Every now and then a pair of stories come along that seem unrelated, but put together they give a bigger picture than either does on its own. Last week saw one such example.
The first was a report from systems security specialist Thales e-Security and 451 Research, which said that 65% of U.S. federal agencies have experienced a data breach at some stage in the past, and 34% experienced one in the last year. Even more alarming, 96% of agencies consider themselves vulnerable to a breach, with 48% stating they are very or extremely vulnerable.
And they are not doing a very good job of adopting security measures going forward, either. While 92% of federal respondents said they will use sensitive data in an advanced technology environment this year, such as big data and IoT, 71% believe this will occur without proper security being in place.
Why is it so bad? Well, the answer may have come a few days later at a conference sponsored by OSIsoft, a provider of operational intelligence infrastructure. Daryl Haegley, program manager for the Office of the Assistant Secretary of Defense for Energy, Installations and Environment, said that 75% of Department of Defense computers run Windows XP or older operating systems, going as far down the chain as Windows 95.
“A lot of these systems are still Windows 95 or 98, and that’s OK — if they’re not connected to the internet,” Haegley is quoted as saying.
Isn’t that reassuring?
Haegley said he’d like to see another Hack the Pentagon event to examine its critical infrastructure. The event held last year was a bug bounty that revealed 138 previously undisclosed vulnerabilities and cost about $150,000.
Now again, there is no direct link between the disturbingly high number of data breaches and the use of ancient operating systems, but then again, how can there not be? Those operating systems no longer receive security patches, so every vulnerability found in them since support ended stays open, and as Haegley wryly noted, the only defense they have is not being on the internet. That defense holds only as long as nothing else ever touches them: a maintenance laptop, a USB stick or a network link added later for convenience ends the isolation without anyone updating the risk assessment.
Just last year it came out that the Department of Defense's nuclear command and control messaging system still runs on an IBM Series/1 computer first introduced in 1976 and uses 8-inch floppy disks, while the Internal Revenue Service's master file of taxpayer data is written in assembly language code that is more than five decades old.
Again, the response to that was that the systems were so old they would not be vulnerable to modern-day hacks, but that is no way to operate. When these systems break, how do you replace or repair them, and who still knows how? And that's just for starters.
Government, like private industry, is prone to leave things alone if they are running smoothly. If it ain't broke, they won't fix it. Being out of date isn't considered being broke, and government budgets are nowhere near what the private sector has, so replacement is often out of the question.
Another reason why these things don’t get migrated is that the government deals with a considerable amount of turnover. People tend to leave sooner, mostly out of frustration with the inability to get things done. They come from the private sector where if an old system needs updating, there might be some battles and some headaches along the way, but eventually the urgency gets recognized.
In government, bureaucracy and regulation stifle any progress. I’ve heard time and again about really bright people going to work for one agency or another, only to leave after 18 months in total frustration and return to the private sector.
I guess I can find some gallows humor in all of this. Here we are on the brink of war with North Korea and it looks like both sides have computer systems from the same era.