By Patrick Marshall

Blog archive
Ghost in a data center

Is the next big cyber threat lurking in government systems?

The evolution of IT can take place at revolutionary speed, and when systems don’t keep up with the pace of change they can become vulnerable to serious risks, says retired Lt. Gen. William T. Lord, former Air Force CIO.

“I think that the next Achilles’ heel is legacy software,” Lord said.

A combination of unsupported software, well-known vulnerabilities and new applications that expose old platforms to networks can create unnecessary complexity and open critical systems to threats, he said.

Not every piece of old software is a risk, however. “Some of the things we use in our nuclear command and control are so old, but so reliable and unconnected to anything else, that it probably does not pose a threat,” Lord said. “But our problem is that most of our legacy systems in government are 20 or 30 years old,” and need to be updated.

Fixing this installed problem will requires more flexible contracting to let government take advantage of smaller, more nimble contractors. Lord, who now is an IT systems and services consultant, is making legacy software something of a crusade in his post-military career, calling it the greatest obstacle to IT progress in government.

Defining “legacy software” can be difficult. Some would argue that any software in use can be called legacy, because if you’re using it, it’s already old. Most would agree that any software still in use that is not supported by its developer or vendor could be classed as legacy. There is a huge installed base of this. A recent analysis by the Web Security company Websense, for example, found that three quarters of government computers are running unsupported versions of Java.

Getting rid of legacy software is even harder than defining it. Wholesale programs can be expensive and often end in failure. The Air Force in 2004 began a program to replace 240 outdated systems in its Expeditionary Combat Support System with an Enterprise Resources Planning system. A contact was awarded to Computer Sciences Corp. in 2006 and terminated six years and $1 billion later. “The effort got stopped,” Lord said.

The problems included “budget doldrums,” which complicates almost any kind of project, and the difficulty of finding a good time for replacing operational systems. This can be particularly difficult with combat support systems when the combat never stops, Lord said. “In my experience in the Air Force, there was no end to the battle.”

The skills needed to update, modernize or replace legacy software can come from non-traditional service providers, he said — smaller software companies that often do not have the resources to compete in the government market. It would help to have major league contractors partner with the minor league companies for government contracts, but there often is little government incentive for this.

Agencies are supposed to make small and minority-owned business contracts, but accounting policies give contracting officers little credit for acquiring services from small companies through a larger contractor, Lord said.

Another problem is a lack of dedicated money for fixing vulnerabilities in old applications. The Air Force sets aside money for hurricane damage, but not for software bugs, so that maintaining old software is difficult. Government needs to realize that vulnerabilities are as inevitable as bad weather, Lord said. “We haven’t caught up with that kind of thinking.”

Posted by William Jackson on Apr 09, 2013 at 9:39 AM


  • Congress
    Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

    Jim Langevin's view from the Hill

    As chairman of of the Intelligence and Emerging Threats and Capabilities subcommittee of the House Armed Services Committe and a member of the House Homeland Security Committee, Rhode Island Democrat Jim Langevin is one of the most influential voices on cybersecurity in Congress.

  • Comment
    Pilot Class. The author and Barbie Flowers are first row third and second from right, respectively.

    How VA is disrupting tech delivery

    A former Digital Service specialist at the Department of Veterans Affairs explains efforts to transition government from a legacy "project" approach to a more user-centered "product" method.

  • Cloud
    cloud migration

    DHS cloud push comes with complications

    A pressing data center closure schedule and an ensuing scramble to move applications means that some Homeland Security components might need more than one hop to get to the cloud.

Stay Connected

Sign up for our newsletter.

I agree to this site's Privacy Policy.