GCN : May 2013
CYBEREYE BY WILLIAM JACKSON

IS THE NEXT BIG CYBER THREAT LURKING IN GOVERNMENT SYSTEMS?

THE EVOLUTION OF IT can take place at revolutionary speed, and when systems don't keep up with the pace of change they can become vulnerable to serious risks, says retired Lt. Gen. William T. Lord, former Air Force CIO.

"I think that the next Achilles heel is legacy software," Lord said. A combination of unsupported software, well-known vulnerabilities and new applications that expose old platforms to networks can create unnecessary complexity and open critical systems to threats, he said.

Not every piece of old software is a risk, however. "Some of the things we use in our nuclear command and control are so old, but so reliable and unconnected to anything else, that it probably does not pose a threat," Lord said. "But our problem is that most of our legacy systems in government are 20 or 30 years old," and need to be updated. Fixing this installed problem will require more flexible contracting to let government take advantage of smaller, more nimble contractors.

Lord, who now is an IT systems and services consultant, is making legacy software something of a crusade in his post-military career, calling it the greatest obstacle to IT progress in government.

Defining "legacy software" can be difficult. Some would argue that any software in use can be called legacy, because if you're using it, it's already old. Most would agree that any software still in use that is not supported by its developer or vendor could be classed as legacy. There is a huge installed base of this. A recent analysis by the Web security company Websense, for example, found that three quarters of government computers are running unsupported versions of Java (See box).

Getting rid of legacy software is even harder than defining it. Wholesale programs can be expensive and often end in failure. The Air Force in 2004 began a program to replace 240 outdated systems in its Expeditionary Combat Support System with an Enterprise Resources Planning system. A contract was awarded to Computer Sciences Corp. in 2006 and terminated six years and $1 billion later.

"The effort got stopped," Lord said. The problems included "budget doldrums," which complicate almost any kind of project, and the difficulty of finding a good time for replacing operational systems. This can be particularly difficult with combat support systems when the combat never stops, Lord said. "In my experience in the Air Force, there was no end to the battle."

The skills needed to update, modernize or replace legacy software can come from nontraditional service providers, he said -- smaller software companies that often do not have the resources to compete in the government market. It would help to have major league contractors partner with the minor league companies for government contracts, but there often is little government incentive for this. Agencies are supposed to award small and minority-owned business contracts, but accounting policies give contracting officers little credit for acquiring services from small companies through a larger contractor, Lord said.

Another problem is a lack of dedicated money for fixing vulnerabilities in old applications. The Air Force sets aside money for hurricane damage, but not for software bugs, so that maintaining old software is difficult. Government needs to realize that vulnerabilities are as inevitable as bad weather, Lord said. "We haven't caught up with that kind of thinking."

WHY IS JAVA SO RISKY? BECAUSE 77 PERCENT OF AGENCIES RUN UNSUPPORTED VERSIONS

Only a handful of U.S. government computers are using the latest version of Java while more than three quarters of them are running unsupported versions of the software, which has been a common target for malware since 2010, according to an analysis by the Web security company Websense.

There are 52 update versions of Java in use, but as of March, Oracle said it would update only versions of Java 7. That leaves a lot of unsupported versions on government and other computers.

JAVA ON THE .GOV DOMAIN
6.38 percent using latest update of Java 7
23% using some version of Java 7
77% using unsupported versions of Java 6 or earlier