Wyden asks federal agencies to ditch Adobe Flash

The senator wants agencies charged with issuing federal cybersecurity guidance to get Flash off of government systems before 2020.
flash zero-day
(logo from Wikicommons/remixed by Greg Otto)

Sen. Ron Wyden has called on federal agencies to stop using Adobe Flash, multimedia software that has consistently proven vulnerable over the years.

Adobe will stop providing security updates for Flash in 2020, and Wyden, D-Ore., wants agencies charged with issuing federal cybersecurity guidance to get Flash off government systems before then.

“At that point, Flash’s existing cybersecurity risks will only be compounded,” Wyden wrote in a July 25 letter to the heads of the Department of Homeland Security, National Security Agency, and National Institute of Standards and Technology. “The federal government has too often failed to promptly transition away from software that has been decommissioned.”

The missive asks DHS, NIST, and the NSA to work together to produce a policy, effective within 60 days of its issuance, that bans the use of new Flash-based content on federal websites.


For Wyden, agencies should not just refrain from deploying Flash but also rid existing Flash-based content from their websites by August 1, 2019. To that end, Wyden asked DHS to “promptly expand the routine cyber-hygiene scans” it does of agency assets to include Flash content. He also called for the letter’s recipients to help produce an inventory of Flash content on each agency’s website, along with guidance to eradicate it.

Further, Wyden is proposing that agencies clear their desktops of Flash, staring with a “small number” of them via a pilot, and then all agency desktops by August 1, 2019.

“A critical deadline is looming,” Wyden wrote, referring to the end of technical support for Flash in 2020, and “the government must act to prevent the security risk posed by Flash from reaching catastrophic levels.”

Flash’s over two-decade history has been plagued by vulnerabilities, and popular web browsers’ abandonment of the software in recent years has hastened its demise.

Flash accounted for eight of the 10 vulnerabilities used in exploit kits over nine months in 2015, according to cybersecurity company Recorded Future. In May 2018, security researchers disclosed a vulnerability that they deemed a high risk to large and medium-size government organizations.


You can read Wyden’s full letter below.

[documentcloud url=”” responsive=true height=500]

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts