If you're a U.S. taxpayer, you've likely heard how Tax Day 2018 was uniquely rocky for the Internal Revenue Service (IRS). A series of technical problems prevented the IRS from processing tax returns filed electronically on 17 April. The agency rebooted its systems and restored them later that night, but it nevertheless extended the deadline for taxpayers to file their returns without penalty through 18 April in light of the outage. The IRS did not specify what went wrong at the time of this writing, but legacy systems might have had something to do with it. As reported by The Washington Post, many of the Internal Revenue Service's 60 IT systems have not received updates in decades. Two of them are nearly six decades old, making them some of the oldest systems in the U.S. federal government. It's possible these systems caused the computer glitch that brought down the IRS for a day.
Federal Agencies' Reasons for Having Legacy Systems
The incident at the IRS begs the question: why do federal agencies use legacy systems if they can interrupt regular business functions? One reason is that federal agencies prefer the stability afforded by these assets. Compuware CEO Christopher O'Malley noted this preference in a May 2017 article for FedScoop: When it comes to working code, the longer it’s been running, the better it becomes as bugs and inefficiencies are eliminated over time. CIOs from the Department of Health and Human Services, the IRS and the Defense Department are just a few that have said that their legacy systems, written in Assembler and COBOL, are well written and can be kept current through ongoing stewardship. Another reason why federal agencies keep legacy systems in place is because these information assets are often critical to day-to-day business. So long as the systems are effective, many federal agencies feel justified in keeping those resources in place and avoiding costly IT modernization projects that fail and subsequently result in a lawsuit.
Drawbacks of Outdated Technology
Of course, legacy systems have their drawbacks. Making outdated technology work with new solutions is what Gartner describes in its glossary as "one of the information systems (IS) professional's most significant challenges." This effort oftentimes requires extra money and time to ensure the systems use compatible data formats and can work together. Indeed, as much as 70-80 percent of federal IT dollars go to supporting legacy systems today, reported Government Technology magazine. Also, while some might prefer them for their stability, legacy systems are still outdated in the sense that they don't receive updates and patches. They are therefore susceptible to security vulnerabilities, and they might even lack security features with which newer technologies likely come equipped. Illustrating this fact, then-director of the Office of Personnel Management (OPM) Katherine Archuleta said at a 2015 hearing before the House Oversight and Government Reform Committee that Social Security numbers stored by the agency were not encrypted due to the networks being "too old." This deficiency was at least partially responsible for the 2014 OPM breach of 18 million former, current and prospective federal employees' data.
Modernization as a Way Forward
Government officials are aware of the problems associated with legacy systems. In May 2018, the Trump White House itself weighed in with an executive order (EO) designed to streamline federal agencies' IT management practices. A data sheet about the EO highlighted the "billions of dollars [spent] on failed IT investments" as well as the fact that "agencies have struggled to modernize IT systems, largely allocating resources toward the maintenance of older systems rather than using those funds to transition to modern technologies." This EO followed five months after President Trump signed the Modernizing Government Technology Act into law. Under this legislation, the White House Office of Management and Budget (OMB) created the Technology Modernization Fund Board to oversee $100 million in modernization efforts. The Board had received nine projects from seven federal departments as of April 2018. OMB slated four of those to move on to the second phase in the proposal process, reported Nextgov at the time, and encouraged departments to continue to submit ideas. For Tripwire's federal sales director Keren Cummins, DevOps combined with security is one of the first ideas that comes to mind. Cummins wrote in an article for Nextgov that "DevSecOps" could accelerate replacement projects and new applications:
Security professionals who are willing to assert themselves, partner with their DevOps teams, and shift their engagement to the left in the development cycle will enable their agencies to release software even faster, because they will not be imposing a traditional (and now largely irrelevant) final security and compliance signoff at the end of the process. Baking security into DevOps can give security personnel the opportunity to finally become an agent of progress, rather than being seen as an inhibitor.
As they investigate DevSecOps and other modernization methods, federal agencies need to consider how they'll secure their changing IT systems and how they can stay compliant with federal mandates like FISMA. Tripwire can help in that regard. To learn more, click here.