Between the costs of replacing core systems and the dwindling number of workers qualified to work on them, agencies have few good options.
The recent revelation of a breach at the Office of Personnel Management, which could have resulted in the theft of personal information of millions of government employees, also points up the broader problem government has with legacy systems -- whether it’s worth spending the money to secure them.
Not that securing the OPM’s systems would have done much good in this case -- according to the Department of Homeland Security Assistant Secretary for Cybersecurity Andy Ozment, the systems were not directly penetrated. Instead, attackers obtained OPM users’ network credentials and got to the systems and data from the inside.
Donna Seymour, the OPM’s CIO, told a recent House Committee on Oversight and Government Reform that the department was implementing database encryption, but that some of legacy systems were not capable of accepting encryption.
Some of the OPM’s systems are over 20 years old and written in COBOL, she said, which would require a full rewrite to include encryption and other security such as multi-factor authentication.
This is a government-wide problem. Many of the financial and administrative systems that are central to the agencies’ daily operations use the nearly 60-year old COBOL. Most agency CIOs have targeted those systems for replacement, but it’s not a simple rip-and-replace job -- any mistake could have a severe impact on the agency’s ability to fulfill its mission.
For that reason, many agencies have chosen to maintain those systems for now, but that’s not cheap, either. The OPM itself said last year that maintaining its legacy systems could cost 10-15 percent more a year as people with the right kind of expertise retire. And throughout government, legacy systems account for over two-thirds of the annual IT spend.
That expertise is unlikely to be replaced. Colleges aren’t turning out COBOL-trained coders anymore, and, with COBOL way down the list of popular languages, that won’t change. Agencies could bring in consultants to rewrite the code. But, again, not cheap.
And COBOL is unlikely to disappear anytime soon. Because of its ubiquity and utility, many organizations will continue to use COBOL until it’s pried out of their cold, dead hands. Meanwhile, old mainframe companies that have recently refocused on the cloud continue to update their COBOL tools to keep pace with current IT trends.
It’s not as if problems with legacy systems were the only reason for the breaches at OPM. Lawmakers also berated agency officials for their lack of attention to security governance issues that had been brought up years ago and were highlighted yet again last year in an OPM Inspector General report.
But the legacy issues are real and, according to some reports, extend even to “legacy” security systems such as signature-based firewalls, intrusion prevention systems and other widely installed devices that are just not capable of stopping modern, fast, sophisticated and chameleon-like threats.
However, at least the situation with the federal government is probably not as bad as that of a public school district in Grand Rapids, Mich., which is still running the air conditioning and heating systems for 19 schools using a Commodore Amiga -- as in the 1980s-era personal computer that was popular for home use -- because a replacement system reportedly will cost up to $2 million.
At least, we hope not.
NEXT STORY: NIST updates specs for next-gen PIV cards