
Cybersecurity Risk: The Driver for IT Modernization

Industry Perspective

Many federal, state and local government agencies are taking
unnecessary security risks by operating network equipment
beyond the end of supported life. Replacing outdated
infrastructure with modern secure technology not only reduces
security risks but also improves efficiency, productivity and service
delivery in our digitized world. To bring awareness to this issue,
and help the public sector address it, GovLoop and Cisco have
partnered for this Industry Perspective about modernizing your
network and infrastructure. In this report, we interviewed Anthony
Grieco, Senior Director of Cisco’s Security and Trust Organization,
for his take on the need for government to modernize.
The Digital Transformation

Government’s use of digital technology has been growing over the past four decades, both in the office and for delivering services to citizens. But advances in digital networking and the applications riding on them are coming now at speeds and on a scale that are unprecedented.

“What we are seeing today is a pace of growth beyond anything we have seen in the past 40 years. We are experiencing exponential growth in digitization,” said Anthony Grieco, Senior Director of Cisco’s Security and Trust organization.

This digital transformation means that technology is not only ubiquitous, it is becoming critical in our lives and in the way we do business. Fifteen years ago it probably did not matter if an e-mail was not delivered, as it wasn’t the primary way to pass information. Today, e-mail, text messaging, online conferencing and collaboration are critical to missions at every level of government. Agencies no longer conduct business at the speed of paper; they operate at the speed of light. Citizens demand the convenience of online interaction with agencies, and expect security and privacy. Access to people, information and resources at any time from any place is no longer a mere convenience. It is a requirement.

“Every day we are becoming more fundamentally dependent on this technology,” Grieco said.

Opportunities and Challenges

Like many advances, the digital transformation is a two-edged sword, presenting both opportunities and challenges.

Coworkers no longer need to be in the same room to provide input and exchange ideas. Business travel no longer is the necessity it once was, and work has become something you do, not a place you go. Data can be stored, retrieved, searched and analyzed on a scale that was not possible a few years ago, adding value to the vast amounts of information now being gathered. Citizens no longer have to travel to government offices to receive services, and workers no longer have to meet face-to-face with citizens to provide help and information.

But the cyberthreat landscape also is changing rapidly. Attacks are constant, and threats are becoming more complex and sophisticated. A network breach today is no longer an inconvenience; it can derail operations, disrupt the lives of millions of individuals and undermine trust in our governments.

Despite increasing attention to cybersecurity by governments, the U.S. Computer Emergency Readiness Team (US-CERT) received 75,087 incident reports in fiscal year 2015, a 12 percent increase from the previous year and 29 percent above fiscal year 2013. These reports do not all represent serious security breaches, but the largest increases were in high-volume network scans and probes. In other words, public-sector networks today are under nearly constant surveillance and attack by adversaries ranging from casual hackers to organized criminal gangs, from terrorist organizations to nation states.

Although the digital transformation is expanding the online attack surface, it also can provide improved cybersecurity. Technology is evolving at a rapid pace to counter these threats. A security-driven network refresh to replace outdated equipment can help eliminate vulnerabilities and mitigate risks, and also allow agencies to take advantage of the efficiencies and functionality of new technology to improve both their economy and productivity.

CYBERSECURITY RISK: THE DRIVER FOR IT MODERNIZATION 3


Risks and Consequences of Outdated Infrastructure

Hardware and software developers are building on decades of experience to support new capabilities, provide smart infrastructures and leverage the Internet of Things for the secure creation, collection, delivery and use of data on large scales and at high speeds.

But both the public and private sectors have invested billions of dollars over the past 40 years in platforms to support services and processes that have become mission-critical. While new features and equipment are being added, the old ones do not disappear. While e-mail and web applications are no longer considered cutting edge, they are relied on every day. The availability of these applications and the networks that support them remain critical to the way we conduct business today.

The legacy infrastructure supporting these functions has often been resilient. And to its credit, it often demands little attention.

“While many of these devices are still operating functionally,” Grieco said, “people tend to take them for granted, even as our needs and dependence on them increases, and there is a level of complacency.”

But with this complacency comes risk. As equipment becomes outdated and reaches its end of supported life, it becomes less efficient, less productive and less secure. Outdated infrastructure does not support modern applications and innovation, and it does not have the resiliency needed to survive today’s threat environment. Modern cybersecurity is about risk management, which requires eliminating and mitigating risks where possible, and knowingly accepting those that remain. But you can’t manage risks that you don’t see.

“Public Sector Organizations don’t realize the risk associated with leaving legacy equipment in place. Being up-to-date helps you to put into place the risk mitigation you need,” Grieco said.

Many government agencies are operating mission-critical systems with equipment that is approaching or has passed its end of supported life. A 2012 survey by the National Association of State Workforce Agencies found that most IT systems supporting unemployment insurance programs are old and based on outmoded programming languages, many dating as far back as the 1970s or 1980s. An analysis of 200 IT systems for the state of Colorado found 77 were more than 15 years old, and a 2014 study of systems by the Texas Department of Information Resources found that 61 percent were classified as legacy — that is, obsolete or inefficient.

These systems were not designed to withstand the threats of today’s online adversaries. During their supported life, vendors routinely issued security patches and updates to protect them against evolving threats. But once unsupported, they lose this protection, and obsolete platforms are unable to support current cybersecurity needs.

Agencies that continue to operate this equipment not only are missing out on the efficiency and economy of up-to-date technology – they are expending resources to maintain weaknesses in their networks that are vulnerable to exploit.

Cybersecurity Is Not Optional

While effective cybersecurity is a top priority for all organizations, maintaining this security is more than a matter of self-interest. Cybersecurity is a requirement under a number of laws and regulations for government, contractors and other organizations that use and store sensitive government information.

The foundation for federal cybersecurity is FISMA — originally the Federal Information Security Management Act, now the Federal Information Security Modernization Act. FISMA requires executive branch agencies to maintain cybersecurity programs and routinely assess and certify the security status of all information systems. Underlying this law is a library of guidelines, standards and best practices created by the National Institute of Standards and Technology (NIST) in its 800 series of Special Publications. In early 2016, the White House released the Cybersecurity National Action Plan, which recognizes cybersecurity as “one of the most important challenges we face as a nation.” It establishes a Commission on Enhancing National Cybersecurity and calls for more than $19 billion for cybersecurity in the president’s budget for fiscal year 2017. NIST released a Framework for Improving Critical Infrastructure Cybersecurity in 2014, a set of voluntary guidelines and best practices that has been widely adopted by both industry and government.

Yet in spite of these and many more government and industry regulations, many agencies continue to take unnecessary risks by maintaining unsupported and unsecured platforms.

The Security-Driven IT Modernization

Reframing the ‘If it Ain’t Broke … ’ Mindset

Legacy systems often represent significant capital expenditures that continue to provide a return by supporting mission-critical operations over the years. Appropriations for timely upgrades can be difficult to get when budgets are tight, and there often is a reluctance to tamper with critical systems as long as they are working.

Although tech refreshes usually are done on nominal cycles of three to five years, in the real world of government IT the process is not always that straightforward. Not every process or service requires the latest and best equipment. And when a key measure of performance is up-time and availability of critical applications, updates to these systems can have a low priority. “If it’s working, don’t touch it,” is the attitude, Grieco said.

Some systems are installed in unique environments that are remote and intended for long lifetimes, such as industrial control systems in critical infrastructure installations and military defense systems. These typically have a longer operational life than more conventional systems.

All of these factors contribute to an accumulation of legacy systems over time. But operating these systems beyond the end of their supported life inevitably provides diminishing returns to the enterprise. As the effort to keep them running becomes greater, their vulnerability to attacks also grows. The organization misses out on the efficiency and productivity provided by up-to-date equipment, which is also easier to maintain and provides increased reliability with fewer financial and human resources.

Given the risks of operating an aging, end-of-life infrastructure and the advantages of new trustworthy platforms that have security designed in, there is no reason to risk critical agency data on legacy equipment.

Security is no longer a secondary requirement that can be added as an afterthought to information systems. It must be an integral part of the infrastructure, and take advantage of the infrastructure to understand security posture, monitor activity, evaluate threats and respond at machine speeds. Because the network itself is critical to an effective cybersecurity posture, a security-driven refresh of the network can provide the confidentiality, integrity and availability needed for cybersecurity as well as the resilience, functionality and economy needed for good business practices.

Cisco has been innovating networking products for more than 30 years and has a large installed base in networks around the globe. As threats to networks have evolved, Cisco responded with a Secure Development Lifecycle to ensure that security is built in to the underlying architecture of solutions and embedded throughout the enterprise. Ensuring this security is a continuous process. As new products are developed and existing products are updated, security is embedded into every platform.

“The security landscape is continually evolving. Ten years ago, we didn’t know what things we would need to protect against today,” Grieco said.

To keep all of its platforms secure, Cisco keeps them up-to-date as part of its Secure Development Lifecycle program.



First Things First

Networks are not simple things. Not all elements are the same age or have the same requirements, and not all assets are equal. A security-driven network refresh requires an understanding of where your network is today and where you want it to be. This requires planning.

“You must know what you’ve got in your network,” Grieco said. “That’s the first step.”

Then build on that awareness to make risk-based decisions about what to do and when to do it.

Six important first steps include:

• Inventory the network. Networks are organic things that grow and evolve over time. Unknown and unauthorized devices — “Shadow IT” — can creep into the infrastructure, and legacy equipment can be forgotten. Discovery is essential to making decisions.

• Perform a risk-based vulnerability assessment. It is not enough to know the equipment and vulnerabilities. Sensitive information and critical resources can represent higher risks than secondary public-facing assets. Identify and prioritize them.

• Patch and upgrade. This is a basic part of good cybersecurity hygiene.

• Harden the infrastructure with best practices. Replace default settings to ensure that services and access are appropriately limited, and then monitor configurations.

• Identify equipment that is approaching its end of supported life. Products that are not being patched and updated by their vendors create vulnerabilities in the network.

• Create a risk-based funding plan for the refresh. Make sure that those things that must be done will be done. Then move on.

It also is important to raise and maintain executive awareness of these issues and of the need for funding critical activities. Executive leadership must understand both the dangers of an outdated infrastructure and the business advantages of updating.

Making the Business Case

Cybersecurity no longer is an issue restricted to the IT department. It has moved into the executive suite and the board room as a necessary business function. Companies can suffer serious financial loss and damage to brand value in the wake of data breaches. Government agencies risk the loss of public confidence when personal information of employees and citizens is exposed. In both the public and private sectors, breaches can be career-ending events for executives.

But adequate budgets for IT security, maintenance and refresh cannot be assumed. Chief executives — both public and private — have a duty to ensure that the funds they control are spent responsibly. IT and security experts have a responsibility to make the case for these expenditures.

Investing in a modern, digital-ready network provides solid returns that make good business sense. The security designed into Cisco platforms provides cost-effective security, resilience and trustworthiness that meets cybersecurity requirements. The platforms also support modern applications and processes that help organizations take full advantage of mobile computing, the Internet of Things, Big Data, cloud computing and other emerging technologies that are defining the modern workplace, marketplace and government.

Organizations often put themselves at risk while struggling to do more with less. Enabling a digital transformation lets organizations do more, and do it securely and economically.

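The six first steps listed above under “First Things First” can be turned into a repeatable check. The following Python script is an added example, not code from the report, from GovLoop or from Cisco: it compares a discovery list against the authorized inventory to surface unknown (“Shadow IT”) devices, classifies each inventoried device by end-of-support status, weights that status by the criticality and exposure recorded during the risk assessment, and emits a risk-ranked list to feed the funding plan. All hostnames, model names, dates and the scoring weights are constructed placeholders; the one-year warning window and the 1 to 5 criticality scale are assumptions an agency would replace with its own policy.

```python
"""Risk-ranked refresh plan for network equipment approaching end of support (added example)."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta
from typing import Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Device:
    hostname: str
    model: str
    end_of_support: Optional[date]  # None: vendor has announced no end-of-support date
    criticality: int                # 1 (low) .. 5 (mission-critical), from the risk assessment
    public_facing: bool             # reachable from outside the agency network


# Reference date fixed so the output is reproducible (constructed for this example).
TODAY = date(2016, 6, 1)

# Constructed authorized inventory; hostnames, models and dates are hypothetical placeholders.
AUTHORIZED: List[Device] = [
    Device("core-rtr-01", "legacy-router-A", date(2014, 12, 31), 5, False),
    Device("edge-fw-01", "legacy-firewall-B", date(2016, 9, 30), 5, True),
    Device("dist-sw-02", "switch-C", date(2019, 3, 31), 3, False),
    Device("web-lb-01", "loadbalancer-D", None, 4, True),
    Device("branch-sw-07", "legacy-switch-E", date(2015, 6, 30), 2, False),
]

# Constructed set of hostnames seen by network discovery (e.g. a neighbour table export).
DISCOVERED: Set[str] = {
    "core-rtr-01", "edge-fw-01", "dist-sw-02", "web-lb-01", "branch-sw-07", "lab-sw-99",
}


def find_shadow_devices(discovered: Iterable[str], authorized: Iterable[Device]) -> Set[str]:
    """Step 1 (inventory): devices on the wire that are missing from the authorized list."""
    return set(discovered) - {d.hostname for d in authorized}


def support_status(device: Device, today: date, warn_days: int = 365) -> str:
    """Step 5 (end of supported life): 'supported', 'approaching' or 'unsupported'."""
    if device.end_of_support is None:
        return "supported"
    if device.end_of_support <= today:
        return "unsupported"
    if device.end_of_support - today <= timedelta(days=warn_days):
        return "approaching"
    return "supported"


# Illustrative weights (assumption): unsupported gear outranks gear that is merely approaching.
STATUS_WEIGHT = {"unsupported": 3, "approaching": 2, "supported": 0}


def risk_score(device: Device, today: date) -> int:
    """Step 2 (risk-based assessment): support status weighted by criticality and exposure."""
    exposure = 2 if device.public_facing else 1
    return STATUS_WEIGHT[support_status(device, today)] * device.criticality * exposure


def refresh_plan(devices: Iterable[Device], today: date) -> List[Tuple[str, str, int]]:
    """Step 6 (funding plan): devices needing action, highest risk first, ties by hostname."""
    scored = [(d.hostname, support_status(d, today), risk_score(d, today)) for d in devices]
    needing_action = [row for row in scored if row[2] > 0]
    return sorted(needing_action, key=lambda row: (-row[2], row[0]))


if __name__ == "__main__":
    for host in sorted(find_shadow_devices(DISCOVERED, AUTHORIZED)):
        print(f"UNKNOWN      {host}: not in inventory, investigate before planning")
    for host, status, score in refresh_plan(AUTHORIZED, TODAY):
        print(f"{status.upper():<12} {host}: risk score {score}")
```

With the constructed data, the public-facing firewall that is four months from end of support ranks above the already unsupported but internal core router, which is the point of weighting by exposure and criticality rather than by support date alone; the unknown lab switch is reported separately, since a device that is not in the inventory cannot be scored until it has been identified.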
How Cisco Can Help

Cisco can partner with customers to help them understand the current
status of their network, decide where they need to be and chart a path
to get there. Consultants can help not only in laying out a roadmap
for a security-driven IT modernization, but in taking full advantage
of modern, trustworthy platforms to achieve the desired business
outcome.

Cisco consultants can also help customers meet and stay in compliance
with applicable regulatory requirements for cybersecurity.

Experts can match security capabilities of modern platforms with best practices and government regulation to ensure that updated networks are not only in compliance, but are truly secure.

“It’s all about driving the risk down to enable future growth and
innovation.” Grieco said.

There is no need to take risks with your agency’s data and reputation.

About Cisco

Don’t Risk a Security Breach. Don’t Risk IT.

Are you entrusting your organization’s crucial data to aging, end-of-life infrastructure? Don’t Risk IT! Cisco security-driven network offerings are built from concept to completion to include built-in security to protect sensitive data. Learn more at www.cisco.com/go/dontriskit.

About GovLoop

GovLoop’s mission is to “connect government to improve government.” We aim to inspire public-sector professionals by serving as the knowledge network for government. GovLoop connects more than 250,000 members, fostering cross-government collaboration, solving common problems and advancing government careers. GovLoop is headquartered in Washington, D.C., with a team of dedicated professionals who share a commitment to connect and improve government.

For more information about this report, please reach out to info@govloop.com.

www.govloop.com
@GovLoop

1152 15th St NW, Suite 800
Washington, DC 20005
Phone: (202) 407-7421
Fax: (202) 407-7501
