How COVID and SolarWinds are driving secure modernization

When the COVID-19 pandemic hit, agencies’ past investments in IT modernization paid off, but security risks exposed by the SolarWinds breach has forced them to rethink their roadmaps.

A group of IT leaders recently gathered to explore how their IT modernization efforts were holding up and where further adjustments were expected. The roundtable discussion hosted by GCN’s sibling site FCW was on the record, but the quotes -- which are not for individual attribution (see sidebar for the full list of participants) -- have been edited for length and clarity. Here's what the group had to say.

SolarWinds: A wake-up call and an opportunity

The exploit of SolarWinds' Orion IT management software, which was discovered in December 2020, directly affected at least nine federal agencies and made clear the limitations of the Department of Homeland Security's Einstein network protection program. The roundtable participants said the breach also illustrated the urgency government should feel about modernizing legacy infrastructure and systems.

Although the risks that can lurk in the supply chain are definitely a concern, one official said, the SolarWinds exploit showed how legacy IT can too easily let attackers "laterally move across the enterprise."

"We're still talking about that hard shell and the soft squishy interior, and that's got to get fixed," the official said. "It scares me to death on some of the older systems that are out there and what could happen with those older systems that you can only put a hard shell around. Zero trust is not built in through the entire stack, and those applications are at risk."

Some participants said their modernization plans had already evolved or at least taken on greater importance. The SolarWinds incident "heightened how we're looking at our future modernization," one said. "If you move to a zero trust-architected network, you have to modernize your infrastructure. We've got to get off the old technologies."

Additionally, several participants said, the cybersecurity argument was more likely to win funding and executive support than making the case for improved efficiency and future cost savings.

"A lot of times it's easier to say, 'Well, it's security-related,' so then all of a sudden that piques their interest and keeps them engaged," one said.

Post-COVID infrastructure

Although past modernization efforts, especially the government's move to cloud services, made the pandemic-related switch to massive telework feasible, plans for 2021 and beyond are still adapting to a new normal that has yet to be fully defined.

One challenge will be managing the full life cycle of systems and solutions that were deployed on an emergency basis in 2020. Participants cited the Defense Department's Commercial Virtual Remote environment as a prime example. That DOD-wide instance of Microsoft Teams is now being retired in favor of individual but interoperable tenancies for each military service. But countless smaller projects will need to be scrutinized, participants said.

"There have been a number of tools specifically related to dealing with a health pandemic that there's not a clear home for," one executive said. Although active use of some of those solutions will likely end in the coming months, "I'm hoping that the next administration takes a look at what are the digital tools and digital health infrastructure we need to put in place for if and when this happens again.… And our team is not set up to maintain some of these tools forever."

Others pointed to the need to reassess dramatically expanded virtual desktop licenses and extra bandwidth. The agencies that were able to use software-defined wide-area networks and other infrastructure-as-a-service solutions "are saving a lot more money," one official noted, which could give others the evidence they need to make similar moves. Government should have vendors take over low-level legacy infrastructure, "replace it with modern technology and move to an as-a-service solution," that official said. "And then that way you have the ability to expand a contract based on your needs as an agency or a service."

More important than any specific system, however, is ensuring that agency employees who have been scattered and stretched are set up to succeed.

"I think it's really going to be interesting to see how this translates in the future because we have proven that, to a certain extent, knowledge workers are capable of getting a job done outside a physical office," one participant said. "There are tools that can make their lives better, and there are tools that can make security better. So when it comes down to being able to attract talent and keep talent to help the government," the old approach of issuing a laptop and VPN access should give way to "modern technology with security that sits in line in the cloud and you can quickly get to anything."

An argument for agile modernization

The roundtable participants noted that multiyear funding remains one of the biggest obstacles to foundational IT modernization (the discussion took place before the most recent relief bill provided $1 billion for the Technology Modernization Fund), but they also said 2020 demonstrated the value of rapid and incremental improvements.

Traditionally, one official said, IT modernization has been "looked at as this big five- or 10-year program. And what happened [during the pandemic], because it had to happen, is that we were able to modernize in pieces. And I think what we should be learning from this is not only the specific technologies that assisted, but the fact that you can modernize in pieces. You can find technologies that can help in both the near term and long term. It's amazing to see it in action."

A longer version of this article was first posted to FCW, a sibling site to GCN.