Eric M Russell (2/11/2016)
They ten years was their estimate to replace the entire system. It shouldn't take even one year just to upgrade their network and patch security holes. Typical of most government agencies, they're primarily thinking about how to expand their general operating budget and creating jobs for years down the road... not fixing security issues here and now. Government IT is the last place you want to go looking for innovation or best practices.
I have to disagree with you, Eric. While I'm sure the generalization is true in some places, it hasn't been in the places that I've worked at. I've spent pretty much my entire career in government, at one level or another, since 1988. I've seen some cool tech implemented, I've seen some good preemptive work, including unplugging our border router's external connection when I Love You hit. Our upstream connection, the City, got clobbered, we did not.
Best practices? Well, I can't attest to that. Budgets are always pretty tight, and it's hard to work against inertia to get new methodologies implemented. I think it's a case of 'win some, lose some'.
I agree: their network should have been patched within a year. All of the most grievous holes should have been propped up, if not completely repaired, within a year. It definitely takes a long time to do major change, even with buy-in all the way to the top.
-----
[font="Arial"]Knowledge is of two kinds. We know a subject ourselves or we know where we can find information upon it. --Samuel Johnson[/font]