Page 1

Cybersecurity Risk: The Driver for IT Modernization

Industry Perspective

Many federal, state and local government agencies are taking unnecessary security risks by operating network equipment beyond the end of supported life. Replacing outdated infrastructure with modern secure technology not only reduces security risks but also improves efficiency, productivity and service delivery in our digitized world. To bring awareness to this issue, and help the public sector address it, GovLoop and Cisco have partnered for this Industry Perspective about modernizing your network and infrastructure. In this report, we interviewed Anthony Grieco, Senior Director of Cisco’s Security and Trust Organization, for his take on the need for government to modernize.

The Digital Transformation Government’s use of digital technology has been growing over the past four decades, both in the office and for delivering services to citizens. But advances in digital networking and the applications riding on them are coming now at speeds and on a scale that are unprecedented.

“What we are seeing today is a pace of growth beyond anything we have seen in the past 40 years. We are experiencing exponential growth in digitization,” said Anthony Grieco, Senior Director of Cisco’s Security and Trust organization. This digital transformation means that technology is not only ubiquitous, it is becoming critical in our lives and in the way we do business. Fifteen years ago it probably did not matter if an e-mail was not delivered, as it wasn’t the primary way to pass information. Today, e-mail, text messaging, online conferencing and collaboration are critical to missions at every level of government. Agencies no longer conduct business at the speed of paper; they operate at the speed of light. Citizens demand the convenience of online interaction with agencies, and expect security and privacy. Access to people, information and resources at any time from any place is no longer a mere convenience. It is a requirement. “Every day we are becoming more fundamentally dependent on this technology,” Grieco said.

Opportunities and Challenges Like many advances, the digital transformation is a two-edged sword, presenting both opportunities and challenges. Coworkers no longer need to be in the same room to provide input and exchange ideas. Business travel no longer is the necessity it once was, and work has become something you do, not a place you go. Data can be stored, retrieved, searched and analyzed on a scale that was not possible a few years ago, adding value to the vast amounts of information now being gathered. Citizens no longer have to travel to government offices to receive services, and workers no longer have to meet face-to-face with citizens to provide help and information. But the cyberthreat landscape also is changing rapidly. Attacks are constant, and threats are becoming more complex and sophisticated. A network breach today is no longer an inconvenience; it can derail operations, disrupt the lives of millions of individuals and undermine trust in our governments. Despite increasing attention to cybersecurity by governments, the U.S. Computer Emergency Readiness Team (US CERT) received 75,087 incident reports in fiscal year 2015, a 12 percent increase from the previous year and 29 percent above fiscal year 2013. These reports do not all represent serious security breaches, but the largest increases were in high-volume network scans and probes. In other words, publicsector networks today are under nearly constant surveillance and attack by adversaries ranging from casual hackers to organized criminal gangs, from terrorist organizations to nation states. Although the digital transformation is expanding the online attack surface, it also can provide improved cybersecurity. Technology is evolving at a rapid pace to counter these threats. A security-driven network refresh to replace outdated equipment can help eliminate vulnerabilities and mitigate risks, and also allow agencies to take advantage of the efficiencies and functionality of new technology to improve both their economy and productivity.



Risks and Consequences of Outdated Infrastructure Hardware and software developers are building on decades of experience to support new capabilities, provide smart infrastructures and leverage the Internet of Things for the secure creation, collection, delivery and use of data on large scales and at high speeds. But both the public and private sectors have invested billions of dollars over the past 40 years in platforms to support services and processes that have become mission-critical. While new features and equipment are being added, the old ones do not disappear. While e-mail and web applications are no longer considered cutting edge, they are relied on every day. The availability of these applications and the networks that support them remain critical to the way we conduct business today. The legacy infrastructure supporting these functions has often been resilient. And to its credit, it often demands little attention. “While many of these devices are still operating functionally,” Grieco said, “people tend to take them for granted, even as our needs and dependence on them increases, and there is a level of complacency.” But with this complacency comes risk. As equipment becomes outdated and reaches its end of supported life, it becomes less efficient, less productive and less secure. Outdated infrastructure does not support modern applications and innovation, and it does not have the resiliency needed to survive today’s threat environment. Modern cybersecurity is about risk management, which requires eliminating and mitigating risks where possible, and knowingly accepting those that remain. But you can’t manage risks that you don’t see.

