Senator Asks NSA, DHS, NIST to End Government Use of Flash

A day after Google took plaintext HTTP for a nice ride in the country, Sen. Ron Wyden (D-Ore.) sent a letter to the director of the NSA, the secretary of Homeland Security, and the director of the National Institute of Standards and Technology asking them to do the same with Adobe Flash on government websites and computers.

Flash has been a key target for attackers for many years thanks to its long list of critical vulnerabilities and its enormous installed base. The software is among the more widely deployed apps in the world, and older versions that haven’t been updated can be easy prey for many classes of attackers, as readily available exploit kits often include multiple Flash exploits. Adobe stepped up its efforts to harden Flash several years ago, but the web has transitioned away from Flash-based content and the company plans to end support for the software in 2020.

Wyden, a longtime member of the Senate Select Committee on Intelligence, is often outspoken on security and privacy issues such as encryption, cyber espionage, and cybersecurity policy. In his July 25 letter, he cited Adobe’s planned obsolescence for Flash, as well as its checkered security track record, as reasons the federal government should move quickly to remove it from its computers and sites.

“I write to request that your agencies collaborate to end government use of Adobe Flash in light of its inherent security vulnerabilities and impending ‘end-of-life’ in 2020,” he wrote.

“Flash is widely acknowledged by technical experts to be plagued by serious, largely unfixable cybersecurity issues that could allow attackers to completely take control of a visitor’s computer, reaching deep into their digital life. The United States Computer Emergency Readiness Team (US-CERT) has warned about the risks of using Flash since 2010. Adobe Systems, the company that maintains Flash, announced last year that the company will no longer provide technical support, including security updates, for Flash after 2020. At that point, Flash’s existing cybersecurity risks will only be compounded.”

Adobe announced its decision to eventually end updates for Flash in July 2017. All of the major browser vendors have published roadmaps for when they will stop allowing Flash content to run, and many of them already have limited Flash use, forcing users to manually choose to run Flash content.

Wyden chose the recipients of his letter judiciously. The DHS has the primary responsibility for defensive cybersecurity in the United States and the NSA serves both a defensive and offensive role. NIST, meanwhile, is the main technical standards-setting body for the federal government, and many private companies follow those standards, as well. In the letter, Wyden asks the heads of those three agencies to work together to mandate the removal of Flash from government machines and websites by August 2019 and to prevent any new Flash-based content from being deployed within 60 days.

“As the three agencies that provide the majority of cybersecurity guidance to government agencies, the National Security Agency, National Institute of Science and Technology, and the Department of Homeland Security (DHS) must take every opportunity to ensure that federal workers are protected from cyber threats, and that the government is not unintentionally supporting risky online behavior,” Wyden wrote.

“To date, your agencies have yet to issue public guidance for the unavoidable transition away from Flash. A critical deadline is looming--the government must act to prevent the security risk posed by Flash from reaching catastrophic levels.”