What’s worse: Living with legacy systems or replacing them?

The recent revelation of a breach at the Office of Personnel Management, which could have resulted in the theft of personal information of millions of government employees, also points up the broader problem government has with legacy systems -- whether it’s worth spending the money to secure them.

Not that securing the OPM’s systems would have done much good in this case -- according to the Department of Homeland Security Assistant Secretary for Cybersecurity Andy Ozment, the systems were not directly penetrated. Instead, attackers obtained OPM users’ network credentials and got to the systems and data from the inside.

Donna Seymour, the OPM’s CIO, told the House Committee on Oversight and Government Reform at a recent hearing that the department was implementing database encryption, but that some of the legacy systems were not capable of accepting encryption.

Some of the OPM’s systems are over 20 years old and written in COBOL, she said, which would require a full rewrite to include encryption and other security such as multi-factor authentication.

This is a government-wide problem. Many of the financial and administrative systems that are central to the agencies’ daily operations use the nearly 60-year-old COBOL. Most agency CIOs have targeted those systems for replacement, but it’s not a simple rip-and-replace job -- any mistake could have a severe impact on the agency’s ability to fulfill its mission.

For that reason, many agencies have chosen to maintain those systems for now, but that’s not cheap, either. The OPM itself said last year that maintaining its legacy systems could cost 10-15 percent more a year as people with the right kind of expertise retire. And throughout government, legacy systems account for over two-thirds of the annual IT spend.

That expertise is unlikely to be replaced. Colleges aren’t turning out COBOL-trained coders anymore, and, with COBOL way down the list of popular languages, that won’t change. Agencies could bring in consultants to rewrite the code. But, again, not cheap.

And COBOL is unlikely to disappear anytime soon. Because of its ubiquity and utility, many organizations will continue to use COBOL until it’s pried out of their cold, dead hands. Meanwhile, old mainframe companies that have recently refocused on the cloud continue to update their COBOL tools to keep pace with current IT trends.

It’s not as if problems with legacy systems were the only reason for the breaches at OPM. Lawmakers also berated agency officials for their lack of attention to security governance issues that had been brought up years ago and were highlighted yet again last year in an OPM Inspector General report.

But the legacy issues are real and, according to some reports, extend even to “legacy” security systems such as signature-based firewalls, intrusion prevention systems and other widely installed devices that are just not capable of stopping modern, fast, sophisticated and chameleon-like threats.

However, at least the situation with the federal government is probably not as bad as that of a public school district in Grand Rapids, Mich., which is still running the air conditioning and heating systems for 19 schools using a Commodore Amiga -- as in the 1980s-era personal computer that was popular for home use -- because a replacement system reportedly will cost up to $2 million.

At least, we hope not.

Posted by Brian Robinson on Jun 19, 2015 at 10:55 AM

Reader Comments

Mon, Jul 27, 2015 fletzie Maryland

I totally disagree. It is not the COBOL or even the mainframes, since they are, when not connected to the internet, among the safest of repositories for data. The number one cause of data loss is people and not instituting safe handling of data. In addition, when the security of data traveling over the networks and internet is not secured, then these can lead to being able to gain entry to saved data. Yes, old hardware, but more likely network hardware and not the mainframes themselves if they have been updated and secured. Stop beating up on COBOL and start making everyone who has access to the data accountable for their piece!

Thu, Jul 9, 2015 Kevin Boyer Chicago, IL

You don't always have to choose between upgrades and living with old systems. Modern web/mobile UX can be built agnostic to the legacy systems and then an Experience Services layer can be built to communicate between the older systems and the modern user experiences. At ÄKTA we do this for big corporate clients all the time. It's called XOA, or Experience Oriented Architecture. Can also solve some security issues.

Thu, Jul 2, 2015

This was a management failure, period. None of my personal information needed to be exposed to the internet. This was an OPM internal function (only). Anything else was just a "convenience". That decision caused the failure. There was no excuse for this.

Thu, Jun 25, 2015

I read that a Windows Security Product vendor was the one who reported the possible break-in to OPM, from their demonstration on Windows-only boxes.

Tue, Jun 23, 2015

It was a RedHat OS with Adobe documents that were hacked. You may want to actually check facts, before you write a story.
