Agencies struggle under burden of legacy IT
Connecting state and local government leaders
As experts warn of the threats posed by outdated federal technology, lawmakers inch closer to backing a $3.1 billion fix-it fund.
Legacy IT is expensive to maintain, difficult to secure, but everything from tax returns to nuclear warheads depends on it.Of some 7,000 federal IT investments, 5,233 dedicated the entirety of their budgets to operations and maintenance in fiscal year 2015, according to a May 25 report from the Government Accountability Office. Out of the total $80 billion the feds spent on IT in FY15, $61.2 billion was on O&M.
Many crucial federal systems are decades old and incompatible with modern security tools, creating a "dire security situation," GAO Director of IT Management Issues Dave Powner said.
And the obsolescence won't be easily reversed, lawmakers and experts alike warned.
"You can't continue to spend 70 percent of your $80 billion on legacy systems and retain personnel, provide information or make sure the information you have is safe and secure. It’s just not working,” aid Rep. Jason Chaffetz (R-Utah) said at a May 25 hearing on the financial costs and cybersecurity risks posed by aging legacy technology.
The outdated tech includes hardware and software alike -- both custom and commercial off-the-shelf products.
While a few agencies are racing to implement Windows 10, some “still use Windows 3.1, which came onto the market in the early 1990s, or Windows XP, which came onto the market in the early 2000s," said Chaffetz, who chairs of the powerful House Oversight and Government Reform Committee.
For some specific government investments, the agency in charge has a clear plan to replace aging technology, but in many other cases, plans are elusive.
GAO's report fingered the IRS' Individual Master File, for instance: a system that went online in the 1960s, written in "a low-level computer code that is difficult to write and maintain." The report noted that IRS "has general plans to replace" the IMF with a modern setup but "no firm date" for transition.
Agencies need replacement plans with "clear milestones," GAO's Powner said, but federal agency CIOs tend to only stick around for two years on average. It's no wonder so few tech leaders start ambitious modernization pushes that might outlast their own brief tenures, he said.
"Most CIOs are not tackling these large modernization projects," he noted.
Terry Milholland, the IRS' CTO, defended the transition away from the individual master file, saying that the incredibly complicated move has been ongoing for decades and that IRS is making headway.
"The principal issue there is now to convert the mainline code from assembly language to Java," he testified. "We in fact tackled the hardest, knottiest, most grittiest part of this code, which is critical for processing taxpayer returns, to convert into Java."
Milholland said the second of three phases in IRS modernization should be done in 2019 or 2020 – depending on the budget.
Defense Department CIO Terry Halvorsen echoed Milholland's concern about funding.
Lawmakers pilloried the Pentagon for using 8-inch floppy disks in its nuclear arms management system, but Halvorsen pushed back, saying the floppies are actually very reliable and, with limited money to dedicate to varied priorities, ditching the disks isn't high on his list of priorities.
In an effort to fund the upgrade of legacy systems, the White House proposed legislation to create a $3.1 billion revolving fund, which would disburse money for IT modernization to agencies on the condition that it be paid back.
Chaffetz and IT Subcommittee Chair Will Hurd (R-Texas) originally indicated they'd prefer agencies to fund modernization projects by realized savings in other IT work, such as through data center consolidation savings. But at the hearing, Chaffetz said he was “warming up to the idea” of the modernization fund.
That "warming up" comment corroborated what an Office of Management and Budget staffer told GCN sister site FCW a day earlier: that an "open conversation" between Chaffetz and administration officials about the IT modernization fund had taken place in recent days.
And federal CIO Tony Scott, while not mentioning Chaffetz specifically, said at the Management of Change conference on May 24 that he was pleased by the give-and-take with legislators and their staffs about the fund. "The folks on the Hill …. have asked really good, hard questions about how this would work," Scott said. "It’s helped us to make the proposal better."
A longer version of this article originally appeared on FCW, a sister site to GCN.
NEXT STORY: Coordination key to state cyber responses