Technical debt puts federal cybersecurity at risk. The question now is how to break out of the cycle. | Federal News Network



Terry Gerton Cisco has commissioned a new global study that finds that 48% of network assets worldwide are aging or obsolete. That doesn’t surprise me. Does that number surprise you?

Eric Wenger No, it doesn’t surprise me, but it was also important for us to have some sort of a measure because we can’t really make progress against a problem if we really don’t have any sense of how big it is.

Terry Gerton And this study looked at five countries. Walk us through that and how they compared.

Eric Wenger Yeah, so the key point here was that we wanted to look across a number of different geographies and then as well sectors within those geographies to see where the problem was most pronounced. And at the ends of the spectrum, we found that the UK was the most problematic of the countries that we looked at, about 92% risk on the score that we had. It was a relative risk score. And then at the other end of the spectrum, Japan came in at about 65%. And this was based on the level of concentration of the sector. In other words, how much of the equipment, of the technology in that particular space is essentially managed in the same way, and then whether or not there is a high percentage of equipment that is beyond its supported lifespan. And so the most concerning of the things that we found was essentially the health care sector in the UK was the riskiest part of this.

Terry Gerton Does the report go into why there’s such a variance in risk tolerance maybe across those different countries?

Eric Wenger Some of it has to do with whether or not you have a programmatic way of thinking about this as a problem and then applying resource and time to trying to address it. And then some of it has to do with how the technology is managed and owned.

Terry Gerton The study comes up with a particular definition for end of life technologies. Walk us through that.

Eric Wenger Yeah, so at some point, the technology becomes essentially too old to effectively secure. And you can continue to try to develop patches for it, but it’s a little bit like a sieve where you’re putting your finger over some of the holes. And so it’s fundamentally insecure. And so we at Cisco will produce a published timeline where we say, we’re stopping selling this product. And at that same time, we announce a schedule for how much longer we will provide software support, security patches. Eventually we cease the ability to actually obtain replacement hardware, and then at some point we say that that product is no longer supported in any way, it’s reached its end of life. And that’s a critical time in the aging of a technology because from that point on the technology doesn’t receive any sort of attention from the vendor and becomes increasingly risky.

Terry Gerton So we’ve all heard stories in the U.S. Government of systems that are running on 50-year-old COBOL code. It’s way past its end of life, probably. What does this study tell all of us about how to manage those kinds of systems and the risks that they present?

Eric Wenger Some of this in our daily lives is actually taken care of in a way that is more transparent to us. And we’re accustomed to it. You can’t actually use an old phone. If I have an iPhone or an Android phone and it’s more than a few years, maybe five years, I forget the exact number. It no longer connects to the store. It doesn’t take updates any longer. You start to get warnings that this thing is no longer safe to use. And then to the extent we use those devices in our work lives, you can’t connect to your work network anymore. And so they start to become less functional to you. And it becomes a forcing moment where you make a decision to move on. A lot of this older networking technology actually just sits in a closet. And it continues to do and perform in a way that seems like it’s doing its job. But as this report notes, it becomes increasingly risky. And so what we’re trying to do is draw attention to that problem so people understand that there is another side to the network, which has to do with its ability to be attacked and exploited, even if it looks like it’s doing its job.

Terry Gerton You make a really interesting point there because you’re right, when your phone stops connecting to the network, you’re like, oh, I need to get a new phone. What does it take to get decision makers to understand the risks of this old networking technology so that they’ll go, oh, I need to invest?

Eric Wenger Yeah, and let’s first talk about how old we’re talking about. So if we look at the very highly publicized campaign that was aimed at critical infrastructure networks, water treatment facilities, electricity distribution grids, where the U.S. government has said that this is a nation-state-sponsored attack, and what they’re doing is prepositioning malware in these locations so that they could eventually disable them if they needed to. The technology, I think there’s three parts to this ecosystem. There are victims, which are the systems that are attacked. There are the vectors, which are the jumping through points where somebody’s going, the villains who are undertaking these activities are trying to get to the victim networks. And in this case, many of those vector systems, the ones that they were jumping through, were old small office and home office routers. How old? The equipment that came from Netgear and Cisco is no longer being sold anymore. I looked back at the Cisco equipment. It was produced somewhere between 2008 and 2020. And at that point, Cisco produced a schedule saying it was no longer going to be supported with software updates as of about 2023. And now we’re talking about 2024, 2025. This equipment has for years now no longer been even capable of being patched. It was originally produced, as I said, in 2008. There’s about a three-year time window that it takes to design, develop, deploy technology. So now we are talking about equipment that comes back from 2005 that’s sitting in networks 20 years later, and I defy you to look around your home, your office, and find equipment that you’re using on a daily basis that is 20 years old that you would rely upon for anything that’s critical.

Terry Gerton I’m speaking with Eric Wenger. He’s senior director for technology policy at Cisco. So this doesn’t feel like a new problem here in federal government. We’ve tried the technology modernization fund, we’ve tried working capital funds, we’ve tried direct appropriations, we’ve tried outsourcing software as a service. What is it going to take? What recommendations does the report make in terms of enabling decision makers to actually appropriate the funds to make these kinds of hardware investments?

