This article was originally published in Search Security on July 27, 2018.
Sen. Ron Wyden (D-Ore.) is once again advocating for better cybersecurity for the U.S. government, this time in a new letter asking that all government domains stop Adobe Flash use.
Adobe Flash has long been under fire from the infosec community for security risks, and major web browsers have been moving away from the platform in favor of HTML5, leading Adobe to announce that the end-of-life date for Flash will come in 2020.
Sen. Wyden addressed the letter to Kirstjen Nielsen, secretary of the Department of Homeland Security (DHS); Walter Copan, undersecretary of Commerce and director of NIST; and Paul Nakasone, director of the NSA and commander of U.S. Cyber Command, advocating that the government stop Adobe Flash use.
Wyden asked that these three agencies collaborate to stop Adobe Flash use in government “in light of its inherent security vulnerabilities and impending end-of-life.”
“The federal government has too often failed to promptly transition away from software that has been decommissioned. In just one example, agencies were forced to pay millions of dollars for premium Microsoft support after they missed the deadline to transition away from Windows XP at its end-of-life in 2014, even though the technology’s last major update had been six years prior,” Wyden wrote in the letter. “The U.S. government should begin transitioning away from Flash immediately, before it is abandoned in 2020.”
Chris Olson, CEO and founder of The Media Trust, a digital media risk management company based in McLean, Va., noted that government agencies tend to fail at these transitions because of budgets.
“Government budgets are strapped. As a result, they tend to retain legacy systems, software, and machines that take time to patch and update. The budget issue is worse for state, municipal, and other local government entities,” Olson wrote in an email. “The situation won’t change anytime soon, so agencies should continuously scan their websites and mobile apps in real-time for any unauthorized actors and activities.”
Wyden noted that DHS, NIST and the NSA “provide the majority of cybersecurity guidance to government agencies,” but none have issued public guidance calling for agencies to stop Adobe Flash use.
Wyden suggested a three-step plan to stop the deployment of new Flash-based content within 60 days, remove Flash from some agency computers by March 2019, and then require the removal of all Flash content from websites by August 2019.
Olson applauded the multistaged approach to having government agencies stop Adobe Flash use.
“Flash is just the tip of the iceberg. There are a growing number of other attack vectors, including HTML5, a variety of content management systems, browsers, etc. Any organization will need to keep up with the various developments that are being nurtured in the underground economy of cybercrime,” Olson wrote. “Agencies and any organization with digital assets will need to work closely with their third parties to enforce security policies, police what code is being executed in their digital ecosystems with the help of continuous, real-time scanning, and root out unauthorized actors and code.”