A US senator has written to three key government agencies responsible for federal cybersecurity, urging them to begin the transition process away from Adobe Flash.
Oregon senator, Ron Wyden, wants the Department of Homeland Security (DHS), NSA and NIST to collaborate to end government use of the buggy software before it is “end-of-lifed” in 2020.
“As the three agencies that provide the majority of cybersecurity guidance to government agencies, the National Security Agency, the National Institute of Standards and Technology and the Department of Homeland Security must take every opportunity to ensure that federal workers are protected from cyber-threats and that the government is not intentionally supporting risky online behavior,” he wrote.
“To date, your agencies have yet to issue public guidance for the unavoidable transition away from Flash. A critical deadline is looming — the government must act to prevent the security risk posed by Flash from reaching catastrophic levels.”
Wyden demanded three actions be taken: that no new Flash content is deployed on any federal website, starting from within the next 60 days, that all agencies remove Flash content by August 1 2019 and that they remove Flash from employee desktop computers by the same deadline.
He claimed these efforts could be accelerated by an expansion of DHS cyber hygiene scans of agencies to include Flash content. The department could then provide a list to each agency of all the locations of Flash content on their sites along with guidance on how to transition away from it.
Known vulnerabilities are arguably a bigger preventable risk than eye-grabbing zero days: just 14 of the 19,954 vulnerabilities reported by Flexera in 2017 were zero-days, a 40% decrease from 2016.
Adobe Flash has long been a magnet for hackers and continues to get regular updates each Patch Tuesday, although system administrators often struggle to prioritize and keep up-to-date with the barrage of fixes issued by vendors, most with different update mechanisms.
Wyden is know for his tech literacy, introducing the first net neutrality bill back in 2006, and is a regular champion of cybersecurity and internet freedom on the Hill.