A renewed push for secure modernization

With the SolarWinds breach as a catalyst and new leadership across government, agencies are rethinking their roadmaps.

Past investments in IT modernization paid big dividends when federal agencies had to adapt their operations to the COVID-19 pandemic, but those modernization roadmaps must keep evolving. As 2021 got underway, the security risks exposed by the SolarWinds breach forced agencies to adapt yet again — as did the political priorities of a new administration.

FCW recently gathered a group of IT leaders to explore how their IT modernization efforts were holding up and where further adjustments were expected. The discussion was on the record but not for individual attribution (see sidebar for the full list of participants), and the quotes have been edited for length and clarity. Here's what the group had to say.

SolarWinds: A wake-up call and an opportunity

The exploit of SolarWinds' Orion IT management software, which was discovered in December 2020, directly affected at least nine federal agencies and made clear the limitations of the Department of Homeland Security's Einstein network protection program. The roundtable participants said the breach also illustrated the urgency government should feel about modernizing legacy infrastructure and systems.

Although the risks that can lurk in the supply chain are definitely a concern, one official said, the SolarWinds exploit showed how legacy IT can too easily let attackers "laterally move across the enterprise."

"We're still talking about that hard shell and the soft squishy interior, and that's got to get fixed," the official said. "It scares me to death on some of the older systems that are out there and what could happen with those older systems that you can only put a hard shell around. Zero trust is not built in through the entire stack, and those applications are at risk."

CIOs and chief information security officers were already well aware of those risks, the group agreed, but SolarWinds served to focus the attention of agencies' senior-most leaders and provided an opportunity to obtain support for fundamental infrastructure modernization.

FCW Perspectives

Participants

Artie Chin
Chief Digital Services Officer, Department of Housing and Urban Development

Danny Connelly
Chief Information Security Officer, Americas, Zscaler

Allen Hill
Deputy Assistant Commissioner for Category Management, General Services Administration

Pamela Isom
Deputy CIO for Architecture, Engineering, Technology and Innovation, Department of Energy

Wanda Jones-Heath
Chief Information Security Officer, Department of the Air Force

Mark Montgomery
Executive Director, Cyberspace Solarium Commission

Katie Olson
Deputy Director, Defense Digital Service

Jose Padin
Director of Pre-Sales Engineering, U.S. Public Sector, Zscaler

Maria Roat
Deputy Federal CIO, Office of Management and Budget

Francisco Salguero
CIO, Federal Communications Commission

Sid Sripada
Director, Cloud Adoption and Infrastructure Optimization, Centers of Excellence, General Services Administration

Courtney Winship
Deputy Chief Data Officer, U.S. Citizenship and Immigration Services

Note: FCW Editor-in-Chief Troy K. Schneider led the roundtable discussion. The Feb. 8, 2021, gathering was underwritten by Zscaler, but both the substance of the discussion and this recap are strictly editorial products. Neither Zscaler nor any of the roundtable participants had input beyond their Feb. 8 comments.

The scramble to respond to SolarWinds "really hasn't changed our modernization plans," one participant said. "What it's done is just brought it to the forefront again. In an event such as this, leadership now starts to have visibility into what's going on. And so they start to ask questions, and we can actually see where their appetite is to ensure that security stays in the forefront."

"This is a continuance of everything that we've been talking about for years," another participant agreed. "It's just that with the pandemic and being more in the telework approach, we have a lot of folks on our network coming from every direction. SolarWinds just adds to the discussion. Modernization with security is the talk of today."

Some participants said their modernization plans had already evolved or at least taken on greater importance. The SolarWinds incident "heightened how we're looking at our future modernization," one said. "If you move to a zero trust-architected network, you have to modernize your infrastructure. We've got to get off the old technologies."

Additionally, several participants said, the cybersecurity argument was more likely to win funding and executive support than making the case for improved efficiency and future cost savings.

"A lot of times it's easier to say, 'Well, it's security-related,' so then all of a sudden that piques their interest and keeps them engaged," one said.

Working with (and waiting for) the new leaders

To secure executive buy-in, though, agency IT leaders must first get to know those new executives, many of whom are not yet in place.

One participant's agency does not have a CIO at the moment. "The secretary has not been confirmed," that executive said. "There's no deputy secretary. I'm waiting for those detailed discussions to pick up."

At another agency, "political leadership is trickling in, so we've done this sort of canned briefing several times," another official said. "And we'll probably have to do it several more times. We've worked so hard on modernization at the department, and we want to keep it going." There's a fear that the new administration's team will come in predisposed to "go in a completely different direction."

