Though the widely publicized failure of the ObamaCare website (a.k.a Healthcare.gov) back in October of 2013 has all but faded from memory, the public sector’s persistent lag in technological innovation coupled with recent calamitous data breaches means there is no shortage of press fodder for critics. What will it take for the U.S. government to transcend its current dearth of agility and innovation?
The IRS is the latest government entity lambasted for conducting highly risky computing practices. Despite Microsoft’s ending of support for Windows XP and Windows Server 2003 on April 8, 2014 and July 14, 2015, respectively, (read: no more security updates or technical support), the tax agency continues to lurch along its prolonged timeline for system migrations.
According to the IRS’ timeline, Windows Server 2003 upgrades won’t conclude until December 2016. This leaves over a year of running the unsupported, highly vulnerable server operating system to house and support such sensitive data as taxpayer data and payment records.
This information comes to light through a report by the Treasury Inspector General for Tax Administration (TIGTA), a government organization independently overseeing IRS activities. Its findings reveal that the despite spending nearly $140 million on upgrading Windows XP to Windows 7, the IRS still failed to meet the support cut-off of April 2014, with over half of its desktop systems still running XP at the time of the deadline.
Which is disconcerting, to say the least. Security expert Graham Clulely puts it best:
“We all (hopefully) know that continuing to use Windows XP is a risky business. The operating system stopped receiving security patches from Microsoft in April 2014, which means anyone still relying on the platform is at risk of being impacted by vulnerabilities that are being fixed in more modern versions of the operating system. In other words, XP users are living in a state of perpetual zero-day.”
The US Government is still reeling from the OPM data breach—can it withstand another devastating cyber attack? And more importantly, what steps can be quickly taken to bolster security and stave off such attacks? DevSecOps may hold some of these answers.
Like healthcare organizations, government entities are entangled in ad hoc processes and manual efforts when it comes to updating and securing systems and infrastructure. DevSecOps tools like UpGuard—in conjunction with popular automation tools—streamline system upgrades and patch deployments for consistent and secure results. Additionally, UpGuard provides vulnerability assessments using up-to-date vulnerability definitions, giving organizations the ability to accurately gauge the strength of their security models against the latest threats.