Sen. Ron Wyden sent a letter Wednesday urging government agencies to start abandoning Adobe Flash, an antiquated and vulnerable multimedia software platform that will stop being maintained in nearly two years’ time.
“I write to request that your agencies collaborate to end government use of Adobe Flash in light of its inherent security vulnerabilities and impending ‘end-of-life’ in 2020,” Mr. Wyden, Oregon Democrat, wrote to officials at the National Institute of Standards and Technology, National Security Agency and Department of Homeland Security.
“While Flash will continue to exist past this point, it will no longer receive necessary technical support, significantly magnifying its existing cybersecurity deficiencies,” the senator wrote.
First developed by FutureWave over 20 years ago, Flash was initially used as a graphics and animation tool before becoming one of the internet’s most popular platforms for streaming audio and video the following decade. Macromedia acquired FutureWave in 1996, and by 2004 the company claimed that its proprietary Flash player was installed on more than 98 percent of internet-connected desktop computers.
Flash has been persistently plagued by vulnerabilities that have made the platform particularly prone to hackers, however, and Adobe said last year that it will stop maintaining the platform at the end of 2020, effectively abandoning efforts to fix any flaws existing after that point.
“As the three agencies that provide the majority of cybersecurity guidance to government agencies,” Mr. Wyden wrote, NIST, NSA and DHS “must take every opportunity to ensure that federal workers are protected from cyber-threats and that the government is not intentionally supporting risky online behavior.”
“To date, your agencies have yet to issue public guidance for the unavoidable transition away from Flash. A critical deadline is looming — the government must act to prevent the security risk posed by Flash from reaching catastrophic levels.”
Mr. Wyden concluded his letter by asking the agencies to work together to ensure the government does not deploy any new, Flash-based content on any federal websites, and starts removing existing Flash content from government websites and computers.
Spokespersons for the DHS, NSA and NIST told The Washington Times that the agencies will respond to Mr. Wyden’s letter as appropriate.
The U.S. Computer Emergency Readiness Team (US-CERT), a division of DHS, has warned of cybersecurity risks involving Flash since 2010, and each of the top 10 vulnerabilities targeted by hackers using exploit kits in 2015 related to Adobe Flash, the Solutionary cybersecurity firm concluded in a 2016 report.