Dec 07 2015

Legacy Federal IT Systems Are a Ticking Time Bomb of Risks

Federal agencies are moving to update their IT systems, but the shift needs more urgency.

Federal CIO Tony Scott has sounded the alarm on the threats posed by continued use of legacy federal IT systems and the need to transition to new, cloud-based architectures. Scott has called the looming problems posed by outdated IT systems at federal agencies “a crisis that is bigger than Y2K.”

Archaic IT systems, many of them more than two decades old, cost a great deal to maintain and are also more vulnerable to cyber attacks. Additionally, Scott has noted that older workers who know the systems (and the 1960s-era COBOL programming language many of them are written in) are retiring, and younger federal managers and rank-and-file employees do not have the requisite knowledge or experience to maintain them. Federal IT professionals acknowledge that they need to update their systems, but say that there are several roadblocks to doing so, according to a recent report.

Security Vulnerabilities Exposed by Older Systems

Speaking last month at the President’s Management Advisory Board meeting in Washington, Scott said the existing IT systems are not built with security in mind, and making sure they are protected is becoming more expensive and difficult as time goes on.

“There is a lot of modernization that has to take place, and it won’t happen just by people haranguing us to either save money or move faster,” Scott said last month, according to Federal News Radio. “We have to have a theory of operation. We have to have some experiments that will help us figure out what’s the best way to move off some of the legacy architectures, and move more quickly to modernize this core set of applications and infrastructure that we’re all challenged with.”

Scott said that moving to a cloud-based and “more shared infrastructure, shared capability” would be a sound strategy for agencies to pursue. “But it will take some significant transformation and significant rearchitecting of what we have,” he added.

Around three-quarters of the $80 billion the federal government spends on information technology each year is used just to keep legacy systems running, notes NextGov.

The security vulnerabilities posed by legacy IT systems were most dramatically exposed in the hack of the Office of Personnel Management’s systems earlier this year, which exposed the personal information of more than 20 million people, including past and present government employees.

COBOL, an outmoded programming language, is still used widely in many federal agencies, as FedTech reported last year. Many of OPM’s systems are written in COBOL and are more than 25 or 30 years old, federal officials have said.

The age of those systems had direct security consequences. Social Security numbers in OPM’s databases were not encrypted at the time of the breach because “it is not feasible to implement on networks that are too old,” former OPM Director Katherine Archuleta testified before Congress in June. Archuleta resigned in July under pressure from Congress in the wake of the security breach, and was replaced by Beth Cobert on an acting basis.

Getting Ahead of the Crisis

Scott has promised to provide federal agencies with guidance and, possibly, incentives to get off legacy systems and upgrade to newer ones, according to Federal News Radio.

However, according to a report released last month by MeriTalk, although federal IT managers say they urgently need to modernize their systems, not a lot is being done on that front.

The report, which surveyed 150 federal IT managers familiar with their agency’s applications portfolio, found that 92 percent of those surveyed said it is urgent for their agency to modernize legacy applications. According to the survey, the driving factors include security issues (42 percent), time required to manage or maintain systems (36 percent), inflexibility (31 percent) and integration issues (31 percent).

Further, 62 percent said if they do not modernize their legacy applications, mission-critical capabilities will be threatened by risks such as security breaches (52 percent), performance issues (47 percent), increased downtime and service disruptions (40 percent) and a failure to deliver on their agency’s mission (39 percent).

Despite the widespread concern, just over half of agencies (53 percent) have a formal application modernization strategy in place today, and only slightly more than one in four (28 percent) have developed a business case around renewing or replacing existing applications.

Why is there such a disconnect between the burning desire to modernize and a lack of steps being taken to actually move away from legacy systems? According to the survey, 45 percent of those surveyed said they lacked the budget to do so, and 40 percent cited concerns about disruptions to mission-critical services. Additionally, 20 percent said they are simply overwhelmed by all of the options they have to move to more modern applications.
