Like so many industries worldwide, federal governments are growing more dependent on technologies to grow, evolve and survive. Running government agencies on aging information technology (IT) infrastructure, software and services is increasingly risky with the rise in ransomware attacks. U.S. President Joe Biden’s American Jobs Plan could spark much-needed change. The massive trillion-dollar bill intends to modernize critical infrastructure ranging from the nation’s aging bridges and roads to federal government IT.
In May 2021, President Biden signed an Executive Order to modernize the federal government’s response to cyberattacks. It included:
- Removing barriers to sharing threat information
- Modernizing federal government cybersecurity infrastructure
- Enhancing software supply chain security
- Establishing a cyber safety review board
- Standardizing the federal government’s playbook for responding to cybersecurity vulnerabilities and incidents
- Improving detection of cybersecurity vulnerabilities and incidents in federal government networks
- Improving the federal government’s investigative and remediation capabilities
- Adopting national security systems requirements
President Biden’s Budget of The U.S. Government Fiscal Year 2022 specifies $9.8 billion for cybersecurity, $500 million for technology modernization and mandates to reskill and upskill a workforce that can build, run and secure federal data and IT systems.
These big investments are needed because the status quo is inviting attacks on America every second of every day, according to a 2020 report by the Cyberspace Solarium Commission (CSC).
“The status quo is a slow surrender of American power and responsibility,” the CSC warned.
Federal agencies oversee a complex web of technology whose myriad nodes safeguard national secrets; organize precious human, natural and fiscal resources; provide essential services to citizens; and secure critical assets for American energy, transportation and defense. Unfortunately, that web has become as vulnerable as it is vital to essential services.
Case in point: The May 2021 cyberattack against the Colonial Pipeline, which transports gasoline, diesel and jet fuel over 5,000 miles from Houston to New York. The fact that cybercriminals could shut it down so easily rang serious alarm bells in Washington, where government investment in secure IT systems lags behind many private sector organizations.
There are fewer reasons to keep kicking the can down the road as cyberthreats mature and multiply. But so many fast-moving parts and shifting paradigms in the enterprise computing world can be mind-boggling. Policymakers are turning to IT experts to understand new capabilities, especially from emerging hybrid multicloud IT operations, so they can map investment strategies that will help government agencies succeed now and in the future.
The Department of Defense’s (D.O.D.) July 2021 cancellation of the Joint Enterprise Defense Infrastructure (JEDI) contract – a 10-year deal with Microsoft – signaled it was time to embrace a variety of new cloud computing technologies and services rather than rely primarily on one provider.
“With the shifting technology environment, it has become clear that the JEDI cloud contract, which has been long delayed, no longer meets the requirements to fill the D.O.D.’s capability gaps,” the Pentagon said in an announcement reported in The New York Times.
Many private sector industry leaders shifted to a hybrid cloud IT operation because it gives them scalability, flexibility, efficiencies, quick access to innovations and layers of security, according to Kanuj Behl, Cloud Architect of Nutanix.
“With the agility and stability that the cloud provides them, they get completely out of the business of managing hardware,” Behl said. “This allows them to rely on software that doesn’t lock them into any one particular provider. Adding the flexibility of multiple clouds gives them the freedom of choice to move applications and workloads where it makes sense, both fiscally and operationally.”
According to Nextgov, President Biden requested $58.4 billion (up from $54.2 billion allocated for 2021) to support IT at civilian agencies in full-year 2022. It “will be used to deliver critical citizen services, keep sensitive data and systems secure and further the vision of digital government,” according to budget documents released in late May 2021. This funding would support a move away from customized IT tools, systems and services toward more standards-based platforms and systems.
In July, the Biden administration introduced a ransomware task force and Stop Ransomware, a federal website to help businesses and government agencies improve their cybersecurity. Efforts are well underway and coalescing, but so much work still needs to be done in short order.
Updating a Legacy
Among federal agencies operating the 10 most critically aged IT systems, only two have fully developed plans to modernize, according to the Government Accountability Office (GAO). These older, legacy systems present a dangerous challenge for cybersecurity and the nation as a whole.
