[BreachExchange] Cobol plays major role in U.S. government breaches

Audrey McNeil audrey at riskbasedsecurity.com
Fri Mar 17 15:48:57 EDT 2017


http://www.computerworld.com/article/3181809/government-it/cobol-plays-major-role-in-us-government-breaches.html

New research is turning on its head the idea that legacy systems -- such as
Cobol and Fortran -- are more secure because hackers are unfamiliar with
the technology.

New research found that these outdated systems, which may not be encrypted
or even documented, were more susceptible to threats.

By analyzing publicly available federal spending and security breach data,
the researchers found that a 1% increase in the share of new IT development
spending is associated with a 5% decrease in security breaches.

"In other words, federal agencies that spend more in maintenance of legacy
systems experience more frequent security incidents, a result that
contradicts a widespread notion that legacy systems are more secure," the
paper found. The research paper was written by Min-Seok Pang, an assistant
professor of management information systems at Temple University, and
Huseyin Tanriverdi, an associate professor in the Information, Risk and
Operations Department at the University of Texas at Austin.

"Maybe the conventional wisdom that legacy systems are secure could be
right," said Pang, in an interview. But the integration of these systems
"make the whole enterprise architecture too complex, too messy" and less
secure, he said.

Federal agencies have seen a rapid increase in security incidents, the
paper points out, citing federal data assembled by the Government
Accountability Office. From 2006 through 2014, the number of reported
security incidents increased by more than 1,100 percent, or from 5,503 to
67,168. An incident can cover a range of activities, such as a denial of
service, successfully executed malicious code, and breaches that give
intruders access.

One of the largest federal system breaches occurred in 2015, when hackers
gained access to some 18 million records at the Office of Personnel
Management.

Tony Scott, the former federal CIO under President Barack Obama, told
lawmakers at a hearing last year that nearly three quarters of IT budgets
are spent maintaining legacy systems.

"These systems often pose significant security risks, such as the inability
to utilize current security best practices, including data encryption and
multi-factor authentication, which make them particularly vulnerable to
malicious cyber activity," Scott said.

The U.S., overall, has more than 3,400 IT professionals employed to
maintain legacy programming languages, a U.S. House committee was told
after the OPM breach.

If the federal government doesn't modernize its systems, Pang said it may
see more large breaches similar to the OPM hack.

In the absence of modernization, Pang said that effective IT governance
"mitigates security risks of the legacy systems." The paper also recommended
moving systems to the cloud.

Pang said the government needs to pass the Modernizing Government
Technology Act. That legislation, which was approved by the House last
year, would have boosted IT spending by about $9 billion from 2017 to 2021
had it reached the president's desk.