A third official said modernization efforts continue, but "the pace of our releases has slowed down … because we don't want to get ahead of policy. So we are in a little bit of a slower pace — I don't want to call it a maintenance mode — while I'm trying to do that communications job to the new administration so that we can garner that support and push forward."

A fourth participant's agency began planning for such a pause soon after the election and focused on projects that made sense regardless of political priorities or governance changes. "We are pushing forward on some of that unsexy work, those foundational-type modernization efforts," that official said. "No one's going to complain about the decommissioning of a 40-year-old mainframe legacy system. But some of that flashy, sexy work, we did adjust our roadmaps to push that out to May, June, July so that the new leadership can come in, take a look at what we're doing and then point us in the direction that they want to go."

Some participants, however, argued that virtually all modernization efforts should fall into the "full speed ahead" category. "If you slow down, you lose altitude," one official said. "Our modernization plan has been in place for a little over two years. We've invested in certain technologies and initiatives, and we're moving forward. The CIO and the CISOs were all circled together and said the best way to keep momentum is keep going. It can't wait on the new administration."

Another participant noted that, regardless of new administration priorities, the increased emphasis on secure modernization will inevitably change agencies' plans. "When you focus on cyber, I think that will turn over a lot of rocks in terms of some of the cyber-hygiene tools and software that we have in place," the official said. "So while I don't think the new leadership has been explicit in terms of modernization, I think that they're at a high level saying, 'Well, we need to think about secure systems.' And I think from that will follow an emphasis on some of the tools that we need to modernize."

Post-COVID: Orphan systems and dispersed workers

The group agreed that the pandemic-driven upheaval of 2020 is not yet in the rearview mirror. Although past modernization efforts, especially the government's move to cloud services, made massive telework feasible, the plans for 2021 and beyond are still adapting to a new normal that has yet to be fully defined.

One challenge will be managing the full life cycle of systems and solutions that were deployed on an emergency basis in 2020. Participants cited the Defense Department's Commercial Virtual Remote environment as a prime example. That DOD-wide instance of Microsoft Teams is now being retired in favor of individual but interoperable tenancies for each military service. But countless smaller projects will need to be scrutinized, participants said.

"There have been a number of tools specifically related to dealing with a health pandemic that there's not a clear home for," one executive said. Although active use of some of those solutions will likely end in the coming months, "I'm hoping that the next administration takes a look at what are the digital tools and digital health infrastructure we need to put in place for if and when this happens again.… And our team is not set up to maintain some of these tools forever."

Others pointed to the need to reassess dramatically expanded virtual desktop licenses and extra bandwidth. The agencies that were able to use software-defined wide-area networks and other infrastructure-as-a-service solutions "are saving a lot more money," one official noted, which could give others the evidence they need to make similar moves. Government should have vendors take over low-level legacy infrastructure, "replace it with modern technology and move to an as-a-service solution," that official said. "And then that way you have the ability to expand a contract based on your needs as an agency or a service."

More important than any specific system, however, is ensuring that agency employees who have been scattered and stretched are set up to succeed.

"I think it's really going to be interesting to see how this translates in the future because we have proven that, to a certain extent, knowledge workers are capable of getting a job done outside a physical office," one participant said. "There are tools that can make their lives better, and there are tools that can make security better. So when it comes down to being able to attract talent and keep talent to help the government," the old approach of issuing a laptop and VPN access should give way to "modern technology with security that sits in line in the cloud and you can quickly get to anything."

Several officials agreed that a better location-agnostic user experience will be crucial to retaining employees and that there are opportunities to broaden the talent pool if agencies will adapt. "We were originally told that no hiring could happen until after the pandemic because you had to come in and give your oath in person and fill out all this paperwork," one participant said. Those obstacles were overcome with videoconferencing and digital signatures. However, most agencies are not yet able to build teams without regard to physical location.

"You need to have a remote workforce, and you can tap into a bigger talent pool," that official said. It takes a modern IT environment and deliberate management changes to virtualize the work environment, but "this is a good opportunity for agencies to think about the expanded talent pool they can get, particularly from the West Coast, if they're willing to let people work remotely."

An argument for agile modernization

The roundtable participants noted that multiyear funding remains one of the biggest obstacles to foundational IT modernization (the discussion took place before the most recent relief bill provided $1 billion for the Technology Modernization Fund), but they also said 2020 demonstrated the value of rapid and incremental improvements.

Traditionally, one official said, IT modernization has been "looked at as this big five- or 10-year program. And what happened [during the pandemic], because it had to happen, is that we were able to modernize in pieces. And I think what we should be learning from this is not only the specific technologies that assisted, but the fact that you can modernize in pieces. You can find technologies that can help in both the near term and long term. It's amazing to see it in action."