“Public Sector Organizations don’t realize the risk associated with leaving legacy equipment in place. Being up-to-date helps you to put into place the risk mitigation you need,” Grieco said. Many government agencies are operating mission-critical systems with equipment that is approaching or has passed its end of supported life. A 2012 survey by the National Association of State Workforce Agencies found that most IT systems supporting unemployment insurance programs are old and based on outmoded programming languages, many dating as far back as the 1970s or 1980s. An analysis of 200 IT systems for the state of Colorado found 77 were more than 15 years old, and a 2014 study of systems by the Texas Department of Information Resources found that 61 percent were classified as legacy — that is, obsolete or inefficient.



These systems were not designed to withstand the threats of today’s online adversaries. During their supported life, vendors routinely issued security patches and updates to protect them against evolving threats. But once unsupported, they lose this protection and obsolete platforms are unable to support current cybersecurity needs. Agencies that continue to operate this equipment not only are missing out on the efficiency and economy of up-to-date technology – they are expending resources to maintain weaknesses in their networks that are vulnerable to exploit.

Cybersecurity Is Not Optional While effective cybersecurity is a top priority for all organizations, maintaining this security is more than a matter of self-interest. Cybersecurity is a requirement under a number of laws and regulations for government, contractors and other organizations that use and store sensitive government information. The foundation for federal cybersecurity is FISMA — originally the Federal Information Security Management Act, now the Federal Information Security Modernization Act. FISMA requires executive branch agencies to maintain cybersecurity programs and routinely assess and certify the security status of all information systems. Underlying this law is a library of guidelines, standards and best practices created by the National Institute of Standards and Technology (NIST) in its 800 series of Special Publications. In early 2016, the White House released the Cybersecurity National Action Plan, which recognizes cybersecurity as “one of the most important challenges we face as a nation.” It establishes a Commission on Enhancing National Cybersecurity and calls for more than $19 billion for cybersecurity in the president’s budget for fiscal year 2017. NIST released a Framework for Improving Critical Infrastructure Cybersecurity in 2014, a set of voluntary guidelines and best practices that has been widely adopted by both industry and government. Yet in spite of these and many more government and industry regulations, many agencies continue to take unnecessary risks by maintaining unsupported and unsecured platforms.

The Security-Driven IT Modernization Reframing the ‘If it Ain’t Broke … ’ Mindset Legacy systems often represent significant capital expenditures that continue to provide a return by supporting mission-critical operations over the years. Appropriations for timely upgrades can be difficult to get when budgets are tight, and there often is a reluctance to tamper with critical systems as long as they are working. Although tech refreshes usually are done on nominal cycles of three to five years, in the real world of government IT the process is not always that straightforward. Not every process or service requires the latest and best equipment. And when a key measure of performance is uptime and availability of critical applications, updates to these systems can have a low priority. “If it’s working, don’t touch it,” is the attitude, Grieco said. Some systems are installed in unique environments that are remote and intended for long lifetimes, such as industrial control systems in critical infrastructure installations and military defense systems. These typically have a longer operational life than more conventional systems. All of these factors contribute to an accumulation of legacy systems over time. But operating these systems beyond the end of their supported life inevitably provides diminishing returns to the enterprise. As the effort to keep them running becomes greater, their vulnerability to attacks also grows. The organization misses out on the efficiency and productivity provided by up-to-date equipment, which is also easier to maintain and provides increased reliability with fewer financial and human resources.

Given the risks of operating an aging, end-of-life infrastructure and the advantages of new trustworthy platforms that have security designed in, there is no reason to risk critical agency data on legacy equipment. Security is no longer a secondary requirement that can be added as an afterthought to information systems. It must be an integral part of the infrastructure, and take advantage of the infrastructure to understand security posture, monitor activity, evaluate threats and respond at machine speeds. Because the network itself is critical to an effective cybersecurity posture, a security-driven refresh of the network can provide the confidentiality, integrity and availability needed for cybersecurity as well as the resilience, functionality and economy needed for good business practices. Cisco has been innovating networking products for more than 30 years and has a large installed base in networks around the globe. As threats to networks have evolved, Cisco responded with a Secure Development Lifecycle to ensure that security is built in to the underlying architecture of solutions and embedded throughout the enterprise. Ensuring this security is a continuous process. As new products are developed and existing products are updated, security is embedded into every platform. “The security landscape is continually evolving. Ten years ago, we didn’t know what things we would need to protect against today,” Grieco said. To keep all of its platforms secure, Cisco keeps them up-to-date as part of its Secure Development Lifecycle program.



