Every agency knows the federal government is filled with legacy IT systems, and that to modernize technology infrastructure and move into the 21st century, they will need to upgrade or jettison such systems. Many of them are decades old, can no longer effectively receive security patches and do not have the functionality of modern solutions.
However, it is one thing for agency IT leaders to say they want to upgrade legacy systems and another to actually go about doing so. A recent white paper from Accenture Federal Services examining the unique IT modernization challenges agencies face offers a window into how.
Based on an exclusive survey of 185 federal IT executives, the report, “Decouple to Innovate,” notes that legacy systems pose cybersecurity risks and hinder innovation. If agencies want to modernize, they need to grapple with their “technical debt,” or the true cost associated with maintaining legacy systems, according to Dave McClure, the principal director of Accenture Federal Services, who leads its CIO leadership agenda. They can also upgrade by embracing Software as a Service cloud models.
How Legacy Systems Hinder Innovation and Security
According to the report, legacy systems leave agencies with a significant risk of a cybersecurity incident or outage. The survey found that 37 percent say outdated technology hinders their ability to protect against cybersecurity threats, and 46 percent separately reported that outages within their legacy systems involved a security breakdown.
As a result, 85 percent of these IT leaders believe that the future of their agencies will be threatened if they don’t update their technology. Legacy systems are putting agencies in danger, according to Accenture: 58 percent of those surveyed said their agencies experienced two to three major disruptions or outages over the past decade, and just 4 percent avoided any discontinuities within that timeframe.
“The primary threats are that legacy systems are usually running on software that is no longer supportable, and you’re totally dependent on a limited skill set in the workforce that can even code in the legacy code that’s there,” McClure says. “That creates vulnerability in and of itself. Second, it’s very poorly documented. It’s been built, in some cases, over three, four, five decades. The codification of what’s been done to the software over that long period of time is often lost or not recorded.”
That has perils: If users go in to modify code and do not know what the code is completely doing, they may wind up causing a system to fail.
Finally, legacy system software is often no longer supported by vendors, and does not receive regular security patches. “It creates an enormous vulnerability in our cyber posture, in that hackers can take full advantage of the fact that they know where this outdated code sits, and then there are easy entry points, despite our best efforts to put up perimeter defenses around those systems.”
Legacy systems hamper innovation because they were built in a different technological era, McClure says. It’s “very challenging” for some of this older software infrastructure to support the creation of new products and services in the environment that exists today, he says, with its agile software development, very flexible cybersecurity parameters that can be put around systems, and the ability to spin up cloud services in hours.
“It creates a situation where the agency is operating in such an antiquated environment that the demand for new products and services, the demand for new operating models to deliver services to citizens, the operational processes of the agencies themselves, just simply cannot be addressed with that older model with any kind of efficiency,” he says.
Why Agencies Must Grapple with Technical Debt
Technical debt has many components, according to the white paper. It is made up of principal costs, like financial debt, and interest costs — workaround costs such as staffing, delays and redundant systems that must be maintained because decisions to integrate or retire older systems have been deferred.
There are also liability costs: When systems are fragile and vulnerable, outages, breaches, or data corruption can occur, creating significant costs to patch software, restore systems, or in some instances replace hardware. And there are opportunity costs, which represent borrowing from the future due to the inability to support benefit-producing initiatives today.
The survey results indicated that 83 percent say that technical debt severely limits their ability to be innovative, and 79 percent report that it inhibits their responsiveness to change.
McClure notes that technical debt encompasses costs beyond just traditional operations and maintenance, which make up roughly 71 percent of the federal IT budget.
To get a better handle on their technical debt, agencies need to evaluate their infrastructure and application environment and triage by performing a business impact and cost analysis, McClure says. That should be done on an ongoing basis, he says.
McClure says agencies need a process to begin looking at their infrastructure and apps systematically “and in a very transparent manner, sharing the full costs associated with the current situation” with the agency leaders “who are making decisions about resources in the agencies,” he says.
Not all legacy systems are “evil and bad,” McClure notes, and some can be kept around. They perform what they have been asked to do, and there is not an imperative business priority to remove them. Some of them are backup systems and redundancy for disaster recovery purposes. Agencies cannot replace legacy systems overnight, he says, and so many are moving to hybrid cloud models that mix legacy, on-premises systems with public clouds.
How Agencies Can Upgrade Legacy Systems
To Accenture, “digital decoupling” is a process of using new technologies, development methodologies and migration methods to build new systems that execute on top of legacy systems, the white paper notes. For example, agencies can use open application programming interfaces, agile DevOps and cloud migration factories.
Those factories create a “systematic approach for doing, first of all, this triage application space to determine, from a cost and business impact perspective, what applications are performing well for you, and which are really candidates to replace.” It is a systematic review of applications and infrastructure that helps agencies build a strategy for putting together the skill sets and analysis to begin to set up more agile and SaaS implementations.
Agency leaders need to have a vision and determine “what can give you the biggest bang for your buck in terms of modernization,” McClure says. Legacy systems tend to lock agencies into proprietary databases and do not allow data to be shared on an agencywide basis. Data needs to be extracted from legacy systems, cleaned up, tagged properly and surrounded by web APIs so that developers can use the data to create new applications that provide new value to citizens or internal agency users, according to McClure.
Agencies can also procure cloud-based SaaS services that “literally replace legacy systems.”
“We have found that legacy core systems are less powerful in terms of their retention appeal when you see that there is software and systems in place, written in more modern code, that do the service and perform the computing power more quickly, more efficiently and with fewer service needs,” McClure says.