computer systems as a gigantic capital investment like a building, rather than investments you need to continually refresh," Daniel said. But moving to a more flexible budgeting and acquisition system, to allow for revolving funds and other more nimble financial instruments, requires new law. "We're going to need some help from Congress. There's a very strong resistance to making some of those shifts among a lot of folks on the Hill," he said.

Daniel also said that efforts by the private sector to modernize IT could yield some insights for government.

"I’m very interested in looking at what industry has done in that space. You can never take what the industry does and just plop it on the government, because that never works. But there are lessons that we can learn from that area," he said, speaking to reporters on the sidelines of the conference. "I think we really do need to look at how we're provisioning cybersecurity across the federal government, particularly on the federal civilian side. It's clear that what we've been doing is not sufficient, and we need to step up our game in that area."

The government is using the aftermath of the Office of Personnel Management hack as an opportunity to do an assessment of its cybersecurity exposure. Daniel said that effort, being led by the Office of Management and Budget and the Department of Homeland Security, is designed to find out if there is an accurate accounting of "all the big pools of information like the big background check database, and do we feel we are taking adequate steps to protect those."

While the effort hasn't discovered anything on the scale of the OPM hack, "because we are looking more and looking with better tools, we are finding more stuff," Daniel said.

About the Author

Adam Mazmanian is executive editor of FCW.

Before joining the editing team, Mazmanian was an FCW staff writer covering Congress, government-wide technology policy and the Department of Veterans Affairs. Prior to joining FCW, Mazmanian was technology correspondent for National Journal and served in a variety of editorial roles at B2B news service SmartBrief. Mazmanian has contributed reviews and articles to the Washington Post, the Washington City Paper, Newsday, New York Press, Architect Magazine and other publications.

Click here for previous articles by Mazmanian. Connect with him on Twitter at @thisismaz.


  • Contracting
    8 prototypes of the border walls as tweeted by CBP San Diego

    DHS contractors face protests – on the streets

    Tech companies are facing protests internally from workers and externally from activists about doing for government amid controversial policies like "zero tolerance" for illegal immigration.

  • Workforce
    By Mark Van Scyoc Royalty-free stock photo ID: 285175268

    At OPM, Weichert pushes direct hire, pay agent changes

    Margaret Weichert, now acting director of the Office of Personnel Management, is clearing agencies to make direct hires in IT, cyber and other tech fields and is changing pay for specialized occupations.

  • Cloud
    Shutterstock ID ID: 222190471 By wk1003mike

    IBM protests JEDI cloud deal

    As the deadline to submit bids on the Pentagon's $10 billion, 10-year warfighter cloud deal draws near, IBM announced a legal protest.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.