First Things First Networks are not simple things. Not all elements are the same age or have the same requirements, and not all assets are equal. A securitydriven network refresh requires an understanding of where your network is today and where you want it to be. This requires planning. “You must know what you’ve got in your network,” Grieco said. “That’s the first step.” Then build on that awareness to make risk-based decisions about what to do and when to do it. Six important first steps include: •

Inventory the network. Networks are organic things that grow and evolve over time. Unknown and unauthorized devices — “Shadow IT”— can creep into the infrastructure and legacy equipment can be forgotten. Discovery is essential to making decisions.

Perform a risk-based vulnerability assessment. It is not enough to know the equipment and vulnerabilities. Sensitive information and critical resources can represent higher risks than secondary public-facing assets. Identify and prioritize them.

Patch and upgrade. This is a basic part of good cybersecurity hygiene.

Harden the infrastructure with best practices. Replace default settings to ensure that services and access are appropriately limited, and then monitor configurations.

Identify equipment that is approaching its end of supported life. Products that are not being patched and updated by their vendors create vulnerabilities in the network.

Create a risk-based funding plan for the refresh. Make sure that those things that must be done will be done. Then move on.



It also is important to raise and maintain executive awareness of these issues and of the need for funding critical activities. Executive leadership must understand both the dangers of an outdated infrastructure and the business advantages of updating.

Making the Business Case Cybersecurity no longer is an issue restricted to the IT department. It has moved into the executive suite and the board room as a necessary business function. Companies can suffer serious financial loss and damage to brand value in the wake of data breaches. Government agencies risk the loss of public confidence when personal information of employees and citizens is exposed. In both the public and private sectors, breaches can be career-ending events for executives. But adequate budgets for IT security, maintenance and refresh cannot be assumed. Chief executives — both public and private — have a duty to ensure that the funds they control are spent responsibly. IT and security experts have a responsibility to make the case for these expenditures. Investing in a modern, digital-ready network provides solid returns that make good business sense. The security designed into Cisco platforms provides cost-effective security, resilience and trustworthiness that meets cybersecurity requirements. The platforms also support modern applications and processes that help organizations take full advantage of mobile computing, the Internet of Things, Big Data, cloud computing and other emerging technologies that are defining the modern workplace, marketplace and government. Organizations often put themselves at risk while struggling to do more with less. Enabling a digital transformation lets organizations do more, and do it securely and economically.

How Cisco Can Help Cisco can partner with customers to help them understand the current status of their network, decide where they need to be and chart a path to get there. Consultants can help not only in laying out a roadmap for a security-driven IT modernization, but in taking full advantage of modern, trustworthy platforms to achieve the desired business outcome. Cisco consultants can also help customers meet and stay in compliance with applicable regulatory requirements for cybersecurity. Experts can match security capabilities of modern platforms with best practices and government regulation to ensure that updated networks are not only in compliance, but are truly secure. “It’s all about driving the risk down to enable future growth and innovation.” Grieco said. There is no need to take risks with your agency’s data and reputation.

About Cisco

About GovLoop

Don’t Risk a Security Breach. Don’t Risk IT.

GovLoop’s mission is to “connect government to improve government.” We aim to inspire public-sector professionals by serving as the knowledge network for government. GovLoop connects more than 250,000 members, fostering cross-government collaboration, solving common problems and advancing government careers. GovLoop is headquartered in Washington, D.C., with a team of dedicated professionals who share a commitment to connect and improve government.

Are you entrusting your organization’s crucial data to aging, end-of-life infrastructure? Don’t Risk IT! Cisco security-driven network offerings are built from concept to completion to include built-in security to protect sensitive data. Learn more at

For more information about this report, please reach out to @GovLoop



1152 15th St NW, Suite 800 Washington, DC 20005 Phone: (202) 407-7421 Fax: (202) 407-7501 @GovLoop

Cybersecurity Risk: The Driver for IT Modernization  
Cybersecurity Risk: The Driver for IT Modernization