Aging digital infrastructure equipment like routers, network switches, and network-attached storage—has long posed a silent risk to organizations. In the short term, it’s cheaper and easier to just leave those boxes running in a forgotten closet. But this infrastructure may have old, insecure configurations, and legacy tech is often no longer supported by vendors for software patches and other protections. As generative AI platforms make it easier for attackers to find and exploit vulnerabilities in targets’ systems, the network tech company Cisco is launching an effort to raise awareness about the issue and promote improvements—both for ancient Cisco devices and products from other companies that are still in use.
Dubbed “Resilient Infrastructure,” the initiative includes research and industry outreach as well as technical shifts in how Cisco manages its own legacy products. The company says that it is launching new warnings for its products that are approaching end of life, so if customers are running known insecure configurations or attempt to add them, they will receive a clear and explicit prompt when they update a device. Eventually, Cisco will go a step further to completely remove historic settings and interoperability options that are no longer considered safe.
“Infrastructure globally is aging, and that creates a ton of risk,” says Anthony Grieco, Cisco’s chief security and trust officer. “The thing we’ve got to get across is this aging infrastructure wasn’t designed for today’s threat environments. And by not updating it, it’s fostering opportunities for adversaries.”
Research conducted for Cisco by the British advisory firm WPI Strategy looked at the prevalence and impact of end-of-life technology in the “critical national infrastructure” of five countries: the United States, United Kingdom, Germany, France, and Japan. The study found that the UK (followed closely by the US) faces the biggest relative risk of the group from widespread use of outmoded, legacy technology in key sectors. Japan had the lowest relative risk—thanks, the report says, to more emphasis on consistent upgrades, decentralization in critical infrastructure, and “a stronger, more consistent national focus on digital resilience.”
In general, the research also emphasizes that breaches and other cybersecurity incidents around the world regularly involve attackers exploiting known vulnerabilities that could be avoided through patching or upgrading end-of-life technology.
“The status quo is not free—there is actually a cost, it’s just not being accounted for,” says Eric Wenger, Cisco’s senior director for technology policy. “If we can help elevate this risk to something that is treated as a board-level concern, then hopefully that will help to underscore the importance of making an investment here.” As an industry, he adds, “we’re not making it hard enough for the attackers.”
