Securing Critical Infrastructure by Tackling Technical Debt
As policymakers confront new cybersecurity challenges from emerging technologies like AI and quantum computing, an urgent threat hides in plain sight—end-of-Life (EoL) technology beyond its supported lifespan. Headlines focus on novel threats and futuristic defenses, while outdated network equipment and software in critical infrastructure already pose a clear and present danger. This is demonstrated by high-profile nation-state sponsored campaigns targeting unpatchable technology—such as Volt Typhoon. Addressing this threat requires urgent and focused attention, beginning with a common understanding of the size and scope of the problem.
When technology reaches the scheduled EoL, vendors stop providing security patches or support. Continued reliance on unsupported technology creates a significant and growing risk of exploitation.
Available estimates suggest that globally, nearly half of business network infrastructure assets were aging or already obsolete at the beginning of this decade. To date, there has been inadequate data to effectively assess how this exposure varies across critical sectors and national markets, or to compare the risks of failing to manage “technical debt” against the costs of replacement investments.
New Research Fills a Critical Gap
WPI Strategy’s report, “Update Critical: Counting the Cost of Cybersecurity Risks from End-of-Life Technology on Critical National Infrastructure,” highlights this growing global challenge and offers recommendations for policymakers and private sector leaders. Commissioned by Cisco, this research provides a novel approach to comparative analysis of EoL risk across key markets (US, UK, France, Germany and Japan) and critical sectors including healthcare, energy, water, manufacturing, and finance.
The findings are staggering. In the U.S., 80% of federal IT spending goes to operating and maintaining existing—often legacy—systems, increasing risk to critical infrastructure. Some 60% of EU cyber breaches in 2022-2023 exploited known vulnerabilities for which patches existed but were not applied, underscoring that basic cyber hygiene remains a fundamental challenge. The report examined countries and sectors, with healthcare consistently emerging as particularly vulnerable. It found that proactively tackling EoL technology offers a clear, strategic route to significantly raise cyber resilience across critical sectors—and that by addressing vulnerabilities before they are exploited, we can better protect essential services and citizens.
Practical Policy Recommendations
As governments and the private sector consider how to best allocate resources and securely deploy AI, the report offers several actionable recommendations:
- Asset Management as Foundation: All critical infrastructure operators should maintain live technology asset registers that identify equipment approaching or at end-of-life status. You can’t manage what you can’t see.
- Clear Lifecycle Management Assessments: Operators should continually assess whether aging technology should be replaced or, if replacement isn’t immediately feasible, require documented risk mitigation plans with specific timelines.
- Enhanced Incident Reporting: Where incident reporting mechanisms exist, ensure they capture data on EoL technology’s role in breaches. This transparency creates accountability and helps identify systemic patterns.
- Reform IT Investment Models: In the public sector, technology funding is typically divided into two separate budgets: one for buying new systems (capital expenditure) and another for maintaining existing ones (operational costs). This approach can lead to most of the budget being used just to keep current systems running, leaving little room to invest in new technologies. To address this, governments should consider whether subscription or consumption-based models offer cost efficiency and security benefits.
The Path Forward
This research is particularly relevant not only during Critical Infrastructure Security and Resilience Awareness Month but also as nations invest in quantum-resistant encryption and AI infrastructure—and work to more efficiently deliver services to citizens. These initiatives will falter if built on foundations riddled with obsolete, unpatched technology and where budgets are consumed maintaining aging systems rather than remediating them. Equipment quietly running in server rooms may not show up on balance sheets, but from a security standpoint, they are shadow liabilities.
This research provides policymakers and the private sector with both the evidence base and practical frameworks to address this challenge systematically. By improving visibility into technology lifecycles, reforming funding models, and establishing clear management requirements, we can shift from reactive incident response to proactive risk reduction—tackling vulnerabilities before they can be exploited.
To that end, Cisco is focused on ensuring governments and organizations have the secure, resilient, and data-ready infrastructure needed to harness AI and defend against evolving cyber threats. Cisco is driving resilient infrastructure through a new effort that Cisco SVP and Chief Security & Trust Officer Anthony Grieco announced today to increase the default security of our own products by removing capabilities that become recognized as insecure and introducing new security features that strengthen the security posture of network infrastructure as well as provide better visibility into the activities of threat actors. Cisco is also calling on customers, partners, and other organizations to evaluate their high-risk behaviors and update outdated technologies to tackle technical debt and improve infrastructure resilience as we unlock this AI era.
