COMMENTARY: Federal agencies running antiquated infrastructure are increasingly vulnerable to cyber risks because of technical debt (tech debt), particularly from end-of-life (EoL) and end-of-support (EoS) systems.
The recent downsizing across the federal government that's dominated the news since the Trump administration took office in January has reduced the people resources available to manually track and maintain these EoL/EoS systems to reduce cyber risk.
So, now more than ever, federal agencies need a way to manage and reduce tech debt proactively.
[SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Read more Perspectives here.]
This issue is particularly acute for EoL and EoS systems, which no longer receive security updates and patches. As these systems age, they become more susceptible to exploitation, amplifying the risks associated with tech debt.
Even with more stringent regulations in place, many organizations still must prioritize tech debt and the resultant cyber risks in their tech upgrade plans. Historical cyberattacks, like those involving Log4Shell and WannaCry, have predominantly targeted EoL software, highlighting the severe risks that neglected tech debt can present.
These types of attacks can have devastating consequences, both operationally and financially, by increasing an organization’s vulnerability to cyber threats.
According to the Qualys Threat Research Unit, 20% of federal agency assets contain high-risk EoS software, an alarming stat because nearly half of the vulnerabilities in the Cybersecurity and Infrastructure Security Agency’s (CISA) Known Exploited Vulnerabilities (KEV) catalog are present in EoS software. This research indicates that many federal systems run on outdated software, making them prime cyberattack targets.
This begs the question: What can we do to reduce tech debt within federal agencies?
First and foremost, we must foster collaboration between IT and security teams to mitigate the vulnerabilities within outdated technological infrastructures and address tech debt within federal agencies.
Traditionally, chief information officers (CIOs) and chief technology officers (CTOs) have managed tech debt in government and private sector IT departments. However, the escalating cyber risks associated with this debt require the involvement of chief information security officers (CISOs). The CISO’s role has become more important, mainly because EoS software vulnerabilities are four times more likely to be compromised in a hack.
Second, by leveraging the appropriate cyber risk management measures and strategies, agencies can proactively manage their tech infrastructure, particularly around tech debt. Moreover, a comprehensive and coordinated effort between IT departments, security teams and senior management is not just a strategic recommendation, but a necessity in the face of escalating cyber threats. Adopting such a comprehensive approach, which involves all government and partner stakeholders, will enhance the capabilities of federal agencies to protect against and respond to quickly evolving cyber incidents, ultimately ensuring that they remain resilient in an increasingly digital government.
Prioritize high and critical vulnerabilities
Federal IT and cybersecurity teams possess crucial cyber risk data that can significantly enhance tech debt management. This data includes:
How to reduce tech debt
Suppose CISOs and SecOps leaders are not tracking the cyber risks associated with EoL/EoS statuses and sharing this information with IT departments. In that case, they must start this process right away. Essential recommendations to achieve this include:
Ignoring tech debt has security and “sunk cost” implications, which are equally important. Consider that unused software expands the attack surface unnecessarily and creates more maintenance work, leading to inefficiencies and licenses being purchased needlessly.
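The tracking the column recommends, in the form of an added illustration that is not Qualys code or part of the original commentary: join an asset inventory carrying vendor EoS dates with vulnerability findings, flag the CVEs that appear in CISA's KEV catalog, and rank assets so that EoS status and KEV membership outweigh raw severity. All inventory entries, CVE identifiers (zero-padded placeholders) and the KEV set are constructed sample data; the weights are assumptions for the example.

```python
from datetime import date

# Assumed "as of" date for the report; constructed for this example.
AS_OF = date(2025, 6, 1)

# Constructed sample inventory (not real agency data): asset id, product, vendor EoS date.
ASSETS = {
    "srv-01": {"product": "Windows Server 2012 R2", "eos": date(2023, 10, 10)},
    "srv-02": {"product": "Ubuntu 22.04", "eos": date(2027, 4, 1)},
    "srv-03": {"product": "CentOS 7", "eos": date(2024, 6, 30)},
}
# Constructed findings: placeholder CVE ids, CVSS severity band, asset they were found on.
FINDINGS = [
    {"asset": "srv-01", "cve": "CVE-0000-0001", "severity": "critical"},
    {"asset": "srv-02", "cve": "CVE-0000-0002", "severity": "high"},
    {"asset": "srv-03", "cve": "CVE-0000-0003", "severity": "medium"},
    {"asset": "srv-03", "cve": "CVE-0000-0004", "severity": "high"},
]
# Constructed stand-in for the CISA KEV catalog (the real one is published by CISA as CSV/JSON).
KEV = {"CVE-0000-0001", "CVE-0000-0003"}
# Assumed weights: EoS and KEV membership are meant to outrank severity alone.
SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}
EOS_WEIGHT, KEV_WEIGHT = 10, 5

def is_eos(asset_id, today=AS_OF):
    """True once the vendor support date has passed: no further security patches."""
    return ASSETS[asset_id]["eos"] < today

def score_asset(asset_id, today=AS_OF):
    """Return (score, reasons): EoS status plus per-finding severity and KEV boosts."""
    score, reasons = 0, []
    if is_eos(asset_id, today):
        score += EOS_WEIGHT
        reasons.append("EoS")
    for f in FINDINGS:
        if f["asset"] != asset_id:
            continue
        weight = SEVERITY_WEIGHT[f["severity"]]
        if f["cve"] in KEV:
            weight += KEV_WEIGHT
            reasons.append(f"{f['cve']} in KEV")
        score += weight
    return score, reasons

def prioritized(today=AS_OF):
    """Assets ranked for the IT/security hand-off, highest risk first."""
    ranked = [(asset, *score_asset(asset, today)) for asset in ASSETS]
    return sorted(ranked, key=lambda row: row[1], reverse=True)

if __name__ == "__main__":
    for asset, score, reasons in prioritized():
        print(asset, ASSETS[asset]["product"], score, ", ".join(reasons))
```

Note that srv-03 outranks srv-01 even though its findings are only medium and high: an EoS host with a KEV-listed CVE will never be patched by the vendor, which is the point the column makes about EoS software and the KEV catalog.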
As the federal government navigates the challenges of a significantly streamlined workforce, addressing technical debt has become a pressing priority. By proactively managing and reducing tech debt, agencies can ensure a more robust and efficient technological infrastructure for the future.
This strategic approach enhances cyber resilience and also fosters federal tech innovation, equipping the government to better face evolving cyber challenges. Tackling tech debt now has become crucial to securing a safer and more innovative digital landscape in government agencies and for their private sector partners.
Kunal Modasiya, senior vice president, product management, GTM and Growth, Qualys
SC Media Perspectives columns are written by a trusted community of SC Media cybersecurity subject matter experts. Each contribution has a goal of bringing a unique voice to important cybersecurity topics. Content strives to be of the highest quality, objective and non-commercial.