“Legacy systems are hard to secure because the support for them is going out and the computational capability isn’t up there. So when you adopt modern security techniques, it’s harder to [apply] them,” said Ning Zhang, a professor at Washington University in St. Louis who researches vulnerabilities in cybersecurity.
Not surprisingly, the federal government is a consistent target for cyberattacks and sabotage, whether by nation-states or nefarious, individual bad actors. This makes modernizing IT systems a crucial part of America’s defense.
The GAO reports that legacy systems are “operating with known security vulnerabilities and unsupported hardware and software.”
In the absence of thoughtful change, some of these systems may become susceptible to crippling hacks, making it harder for citizens to access critical government services and for federal agencies to execute their missions.
“It’s difficult to embrace new paradigms and modernize since these systems often run mission-critical applications or processes,” according to The Four Pillar of Government IT, a report by data management firm Splunk.
“The cost and risk associated with replacing, retraining, management overhead, budget constraints and a fear of reputational damage associated with any prolonged interruptions has driven agencies to maintain these legacy systems long after official support has expired,” the Splunk report stated.
Without regular updates that keep them current or the ability to integrate with newer software and hardware, legacy systems are costly to maintain – and these mounting bills get passed along to the American taxpayer.
Modernizing in Multitudes
However, there is good news: The GAO has identified at least 94 examples of successful IT modernizations at federal agencies within the last five years.
“When you modernize, things get resolved much better,” Zhang said. “For example, if you have an intrusion detection system with modernized infrastructure, you know what’s happening, how to get people there and how to keep track of it. I think that can be helpful, particularly for complex infrastructures.”
Cloud computing is a core component of the public sector’s plans to modernize its systems. Even though the federal government has had a longstanding directive for all of its agencies to adopt cloud computing, only 56% of federal government offices have cloud-based government IT solutions, according to a survey of government personnel by Maximus and Genesys.
This lack of adoption inspired U.S. Federal Chief Innovation Officer Suzette Kent to propose in 2019 a new, cloud-first approach to government IT based on three pillars: security, procurement and workforce.
“Collectively, these elements embody the interdisciplinary approach to IT modernization that the federal enterprise needs in order to provide improved return on its investments, enhanced security and higher-quality services to the American people,” Kent states in her Federal Cloud Computing Strategy.
Empowering Peace of Mind
Although the financial and operational benefits of private and public cloud IT are widely known, security is a serious and sensitive aspect of cloud implementation in the government, which could explain its slow adoption. There are smart ways to go about it, according to Kent.
“Given the distributed nature of cloud and the growing number of discrete capabilities and deployment models available to choose from, agencies might consider moving or adding security and privacy controls to the data layer itself, improving their overall security and privacy posture, empowering them to fully embrace cloud technologies while granting them peace of mind that the confidentiality and integrity of their data are intact,” Kent stated in the Federal Cloud Computing Strategy.
“The use of automated and assistive technologies such as artificial intelligence and machine learning can help agencies to further improve security.”
Beyond the cloud, another part of the federal government’s IT modernization plan is the Data Center Consolidation Initiative (DCOI), which compels agencies to consolidate their data centers and optimize their operations for more efficient data management.
Splunk’s report points out that agency systems often reside and operate in silos without end-to-end visibility.
“IT administrators need to know how all their cloud solutions are performing and interacting, but it can be difficult to get a clear view of disparate workloads,” stated the Splunk report. “Without clear visibility, one cloud solution may be unnecessarily scaled to provide significant computing or storage, while another solution goes underused.”
By discarding more costly or unnecessary government IT systems and optimizing newer applications instead, these strategies can help government agencies improve citizen services, secure sensitive systems and save precious taxpayer money.
A strong business case exists for government IT modernization. All that’s needed now are the funds and strategies to achieve it. And going forward, federal government IT teams will need to maintain a continuous improvement mindset to stay ahead of fast-moving cyberattackers.
Chase Guttman is a technology writer. He’s also an award-winning travel photographer, drone cinematographer, author, lecturer and instructor. His book, The Handbook of Drone Photography, was one of the first written on the topic and received critical acclaim. Find him at chaseguttman.com or @chaseguttman.
© 2021 Nutanix, Inc. All rights reserved.