It has long been a half hope, half joke within the cybersecurity community that the United States’ aging information technology (IT) infrastructure might be more secure than modern IT. Our collective image of hackers as young and somewhat lazy suggests that, when confronted with legacy IT systems, they might simply move on to more familiar environments.
The OPM data breach should have put that idea to rest. While having to figure out how legacy systems work might slow attackers down, it isn’t going to stop them. And because these systems are not defensible, defenders get no visibility into the intrusion while it is under way, so the delay does not translate into detection and an opportunity to mitigate as it would with modern IT.
Tony Scott, chief information officer for the Office of Management and Budget, has recognized this and made a big push to modernize federal IT systems. According to Scott, federal civilian agencies spend about 71 percent of their IT budgets maintaining legacy IT. His proposed IT modernization fund would put $3.1 billion toward replacing legacy IT systems with modern, defensible ones.
The goal of this effort is, to borrow a phrase from Phil Venables, to purchase secure IT products, not security products. Rather than bolting on another perimeter security solution, Scott wants the federal government to engineer systems that are designed with built-in security. It’s a smart approach for the federal government. Unfortunately, the problem of legacy IT systems isn’t exclusively a problem in government.
While the 71 percent figure is high, the private sector is in worse shape. According to Hewlett Packard Enterprise, “roughly 80 percent of IT spend is dedicated to legacy system maintenance plus security and compliance costs.” That number has held fairly constant over the years. The danger right now is that the focus on cybersecurity is taking money away from IT modernization efforts and putting it toward bolt-on cybersecurity.
If cybersecurity is going to continue to be primarily a private sector responsibility, one of the few things government should consider doing is helping to stimulate the replacement of legacy and indefensible IT systems with modern and defensible IT systems in the private sector. While I won’t make any predictions about when the country will next slip into recession, one of the lessons learned from the Great Recession is that we should start planning now for the next round of stimulus.
Tax credits were an effective tool for spurring both green power and associated job growth as part of the stimulus. Tax policy could also be an effective tool for improving cybersecurity, but it would require a carefully developed plan that incentivizes investment in IT systems that are both modern and secure. The plan also needs to avoid simply handing out tax credits for investments that companies would have made anyway. This effort should also focus on sectors of critical infrastructure that are both under threat and lack the financial resources to make these investments on their own. The electric sector, long burdened by regulated pricing, would be a good candidate. Hospitals might be another.
I’ll leave it to experts on tax policy to design a program that would get these incentives aligned with the national interest in securing cyberspace. I’m not an expert in that area. What I do know is that for much of the Obama administration, the only thing the cybersecurity community seemed to agree on was that information sharing was good and regulation was bad. We badly need to start exploring what other public policy tools we can use to address cybersecurity. Tax policy is one of them.