Eric Wenger Yeah, there are a few critical steps here. One is to have some sense of the size of the problem. And so having an asset registry that allows you to understand what technology you’re using, that you’re relying upon, how critical it is and how old it is, is a key part of this. A second step is for you to have an understanding for the technology that you cannot patch, that is too old to patch. What would be the cost of replacing it? And how does that compare to the risk? And that’s part of the idea of the study is to give us an understanding of the costs associated with staying in place. And then we can compare that to the cost of replacement. For those things that we decide that we don’t have the resources right at this moment to replace, then we need to do something else. We need to think about, how do we apply isolation and segmentation as a strategy, or additional surveillance as a way of applying compensatory controls for those things that we can’t currently afford to replace? And then we need to think about how do we change the dynamic on a going forward basis. This may require new ways of budgeting. We can talk a little bit about how the government spends its money. And consuming technology in different ways. So the government doesn’t typically buy cars anymore. It leases them. And so we can think about technology as a service instead of something that the government buys as a way of helping to make sure that the Government is always relying, especially in critical places, on technology that is still supported by the vendors.

Terry Gerton So the shorthand term, I guess, is technology debt or tech debt. Can we just buy ourselves out of this problem? Are there other things that we need to consider, policies, workforce, integration, strategies that really pull all of this together?

Eric Wenger Well, as we discussed so far, having some transparency about the technology that’s being relied upon is important because you can’t manage what you don’t see. And then thinking about how the government spends its money is another important piece of this. The study also highlights data that comes from the GAO from, I think it was 2023, showing that the government at that point was spending $100 billion a year on IT, and about $80 billion of that was on maintenance of technology. And we also know that the older technology becomes, the more expensive it is to maintain it. And so that means that every year a bigger percentage of the government’s budget is consumed on just keeping the lights on for the things that it has and that it has been using. And that crowds out the ability to do things that are innovative, to buy new technology that’s capable of dealing with quantum resistance, to deploy new artificial intelligence capabilities. And then in addition to that, the ability to make sure that we’re using technology that is capable of being supported.

Terry Gerton You talked earlier about technology as a service. You just mentioned quantum and AI. Walk us through this new concept that the paper presents, secure by default configuration.

Eric Wenger Yeah, so one of the things we found is over the years we provide mountains of information to our customers to help them to understand how to secure their technology devices. We have hardening guides and we have guidance that we can give them about what they should do. It’s very complicated, and it actually requires a fair amount of knowledge to be able to configure systems correctly. And so what we’ve decided to do is to take the guesswork out and to actually, increasingly ship our devices in a way so that they are scalably secure in a simple way by default. And that means that, for now, we’re going to push out versions of our technology that will warn you when you start to do something that’s insecure. So if you go to use a protocol that we recommend as being deprecated or no longer used, it’ll say, hey, you’re putting this device in an insecure state. Are you sure you want to do that? In the future, we plan to turn some of those insecure options off and make it impossible for you to use the technology in a way that’s going to create these kinds of unacceptable risks.

Terry Gerton So if you’re a CIO or CTO now, you probably know what systems you’ve got out there that aren’t up to modern secure standards, but you can’t just turn them off because you don’t have anything to replace them with. So how should these folks who really are on the front lines of cyber defense think about building a strategy or an investment plan that future proofs their modernization?

Eric Wenger Yeah, so changing the way we buy technology is one way to think about this. As we’ve talked about, the idea of something like a network as a service or technology as a service is one important strategy. We also, in addition to potentially isolating and segmenting things or applying additional surveillance to things that you can’t immediately replace, have some hope that artificial intelligence in this space can help us to augment our ability to protect things that are difficult to secure right now. And so we could potentially use artificial intelligence as a way of testing in real time the application of patches to technology, and then see whether or not it creates unacceptable changes to how the systems operate. Much in the way that social networks use A-B testing in real time to see whether or not something changes the way a system works in an unacceptable way, we can actually, in real time, out of band, test the application of a patch. And then we’re also working on the idea of being able to monitor the kernel and to guard against exploits before the vulnerabilities have been written. I think an important statistic that we see in this study has to do with research that was done by Google on the mean time to exploit. If we look back to 2018, it took attackers about 63 days to reverse engineer a patch, and we see that timeline accelerating dramatically by 2022, 2023. It takes about five days for that to happen. We can forecast with pretty good accuracy that we’re moving towards not just months or days, but potentially hours. And why does that happen? Because when we put out a patch, malicious actors can try to see the difference between the system that has been patched and the system that is unpatched, figure out what the changes were, and then try to write exploit code that attacks those things.

Terry Gerton There’s a lot of recommendations and lessons learned in this report. If you had to pick only one, what would be the most urgent step that you would advise government technologists to take?

Eric Wenger The most important thing is to know what technology you have. And then from there, you’re able to figure out how old it is, whether it’s in support, what your options are, where you can go from there. But if you don’t have an idea of what technology you are reliant on, you can’t really make effective decisions.

Copyright
© 2026 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.