It’s just the little things, buried in the bigger things, that disrupt all the other things. Humans have a tendency to take for granted what we expect will always be there. We inherently trust that at least some semblance of consistency will be present in our lives and daily tasks. The light switch will turn on the light. The computer will turn on and not crash. The car will start. When that doesn’t happen, it’s a brief inconvenience but not the end of the world. The FAA just showed us that consistency in the government’s technological infrastructure has serious issues that are years overdue for fixing. And while that may not be the end of the world, it could have a serious impact on millions of people.
For years, cybersecurity experts (myself included) have been warning that the technological infrastructure in the United States is seriously at risk. We have seen some spectacular examples of how straightforward it has been to compromise our systems either by cyberattacks or simply old age. Baltimore, Atlanta, and other major cities have all experienced outages due to ransomware and other cyberattacks. Water treatment plants are incredibly vulnerable due to underfunding to the point where someone almost poisoned an entire town in Florida in 2021 by introducing lye into the system, which a vigilant employee fortunately caught. Russian intelligence hacked most major federal departments by exploiting software commonly used by large organizations. Chinese and Russian intelligence both hacked the White House a few years ago. NASA has been hacked multiple times, clearly indicating gaps in their defensive posture.
On top of this, system failures due to either age or lack of maintenance are also not uncommon amongst the various government entities. For example, New Orleans lacked a hardening of critical communication infrastructure, which turned parts of the city into a scene from a post-apocalyptic movie when Hurricane Katrina hit. Even seventeen years ago, when Katrina landed, corporations were already well ahead of governments in terms of keeping up with their contingency plans. This problem has been persistent.
As of the time of the writing of the first draft of this article, the actual day of the FAA outage, we did not yet have answers as to what exactly happened. We now know it was a problem with the FAA’s database and a corrupt file, but it’s honestly irrelevant in the sense that whether it was a cyber-attack or a glitch in the software or a failure of equipment, every scenario leads to the same overarching cause that the government is notorious for; technology debt.
For those unfamiliar with the term, the simplest explanation of technology debt is that as computer hardware and software age, there comes a point where the costs to maintain the current aging system are more expensive than switching to a newer solution. The more time goes on past that point; the more expensive it becomes to upgrade or replace the in-place solution. Finding and planning for the delicate cost balance between these two options is something that the private sector works very diligently to achieve. Governments, though, move a lot slower. Budgets passed by the House of Representatives are always a contentious process and often can leave many serious issues underfunded or not funded at all.
Infrastructure spending isn’t sexy, but it’s required for a well-functioning society. With an expected $588.9 billion spent in 2023 on technology maintenance and modernization upgrades by all governments worldwide, it’s honestly not enough. The United States alone is roughly one-quarter of the entire global economy, with a $25 trillion GDP. Supplying government technological infrastructure to service over 330 million people is an expensive and major task for all governments within the U.S.A., from local all the way up to federal. This needs a much higher priority than it is being given.
Without a proper budget for technology upgrades and maintenance, the government will continue to face cyber-attacks that’s it’s ill-equipped to handle. Vulnerability management cannot fully be achieved without time, effort and money and this is one of the serious concerns that the cybersecurity community has with governments in general. Many attacks are successful because the attackers exploited a vulnerability in the infrastructure that had been left open without fixing. Equifax, Microsoft Exchange Email servers worldwide, and much more, have all been spectacularly attacked in the last few years thanks to vulnerabilities that went unfixed. The entire nationwide government infrastructure is one massive vulnerability management headache and has clearly not kept up.
Fortunately, we have seen some movement in recent years, with most of the government focused on passing cybersecurity laws to try and bring itself up to code. Hopefully, the elected members of the Executive and Legislative branches understand that this is a never-ending task. Major corporations are in a continual lifecycle renewal for technology as it’s the cost of doing business. As the country’s population grows, so does the need for expanding infrastructure. The growing small town has to increase its local government employee count to provide efficient service, just like a large city has to. This means more computers, more data, more software, more infrastructure, and more cost to maintain and protect.
However, as the situation with the FAA outage , which made my day all the more interesting as I wrote this from Chicago’s O’Hare airport while on a delay, shows us that the United States has serious infrastructure and cyber defense issues. My cybersecurity colleagues in all branches of the federal government have their work cut out for them, given the worldwide shortage of cybersecurity professionals and the reported rising burnout rates of leadership given the onslaught of attacks.
Hopefully, all these “little” things will soon no longer be an issue.
________________________________________________________________________________________________________________________
Nick Espinosa
Nick EspinosaAn expert in cybersecurity and network infrastructure, Nick Espinosa has consulted with clients ranging from small business owners up to Fortune 100 level companies for decades. Since the age of 7, he’s been on a first-name basis with technology, building computers and programming in multiple languages. Nick founded Windy City Networks, Inc at 19 which was acquired in 2013. In 2015 Security Fanatics, a Cybersecurity/Cyberwarfare outfit dedicated to designing custom Cyberdefense strategies for medium to enterprise corporations was launched.
Nick is a regular columnist, a member of the Forbes Technology Council, and on the Board of Advisors for both Roosevelt University & Center for Cyber and Information Security as well as the College of Arts and Sciences. He’s also the Official Spokesperson of the COVID-19 Cyber Threat Coalition, Strategic Advisor to humanID, award-winning co-author of a bestselling book, TEDx Speaker, and President of The Foundation.
