old digital infrastructure Devices like routers, network switches, and network-attached storage have long been a silent risk for organizations. In the short term, it’s cheaper and easier to leave those boxes in a forgotten closet. But this infrastructure may contain outdated, insecure configurations, and legacy technology is often not supported by vendors for software patches and other security. As generative AI platforms make it easier for attackers to find and exploit vulnerabilities in targets’ systems, network tech company Cisco is launching an effort to raise awareness of the issue and promote fixes — both for ancient Cisco devices and products from other companies that are still in use.
This initiative, called “Resilient Infrastructure”, includes research and industry outreach as well as technological changes in the way Cisco manages its own legacy products. The company says it’s launching new warnings for its products that are nearing end-of-life, so if customers are running or attempting to add known unsafe configurations, they’ll receive a clear and unambiguous prompt when updating the device. Eventually, Cisco will go one step further and completely remove historical settings and interoperability options that are no longer considered secure.
“Infrastructure globally is aging, and that creates a lot of risk,” says Anthony Grieco, chief security and trust officer at Cisco. “What we have to understand is that this legacy infrastructure was not designed for today’s threat environment. And by not updating it, it is creating opportunities for adversaries.”
Research conducted for Cisco by British consulting firm WPI Strategy looked at the prevalence and impact of end-of-life technology in “critical national infrastructure” of five countries: the United States, the United Kingdom, Germany, France, and Japan. The study found that the UK (followed by the US) faces the greatest relative risk of the group from widespread use of old, outdated technology in key sectors. Japan had the lowest relative risk – thanks to consistent upgrades, decentralization in critical infrastructure and a greater emphasis on “a stronger, more consistent national focus on digital resilience,” the report said.
In general, the research also emphasizes that breaches and other cybersecurity incidents around the world routinely involve attackers exploiting known vulnerabilities that could be avoided by patching or upgrading end-of-life technology.
“The status quo is not free – it actually has a cost that is not being accounted for,” says Eric Wenger, Cisco’s senior director of technology policy. “If we can help elevate this risk to something that is treated as a board-level concern, then hopefully that will help underline the importance of investing here.” As an industry, he says, “we’re not making it hard enough for attackers.”