Modernization boosts cybersecurity anxieties, survey says

When it comes to protecting the government's IT infrastructure from cyberattacks, conventional wisdom has long held that modernization of outdated legacy systems can be a key driver of improved security.

The results of a survey released Sept. 6 challenged that conventional wisdom. The poll, conducted by Unisys found that a majority of federal IT leaders believe modernization efforts have increased, not decreased, their overall security challenges.

When it comes to cybersecurity, 59 percent of respondents said their agencies IT modernization efforts have increased the security challenges they face. Unisys Federal President Venkatapathi Puvvada said the results don't suggest that modern software or architecture are less safe, but rather illustrate the "double-edged sword" of IT modernization efforts.

"It's complex to manage and difficult to staff, that's the reason why respondents can't get their hands around the processes to manage security," said Puvvada.

The chaotic nature of IT transformation may also be a factor, as agencies attempt to simultaneously operate in two worlds: the old IT environment and the new. Tony Sager, senior vice president at the Center for Internet Security, said it's already challenging for federal IT leaders to meet the regulatory reporting requirements of the status quo without the "trauma" that comes from most large scale IT transformations.

"Where I see people stressed is if they see old requirements they're stuck dealing with while trying to change the IT infrastructure at the same time," said Sager.

Of those who said their security issues have increased, more than half (53 percent) cited their IT staff's difficulties supporting and completing the transition from old technologies to new. Increased compliance reporting was the second-most frequently cited reason (42 percent), while "learning new systems" came in at third (41 percent.)

Unisys canvassed 200 current federal IT executives for the survey, with respondents involved in acquisition decision making, management, developing requirements and other modernization functions. The group split evenly between defense and civilian agencies.

Enhanced security was the number one benefit associated with IT modernization, selected by 38 percent of respondents, despite concerns about risks. Puvvada said this contradiction was more a reflection that change and adapting to a new environment can be unpleasant, especially during the transition phase.

"At the end of the day, once people make the journey and see modern systems with new software and equipment that have a lot of built-in security components, they start to see the benefits," he said.

While upgrading and standardizing systems can bring with it more modern and enhanced security, Sager said it can also simplify things for hackers as well.

"When you bring large worldwide enterprise tools to bear, you do consolidate more and create shinier targets for bad guys to go after, but you also have much more opportunity," he said.

While IT modernization has had broad, bipartisan support for years, survey responses indicate that many federal agencies still have a ways to go. When it came to rating their own performance on modernization efforts, fewer than 20 percent gave their agency an "A."

Part of the problem is funding. A bill to jump start cloud transition and modernization, the Modernizing Government Technology Act, remains stuck in the Senate after passing the House through a voice vote in May. The Trump administration released its own plan for IT modernization, but the report is still in the draft phase as the White House seeks comment from industry partners and the public.

Puvvada said the focus of the Trump administration's plan on protecting high-value IT assets combined with the executive order on cybersecurity signed in May provides "a very significant boost" to many of the concerns relayed in the survey.

The backlog of politically appointed leadership positions that have yet to be filled by the administration may also be contributing to agency paralysis. The federal CIO and federal chief information security officer positions have yet to be filled. The Department of Homeland Security needs a new CIO after Richard Staropoli resigned in August, and several other agency CIO posts also are filled on an acting basis.

Sager said that while there was plenty of room for discussion about whether certain positions are necessary, it was just a "fact of life" that better staffing will lead to better coordination on modernization initiatives.

"There's room for disagreement over exactly how many jobs need to be filled…but we do need to move faster on the federal level, I really believe that," said Sager.