Wyden urges government agencies to ditch Flash

Come the end of 2020, it will be time to stick a fork in Adobe Flash. That’s when, if you’ll forgive the mixed metaphor, the malware petri dish will officially be toast.

Unfortunately, that doesn’t mean that government agencies are going to toss Flash into the compost pile

After all, the government doesn’t have an easy time letting go. Take, for example, the zombie-like Windows XP: it’s still in use by US government agencies (and plenty of other people), despite Microsoft having pulled life support away from the operating system back in 2014.

Let’s not go there this time, said Oregon Senator Ron Wyden on Wednesday. The senator suggested in a letter sent to three government agencies, let’s come up with solutions and procedures to mandate removal of Adobe Flash content from all US government websites by 1 August, 2019.

The letter was addressed to officials at three agencies that should be on top of this well before Adobe’s Flash end-of-life date: the National Institute of Standards and Technology (NIST), the National Security Agency (NSA), and the Department of Homeland Security (DHS).

Wyden pointed to the technology’s “serious, largely unfixable cybersecurity issues,” which can “allow attackers to completely take control of a visitor’s computer, reaching deep into their digital life.” It’s bad enough now, he said. After 2020, when Adobe will provide neither technical support nor security updates, the situation will only get worse.

The three agencies provide the majority of cybersecurity guidance to government agencies, Wyden wrote in his letter, and as such, they should be ensuring that government workers are protected from cyber threats. Yet to date, they’ve issued no public guidance, he said, in spite of the looming, critical deadline.

To that end, Wyden would like to see the officials do these three things:

  1. Mandate that government agencies shall not deploy new, Flash-based content on any federal website, effective within 60 days.
  2. Require federal agencies to remove all Flash-based content from their websites by 1 August, 2019. To help them do so, expand the cyber-hygiene scans DHS routinely performs on federal agencies to include Flash content on the agencies’ websites. Also, provide each agency with a list of Flash content on their websites, along with guidance on how to promptly transition away from it.
  3. Require agencies to remove Flash from desktop computers by 1 August, 2019, starting with a pilot program to remove it from a small number of employee desktop computers by 1 March, 2019.

According to web technology survey site W3Techs, only 4.5% of websites are now using Flash: a number that’s, thankfully, considerably less than the 28.5% market share the site recorded at the start of 2011.

But as pointed out by Bleeping Computer, that decline isn’t all that reassuring, given that it refers to “all Internet sites, not just a small portion of Top 10,000 or Top 1 Million sites.”

Given how dangerous Flash is, Wyden’s exhortations make sense. Let’s hope that somebody – a lot of somebodies, at that – are listening at DHS, NIST and NSA. The work to eradicate Flash should have started long ago, but “now” is much better than “never.”