Page 48 - FCW, March/April 2021

FCW Perspectives
A renewed push for secure modernization
With the SolarWinds breach as a catalyst and new leadership across government, agencies are rethinking their roadmaps
Past investments in IT modernization paid big dividends when federal agencies had to adapt their operations to the COVID-19 pandemic, but those modernization roadmaps must keep evolving. As 2021 got underway, the security risks exposed by the SolarWinds breach forced agencies to adapt yet again — as did the political priorities of a new administration.
FCW recently gathered a group of IT leaders to explore how their IT modernization efforts were holding up and where further adjustments were expected. The discussion was on the record but not for individual attribution (see page 48 for the full list of participants), and the quotes have been edited for length and clarity. Here’s what the group had to say.
SolarWinds: A wake-up call and an opportunity
The exploit of SolarWinds’ Orion IT management software, which was discovered in December 2020, directly affected at least nine federal agencies and made clear the limitations of the Department of Homeland Security’s Einstein network protection program. The roundtable participants said the breach also illustrated the urgency government should feel about modernizing legacy infrastructure and systems.
Although the risks that can lurk in the supply chain are definitely a concern, one official said, the SolarWinds exploit showed how legacy IT can too easily let attackers “laterally move across the enterprise.”
“We’re still talking about that hard shell and the soft squishy interior, and that’s got to get fixed,” the official said. “It scares me to death on some of the older systems that are out there and what could happen with those older systems that you can only put a hard shell around. Zero trust is not built in through the entire stack, and those applications are at risk.”
CIOs and chief information security officers were already well aware of those risks, the group agreed, but SolarWinds served to focus the attention of agencies’ senior-most leaders and provided an opportunity to obtain support for fundamental infrastructure modernization.
The scramble to respond to the SolarWinds breach “really hasn’t changed our modernization plans,” one participant said. “What it’s done is just brought it to the forefront again. In an event such as this, leadership now starts to have visibility into what’s going on. And so they start to ask questions, and we can actually see where their appetite is to ensure that security stays in the forefront.”
“This is a continuance of everything that we’ve been talking about for years,” another participant agreed. “It’s just that with the pandemic and being more in the telework approach, we have a lot of folks on our network coming from every direction. SolarWinds just adds to the discussion. Modernization with security is the talk of today.”
Some participants said their modernization plans had already evolved or at least taken on greater importance. The SolarWinds incident “heightened how we’re looking at our future modernization,” one executive said. “If you move to a zero trust-architected network, you have to modernize your infrastructure. We’ve got to get off the old technologies.”
Additionally, several participants said, the cybersecurity argument was more likely to win funding and executive support than making the case for improved efficiency and future cost savings.
“A lot of times it’s easier to say, ‘Well,