Addressing UK’s technical debt is only way to secure country’s digital future

This is a guest blog post by Rob Lay, Director of Solutions Engineering UK&I at Cisco.

The recently announced Cybersecurity and Resilience Bill is a welcome move by the UK government to continue evolving its security strategy. But we are ignoring a critical vulnerability that could undermine all current and future efforts: the digital foundations of our country.

Today, many critical services across the public sector are running on outdated legacy IT equipment. According to a review by the UK government, an estimated 28% of central government department systems are running on outdated equipment. In some parts of our critical infrastructure, that figure can be as high as 70%. The reality is simple: we are running 21st-century services on 20th-century architecture and technology, and in doing so we are leaving a weak point that our adversaries can exploit.

We must take action if we are to continue securing the UK’s digital future. We are past the point of “if it ain’t broke, don’t fix it”. This technical debt is now an exploitable attack surface that we need to get under control. Recent research from WPI Strategy revealed that the combination of aged systems, highly concentrated infrastructure and rising cyberattack frequency leaves the UK significantly exposed to external threats.

So, what’s the solution? A total rip and replace would lead to significant disruption across public sector services. Instead, we need a careful, disciplined approach that promotes national resilience and aligns with technological need.

You can’t defend what you don’t know you have

A major challenge for public sector technology owners is understanding what they have within their technology portfolio. It is critical that IT teams create a comprehensive, real-time inventory that flags unsupported systems. Doing so will not only grant greater visibility into an organisation’s technology stack, but will also make risk management easier. IT teams will be able to proactively identify systems nearing end of life (EoL) and put a clear plan of action in place to manage the associated risks before support ends, rather than discovering the gap after an incident.

This will become increasingly important as technology stacks change and evolve. With real-time inventories in place, organisations will be better placed to carry out ongoing lifecycle assessments, examining whether ageing technology needs to be replaced and, where replacement isn’t immediately possible, establishing a clear plan for risk mitigation.
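As an added illustration of the flagging step described above (this is not code from the post, nor from any Cisco or UK government tool), the following Python script takes an inventory export and sorts every asset into one of four states: already unsupported, support status unknown, nearing end of support, or supported. The inventory rows, hostnames, products and end-of-support dates are constructed for the example, the 365-day warning window is an assumed policy value, and the assessment date is fixed so the output is reproducible. The point of the "unknown" bucket is the one the heading makes: an asset with no recorded support date cannot be risk-managed, so it is ranked just behind the assets that are already out of support.

```python
"""Flag unsupported and soon-to-be-unsupported assets from an inventory export.

Illustrative example added to the article; every row below is constructed,
not a real system, and the dates are not real vendor lifecycle dates.
"""
from datetime import date, timedelta

# Constructed inventory rows. `eol` is the vendor's end-of-support date as
# recorded by the IT team; None means nobody has yet established one, which
# is itself a finding: an asset whose support status is unknown cannot be
# risk-managed, so it is ranked just behind the assets already out of support.
INVENTORY = [
    {"host": "benefits-db-01", "product": "LegacyDB", "version": "9.1", "eol": date(2022, 6, 30)},
    {"host": "portal-web-02", "product": "WebStack", "version": "4.2", "eol": date(2025, 9, 30)},
    {"host": "gis-app-07", "product": "MapServer", "version": "2.0", "eol": date(2028, 1, 31)},
    {"host": "scada-hmi-01", "product": "HMI Suite", "version": "3.5", "eol": None},
    {"host": "mail-relay-04", "product": "MailGW", "version": "11", "eol": date(2025, 2, 15)},
]

# Fixed assessment date so a run of this example is reproducible (assumption).
ASSESSMENT_DATE = date(2025, 1, 1)

# Assumed policy: warn when support ends within a year.
WARN_DAYS = 365

# Ranking used to order findings, most urgent first.
SEVERITY = {"unsupported": 0, "unknown": 1, "nearing_eol": 2, "supported": 3}


def classify(asset, today, warn_days=WARN_DAYS):
    """Return the support state of one asset as of `today`.

    unsupported : vendor support has already ended
    unknown     : no EoL date recorded; needs lifecycle research
    nearing_eol : support ends within `warn_days` days
    supported   : support continues beyond the warning window
    """
    eol = asset["eol"]
    if eol is None:
        return "unknown"
    if eol < today:
        return "unsupported"
    if eol <= today + timedelta(days=warn_days):
        return "nearing_eol"
    return "supported"


def assess(inventory, today, warn_days=WARN_DAYS):
    """Classify every asset and return the findings, most urgent first."""
    findings = []
    for asset in inventory:
        state = classify(asset, today, warn_days)
        days_left = (asset["eol"] - today).days if asset["eol"] else None
        findings.append({**asset, "state": state, "days_left": days_left})
    # Within a severity band, the asset whose support ends soonest comes first;
    # assets with no date sort last within their band.
    findings.sort(key=lambda f: (SEVERITY[f["state"]],
                                 f["days_left"] if f["days_left"] is not None else 10**9))
    return findings


def summarise(findings):
    """Counts per state plus the share of the estate that is already unsupported."""
    counts = {state: 0 for state in SEVERITY}
    for f in findings:
        counts[f["state"]] += 1
    total = len(findings)
    pct_unsupported = round(100 * counts["unsupported"] / total, 1) if total else 0.0
    return {"counts": counts, "pct_unsupported": pct_unsupported}


if __name__ == "__main__":
    results = assess(INVENTORY, ASSESSMENT_DATE)
    for f in results:
        left = "  n/a" if f["days_left"] is None else f"{f['days_left']:>5}d"
        print(f"{f['state']:<12} {left}  {f['host']:<16} {f['product']} {f['version']}")
    print(summarise(results))
```

In practice the `INVENTORY` list would be fed from a CMDB or discovery-tool export rather than typed in, and the vendor dates would be refreshed from vendor lifecycle pages on a schedule; the classification and ranking logic stays the same. The `pct_unsupported` figure is the kind of number a board can be held to, which is the link to the next section.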

An inventory will also be key to encouraging real-time incident reporting and to putting in place the mechanisms to do so. IT teams should be encouraged to capture data on the role EoL technology plays in data breaches, helping to identify patterns across systems and accelerating replacement or, where possible and sensible, remediation.

Responsibility in the boardroom, not the server room

To date, responsibility for IT inventory has largely sat with IT teams. Lifecycle audits have been part of IT’s accountability, and remediation plans are largely led by them. While this is important from a technical perspective, sharing that responsibility with the boardroom will create a greater incentive to address the risks associated with EoL technology in a serious and urgent manner.

This shared responsibility means we can also reform IT investment models. This is especially pertinent in the public sector where budgets are most often split between capital expenditure (CapEx)—driven by the need to buy new systems and software—and operational expenditure (OpEx), the task of upgrading and maintaining existing systems.

While a clear division in budgets can be useful on paper, in practice it can lead to a disparity in investment. On one hand, public sector organisations may fall into the trap of reducing or raiding OpEx budgets to fund new projects, placing maintenance of EoL technology in jeopardy. On the other hand, some may spend the majority of their budget keeping existing technology stacks going, with little room to invest in new systems. If we are to adequately avert the risks posed by EoL technology, we must invest in enhancing our technology stacks, rather than aimlessly servicing technical debt that only leaves organisations more vulnerable to cyber threats.

In an ideal world, the public sector IT investment model should be able to support innovation through the acquisition of new technology, while also setting aside enough budget to address the replacement and remediation of EoL technology.

Solving the EoL challenge allows us to go from reactive to proactive

The task of replacing EoL technology across the UK’s infrastructure is no easy feat. Nor is it a ‘one and done’ project; as technology continues to evolve, every generation of technology will come to its natural end. It is therefore imperative that public sector organisations have a clear plan in place to improve visibility into technology lifecycles with real-time inventories, establish clear assessment and management parameters, and reshape and rethink funding models. Doing so will not only see us move from reactive incident response to proactive risk reduction, significantly curbing the likelihood of successful attacks against our country’s infrastructure, but will also enable the more effective adoption of new services in the future.