Based on what’s public information so far, we have no reason to believe that the Tax Day computer crash which prompted the Internal Revenue Service to delay its filing deadline was the work of hackers, foreign or domestic.
Even so, we can identify a few things of value to those of us dealing with cybersecurity in government.
First, the system that crashed relied on programming in what’s called Assembly Language. This is 1950s technology for communicating directly with the computers’ hardware. The bright people who are programming computers today are unlikely to encounter it or even know it. A programmer who used Assembly Language soon after leaving college in, say, 1960 is likely to be at least 80 years old.
There’s safety in that fact. The big IRS mainframes in Martinsburg, W.Va., are unlikely to come under attack by a crew of geriatric hackers who know Assembly Language and are ready to get into the guts of it and cause trouble. Today’s computer networks use languages several generations more advanced and are more likely to be attacked by the grandchildren of the Assembly Language generation.
For the IRS, there’s safety of a sort in that, I suppose.
The IRS had not modernized its computers because they had worked. (Most days, at least. Just not on Tax Day.) Getting newer, modern machines, with all of the politicking, budgeting, bidding, installation and custom programming required could take longer than the professional lifetime of an IRS computer scientist. Sluggish planning and acquisition systems frustrate government technologists, extend unnecessary costs and deprive all of us of the benefits that technology brings. (Just ask the Federal Aviation Administration, which began planning its NextGen air traffic management system in 2003, is now seeing some benefits from it and expects full implementation in 2025.)
For those of us dealing with cyber security, this sort of timeline is obviously unacceptable. The threats we and our government and corporate customers confront are so numerous and so capable of modernizing themselves that mere humans can’t keep up with them. Seventeen threats? You’ve had a slow minute. You need really good cybersecurity technology.
Our most modern cybersecurity tools use Artificial Intelligence to monitor threats inside a computer network, rank them by threat level and deal with them. Obviously, sophisticated technology such as this cannot be planned and installed over a decade. Even the time required for bidding on a known system is too long. That means that individual managers inside government must be able to apply their professional expertise, commit to buying what they need now and get it into use quickly. Would Congress, with its history of micromanagement, ever allow them that flexibility? Would the government manager, wrestling with budget shortfalls, sequestration and now rescission (cutting the budget after its approval) dare to make the purchase?
My company sells cyber security technology to corporations and to all levels of government, federal, state and local. I’ve actually met with senior government security managers who will say, “I know we need this and we need it now, but I can’t buy it now and I don’t know when I’ll be able to.” Hackers, of course, do not have these restrictions. They have plenty of time to develop effective threats and many of them (the ones paid by governments) are well funded.
Government security managers are part of the problem. We simply don’t have enough of them and government’s glacial civil service rules make it difficult to hire them before the best candidates are snapped-up by the private sector. I know this because I do the snapping. I may be the CEO, but to sign a top candidate I’ve been known to jump on airplanes and do the recruitment myself, quickly. A government manager, by comparison, must warn the candidate that there will be delays, present several long forms to be filled-out, wait for the long security clearance procedure to be carried out and hope that in a few months time the candidate is still there and will take the job. Often, the answer is no.
Let’s all be glad that hackers apparently weren’t involved in the IRS crash. Unfortunately, they’re a daily threat to agencies throughout government and the way the government works—or doesn’t—is making their jobs easier.
Hitesh Sheth is President and CEO of Vectra Networks, a cyber security firm in San Jose, Calif.