It is well known in the tech community just how faulty and exploitable Adobe Flash is. Browsers have tried to phase out the application by force, auto-disabling it and moving to HTML5. Governmental sources have been waking up to the issue as well, as evidenced by a recent action by U.S. Sen. Ron Wyden. Sen. Wyden, a Democrat from the state of Oregon, wrote a formal letter to the heads of the NSA, DHS, and NIST imploring them to eliminate Adobe Flash.
The letter lays out a plan as follows for ending Flash before its 2020 official phase-out by Adobe:
1. A mandate that prohibits government agencies from deploying “new, Adobe Flash-based content on any federal website effective, within 60 days.”
2. Having all government websites remove Flash content by the deadline of August 1, 2019.
3. Agencies should create a “pilot program” that removes Adobe Flash content from employee computers starting March 2019 and ending no later than August 1, 2019.
Sen. Wyden prefaces his plan by making the case against Adobe Flash, citing research from InfoSec experts that shows how dangerous the software is. The senator specifically points to the ability of a malicious actor to infiltrate and gain remote access via Flash exploits as the main grounds for phase-out. He then goes on to state how illogical it is for intelligence-oriented agencies like the NSA and DHS to operate with such faulty and hackable software (which makes sense considering the sensitive data that such agencies handle).
One other key point from the letter is Sen. Wyden’s rebuke of the federal government for being so slow to adapt to cybersecurity standards. He treats the continued use of Flash as on par with the continued use of Windows XP well past the end of its patch support. The senator is quite correct on all of these points, and the U.S. government would do well to listen to this letter, as well as to other voices in the public and private sectors calling for this shift.
In a bureaucracy that is so inept, it is nice for once to see individuals stepping up and attempting to hold the government accountable for its poor cybersecurity practices. Hopefully, this trend will continue to grow as time goes on.