How COVID and SolarWinds are driving secure modernization
When the COVID-19 pandemic hit, agencies’ past investments in IT modernization paid off, but security risks exposed by the SolarWinds breach has forced them to rethink their roadmaps.
Chief Digital Services Officer, Department of Housing and Urban Development
Chief Information Security Officer, Americas, Zscaler
Deputy Assistant Commissioner for Category Management, General Services Administration
Deputy CIO for Architecture, Engineering, Technology and Innovation, Department of Energy
Chief Information Security Officer, Department of the Air Force
Executive Director, Cyberspace Solarium Commission
Deputy Director, Defense Digital Service
Director of Pre-Sales Engineering, U.S. Public Sector, Zscaler
Deputy Federal CIO, Office of Management and Budget
CIO, Federal Communications Commission
Director, Cloud Adoption and Infrastructure Optimization, Centers of Excellence, General Services Administration
Deputy Chief Data Officer, U.S. Citizenship and Immigration Services
Note: FCW Editor-in-Chief Troy K. Schneider led the roundtable discussion. The Feb. 8, 2021, gathering was underwritten by Zscaler, but both the substance of the discussion and this recap are strictly editorial products. Neither Zscaler nor any of the roundtable participants had input beyond their Feb. 8 comments.
A group of IT leaders recently gathered to explore how their IT modernization efforts were holding up and where further adjustments were expected. The roundtable discussion hosted by GCN’s sibling site FCW was on the record, but the quotes -- which are not for individual attribution (see sidebar for the full list of participants) -- have been edited for length and clarity. Here's what the group had to say.
SolarWinds: A wake-up call and an opportunity
The exploit of SolarWinds' Orion IT management software, which was discovered in December 2020, directly affected at least nine federal agencies and made clear the limitations of the Department of Homeland Security's Einstein network protection program. The roundtable participants said the breach also illustrated the urgency government should feel about modernizing legacy infrastructure and systems.
Although the risks that can lurk in the supply chain are definitely a concern, one official said, the SolarWinds exploit showed how legacy IT can too easily let attackers "laterally move across the enterprise."
"We're still talking about that hard shell and the soft squishy interior, and that's got to get fixed," the official said. "It scares me to death on some of the older systems that are out there and what could happen with those older systems that you can only put a hard shell around. Zero trust is not built in through the entire stack, and those applications are at risk."
Some participants said their modernization plans had already evolved or at least taken on greater importance. The SolarWinds incident "heightened how we're looking at our future modernization," one said. "If you move to a zero trust-architected network, you have to modernize your infrastructure. We've got to get off the old technologies."
Additionally, several participants said, the cybersecurity argument was more likely to win funding and executive support than making the case for improved efficiency and future cost savings.
"A lot of times it's easier to say, 'Well, it's security-related,' so then all of a sudden that piques their interest and keeps them engaged," one said.
Although past modernization efforts, especially the government's move to cloud services, made the pandemic-related switch to massive telework feasible, plans for 2021 and beyond are still adapting to a new normal that has yet to be fully defined.
One challenge will be managing the full life cycle of systems and solutions that were deployed on an emergency basis in 2020. Participants cited the Defense Department's Commercial Virtual Remote environment as a prime example. That DOD-wide instance of Microsoft Teams is now being retired in favor of individual but interoperable tenancies for each military service. But countless smaller projects will need to be scrutinized, participants said.
"There have been a number of tools specifically related to dealing with a health pandemic that there's not a clear home for," one executive said. Although active use of some of those solutions will likely end in the coming months, "I'm hoping that the next administration takes a look at what are the digital tools and digital health infrastructure we need to put in place for if and when this happens again.… And our team is not set up to maintain some of these tools forever."
Others pointed to the need to reassess dramatically expanded virtual desktop licenses and extra bandwidth. The agencies that were able to use software-defined wide-area networks and other infrastructure-as-a-service solutions "are saving a lot more money," one official noted, which could give others the evidence they need to make similar moves. Government should have vendors take over low-level legacy infrastructure, "replace it with modern technology and move to an as-a-service solution," that official said. "And then that way you have the ability to expand a contract based on your needs as an agency or a service."
More important than any specific system, however, is ensuring that agency employees who have been scattered and stretched are set up to succeed.
"I think it's really going to be interesting to see how this translates in the future because we have proven that, to a certain extent, knowledge workers are capable of getting a job done outside a physical office," one participant said. "There are tools that can make their lives better, and there are tools that can make security better. So when it comes down to being able to attract talent and keep talent to help the government," the old approach of issuing a laptop and VPN access should give way to "modern technology with security that sits in line in the cloud and you can quickly get to anything."
An argument for agile modernization
The roundtable participants noted that multiyear funding remains one of the biggest obstacles to foundational IT modernization (the discussion took place before the most recent relief bill provided $1 billion for the Technology Modernization Fund), but they also said 2020 demonstrated the value of rapid and incremental improvements.
Traditionally, one official said, IT modernization has been "looked at as this big five- or 10-year program. And what happened [during the pandemic], because it had to happen, is that we were able to modernize in pieces. And I think what we should be learning from this is not only the specific technologies that assisted, but the fact that you can modernize in pieces. You can find technologies that can help in both the near term and long term. It's amazing to see it in action."
A longer version of this article was first posted to FCW, a sibling site to GCN.
Troy K. Schneider is editor-in-chief of FCW and GCN, as well as General Manager of Public Sector 360.
Prior to joining 1105 Media in 2012, Schneider was the New America Foundation’s Director of Media & Technology, and before that was Managing Director for Electronic Publishing at the Atlantic Media Company. The founding editor of NationalJournal.com, Schneider also helped launch the political site PoliticsNow.com in the mid-1990s, and worked on the earliest online efforts of the Los Angeles Times and Newsday. He began his career in print journalism, and has written for a wide range of publications, including The New York Times, WashingtonPost.com, Slate, Politico, National Journal, Governing, and many of the other titles listed above.
Schneider is a graduate of Indiana University, where his emphases were journalism, business and religious studies.
Click here for previous articles by Schneider, or connect with him on Twitter: @troyschneider.