Legacy systems carry innate vulnerabilities because of their age.
Will Ash is senior director of security for U.S. public sector at Cisco Systems.
Out with the old and in with the new. The phrase is undoubtedly applicable when discussing some of the technologies and systems still being used by U.S. government agencies.
Earlier this year, a Government Accountability Office report cited several examples from agencies using technology more than 50 years old.
Remember when computers used floppy disks? The Pentagon’s Strategic Automated Command and Control System, which controls U.S. nuclear operations, is running on a computer from the 1970s that still uses 8-inch floppy disks.
The Veterans Affairs Department’s payroll system is using a version of a programming language called Common Business Oriented Language, or COBOL, developed in the 1950s and ’60s. This same outdated language is also used to track veteran claims for benefits, eligibility and dates of death.
Also, the Treasury Department is using assembly language code, a 50-plus-year-old computer code difficult to write and maintain, to track tax information and refunds for both individuals and businesses.
In addition, programming languages like COBOL are so outdated that most universities don’t offer them as part of the curriculum. As a result, agencies using older languages now face a shrinking talent pool from which to find and maintain personnel with the skills needed to use this technology.
Not only do legacy systems present obstacles from an operations standpoint, but they also carry innate vulnerabilities because of their age. There is a large pool of legacy systems and technology in government that is nearing end-of-life or end-of-support. For instance, the Transportation Department’s system to track hazardous material incidents is not only old, it uses an application that is no longer supported by the manufacturer and that presents security risks.
One of the more notable issues for agencies is the network infrastructure security challenges caused by server applications that aren’t being updated. In many cases, these are big applications agency employees use daily, but the patches being issued aren’t being adopted fast enough, which leaves organizations vulnerable and opens doors for malicious actors to enter the network. Further, threat actors today are evolving so quickly that once an agency does patch one vulnerability, it’s highly likely threat actors have already found a workaround to that patch.
Modernizing IT infrastructure is critical to combating today’s threats. Breach campaigns can last for months with actors navigating networks unnoticed for significant time before an actual attack is launched. Legacy systems enable this behavior by giving threats what they want: time to operate.
Investing in updated infrastructure will help close that window and reduce the bad guys’ time to operate. Modern infrastructure offers a foundation for agencies to adopt the latest threat detection capabilities, something that isn’t possible with legacy systems. Maintaining legacy technologies has handcuffed federal agencies, keeping them from being able to improve security.
On top of these concerns, the growing cost of maintaining legacy systems and technology is a significant problem. The GAO report found agencies spent more than 75 percent of the IT budget for fiscal year 2015 on operations and maintenance as opposed to development and modernization. And a more recent report from IDC Government Insights found that number to be even higher, with some agencies spending upwards of 90 percent of their IT budget on operations and maintenance.
The good news is the need for IT modernization has been getting increasing attention. The Modernizing Government Technology Act passed in the House with bipartisan support. The goal of the bill is to create working capital funds from which agencies could apply for funding for specific modernization efforts.
Putting aside the details, this is generally a good sign because it means government legislators and chief information officers are recognizing the effect modernization decisions will have on both federal operations and security moving forward.
This is true from an innovation standpoint as well. Cloud-based solutions and shared services models present new opportunities for government, but many agencies need to refresh their IT core in order to launch these applications.
Also, all of the exciting opportunities surrounding the internet of things—smart city technologies, the connected battlefield and smart buildings—can’t be realized without updating outdated infrastructure. And the advanced security and real-time capabilities needed to effectively protect these connected environments can’t be deployed without modern, digital-ready infrastructure at the core.
The lesson is simple—you can’t put a new addition on a house if the foundation beneath won’t support it. Government modernization has a long way to go, but it sounds like we’re heading down the right path.