Plaintext: Leaving Obsolete Technology Behind
Source: Lucas van Oort (@switch_dtp_fotografie) via Unsplash


Welcome to Dark Reading in Plaintext, brought to your inbox this week by Deloitte. In this issue of Plaintext, we look at how obsolete technology lingers in organizations long after its expiration date. Ripping it out is not an easy process, but doing so can only help boost the organization's defenses. We also consider how the recent Chevron decision from the US Supreme Court will impact cybersecurity enforcement. If you enjoy Plaintext, please share with friends and colleagues!

Leave Old Tech In the Past Where It Belongs. Earlier this month, the Japanese government declared victory in its “war on floppy discs.” Up until last month, more than 1,000 regulations required Japanese businesses to submit documents to the government via outdated storage devices such as floppy disks. That is quite a burden on businesses, considering most of the companies that previously made floppy disks no longer do so (Sony stopped back in 2011, for example). The Digital Agency has finally scrapped all 1,034 regulations that referenced floppy disks (except for one environmental stricture related to vehicle recycling, per Japan Times).

Cybersecurity practitioners have long warned that hanging onto outdated, end-of-life software and operating systems exposes organizations to potential cyberattacks. Vulnerabilities are no longer fixed in these applications, making them ticking time bombs within the network. Similarly, organizations need to consider that hanging onto older technologies can also be risky. Older technologies may not be able to take advantage of modern security controls, such as using secure network protocols or supporting encryption to protect data in transit and at rest. Older tech is also more likely to be running outdated software (Windows XP is still clinging to its teeny market share) and may be incompatible with modern security tools, leaving it defenseless.

“We have won the war on floppy disks!” said Japan's Digital Minister Taro Kono. He has also pledged to “get rid of the fax machine” in government.

Organizations can have technical debt while still embracing modern technologies and investing in new tools. Both things can be true at the same time. Technical debt refers to the work organizations defer as they decide what they can afford to do right now and what needs to wait until later (and later never comes). This adds up quickly and can be hugely detrimental to the security of the organization's technology stack.

It's worth noting (thanks, BBC) that Japan wasn't the only one hanging onto the floppy disk: Norway’s doctors were using floppy disks in 2015; the United States’ nuclear program coordinated “key strategic forces” with floppies as of 2016; British Airways applied crucial updates to its Boeing 747-400s via floppy disk as recently as 2020; and San Francisco’s train system runs on floppies. In some cases, the obsolete technology may be a form of defense: keeping the nuclear program disconnected from digital networks made it harder to hack.




US Supreme Court and the Chevron Decision. On June 28, 2024, the Supreme Court overturned the 40-year-old “Chevron doctrine” with its decisions in Loper Bright Enterprises v. Raimondo and Relentless v. Department of Commerce. Previously, courts deferred to government agencies when it came to interpreting ambiguous laws. While security regulations will not disappear, experts say overturning this doctrine will result in more court challenges over regulatory actions. “Existing cybersecurity regulations are more vulnerable to legal challenge, especially where an agency has had to adapt ambiguous or outdated statutes to fit new security practices and threats. Lawsuits against agency cybersecurity rules and enforcement actions are likely to jump,” wrote Harley Geiger, Len Gordon, and Michael A. Muno, litigators specializing in cybersecurity with the law firm Venable LLP. “The new legal landscape will likely have a deregulatory effect on cybersecurity, but the threat of cyberattack will continue to grow.”

This will directly affect enforcement actions by agencies like the Federal Trade Commission (FTC) and critical infrastructure regulators. The Cybersecurity and Infrastructure Security Agency has proposed a rule mandating that critical infrastructure organizations report cyber incidents within 72 hours, and the White House has suggested implementing new baseline cybersecurity requirements for medical facilities. Both of these initiatives have elements that may need to be reconsidered. Kevin Townsend addressed how federal agencies would be affected in SecurityWeek.

What We Heard On-Air

Tune in to our on-demand webinar “Assessing Software Supply Chain Risk.”

“Authentication and authorization in the world of API is critical.” —Jonathan Care.

From Our Library

Check out some of the latest reports from our Dark Reading Library.

On That Note

Ever wondered about ransomware negotiators and their techniques? What skills do ransomware negotiators need? What are some real-life incidents that negotiators can discuss? The second episode of Dark Reading Confidential is available now on all the major platforms: Spotify, Apple Podcasts, Amazon Music, and Pocket Cast, to name a few.



