It’s Not Just the Navy, the Entire US Government Uses Outdated Software

Jonathan Zhou
6/30/2015
Updated: 7/7/2015

It’s common to hear Americans complain that federal agencies don’t work, that they’re sluggish and inefficient. In day-to-day conversations, the Department of Motor Vehicles (DMV) is often the go-to example for terrible experiences.

A Pew Research Center survey from earlier this year found that only 23 percent of Americans trust the federal government to do the right thing “most of the time”—meaning that most people don’t trust that the government will do its job well.

Major blunders undermine that trust even more, like when it was revealed earlier in June that due to gaping cybersecurity holes, Chinese hackers were able to siphon sensitive information from the Office of Personnel Management (OPM) on some 18 million current and past federal employees for more than a year. 

This week, it was the U.S. Navy’s turn to be jeered, after it was reported that it was still paying Microsoft $9 million per year to use Windows XP—a 14-year-old operating system that had already stopped receiving security updates for a full year.

The most distressing part of these recent security breaches is that the use of archaic technology is the rule, not the exception, in the U.S. government. 

For example, the technology the government deploys to manage high-stakes military facilities is often decades old. In 2014, a tour of a nuclear missile silo in Wisconsin found that the launch command systems were still run on floppy disks from the 1980s. In 2012, the Army began migrating its tech platforms from Windows XP to Windows 7, having decided to skip Vista altogether.

Too Big to Move

The behemoth size and byzantine structure of the federal bureaucracy—a characteristic that also plagues mature corporations—curtails technology from being consistently kept up-to-date. 

Tim Lynch, owner of the Psychsoftpc computer store, which has supplied technology to federal agencies and the Department of Defense for years, said the store is often asked to find replacement parts, like switches and routers, for products that haven’t been made for years.

“There is a belief in these agencies that using new tech would be cost prohibitive so they focus on replacement of existing parts rather than getting new stuff in since they want everything standardized,” said Lynch via email.

He said some agencies, often their research departments, are more forward-thinking, but overall infrastructure is slow to adapt.

“It takes a great deal of effort to get things past committees to get anything new okayed,” said Lynch.

He also noted that the problem happens in the private sector too. As an example, 95 percent of all ATMs still run Windows XP.

“The larger the organization, the more bureaucracy, [and] the less agile the company in response to new technology,” he added.

Security Holes

What may be more troubling is that many of these vulnerabilities are routinely detected, then ignored. 

The recent hacking of the OPM—an attack so devastating that some have called it our “cyber 9/11”—was forewarned by the agency’s inspector general, who urged it in a 2014 report to immediately shut down all computers that did not have the proper security authorization, lest the agency provoke a breach with “national security implications.”

The irregular nature of cyberattacks makes it difficult to assess how much should be budgeted for cyberdefense. It only becomes clear after an attack that more cybersecurity funding should have been allocated.

“When budgets are cut, they are often cut in the area of cybersecurity. At times, advanced products must be turned off because the agency doesn’t have the budget to run them,” said John Prisco, CEO of Triumfant, via email. Triumfant provides security monitoring, detection, and remediation for advanced malware threats to the government and private sector.

It wouldn’t be fair to pin the blame entirely on the government. The large-scale transfer of information into the digital world means that there are more vulnerabilities to exploit than ever, and even private companies—one need only look at Sony—aren’t exempt from the trend, much less public ones.

Smaller hacks are becoming so frequent that the public barely notices them anymore—the Houston Astros and even cybersecurity research firm Kaspersky Lab were hacked this month—overshadowed as they are by the theft of millions of credit card numbers in the breaches of companies like Neiman Marcus, Target, and Home Depot.

The number of mega-breaches—where more than 1 million records are compromised—grew by a factor of 10 between 2005 and 2014, and the trend is only accelerating. It’s hard for any organization these days to keep ahead of the many security threats—not just the government.