Age, at least when it comes to federal IT systems, is really just a number.
Some of the most vulnerable technologies still in use today by the federal government are only eight years old, while others are pushing 60. Often, Congress has looked at old IT systems as primary targets for overhauls. IT experts said that there are many systems that may be considered “old” and not every one can be updated at once due to budget and personnel constraints.
“Unfortunately, the budget process is not nimble and legacy system transformations take many years,” said Suzette Kent, chief executive officer of Kent Advisory Services and a Trump-era chief information officer. “In almost all cases, there are increased costs before benefits are realized. This leaves very little ability to take on major change initiatives.”
In June 2019, GAO identified 10 legacy systems that are most in need of modernization, whether because they were inaccessible, costly to maintain, or pose cybersecurity risks. And while age is certainly a common denominator for many of the most at-risk technology, it’s not itself a reason to retire them, experts said before the House’s Subcommittee on Cybersecurity, Information Technology, and Government Innovation on Wednesday.
“Our federal CIO has noted that not all old systems are legacy, and old doesn’t necessary mean bad, antiquated, risky or in need of retirement,” said Kevin Walsh, director of IT and cybersecurity at GAO. “Having the newest toys or gadgets, like batman, doesn’t necessarily mean good governance or good IT. I want the tools that are right, that are doing the job well.”
The message from the White House and Congress has been that because of increasing cybersecurity risks posed by China, Russia and others and the vast stores of sensitive information agencies maintain, government agencies have to ensure their systems are updated incrementally and safely. Agencies say they’re constrained by stagnant budgets and an aging IT workforce that is poached by the private sector. There’s also no clear inventory of what systems need a health check the most.
The other challenge, experts said, is that modernization must be committed to year after year by successive administrations if it’s going to be successful.
Without clear planning and priorities, agencies risk pouring billions into failed modernization attempts, committee Chair Nancy Mace (R-S.C.) said. The federal government spends more than $100 billion on IT and cyber-related investments, 80% of which goes to the operations and maintenance of existing systems.
To deal with the money problem, Congress and the White House have partnered to created the Technology Modernization Fund, which since 2017 has been a source of flexible IT funding outside of appropriations. So far, that program has helped, Kent and others said. Kent said no TMF projects have had cost overruns to date.
For example, at the Department of Housing and Urban Development, Kent said the TMF authorized the agency to translate three projects with a combined 7 million lines of COBOL — a programming language that is 64 years old — into 1.2 million lines of Java, a language that many graduates and current IT professionals are familiar with.
The tools got the code about 70% correct, indicating that a human still needs to be in the loop. Still, automation and AI can be a force multiplier in this effort, experts said.
Rep. Mace her office plans to introduce legislation in the coming weeks to further develop the TMF.
Other funding vehicles include grants and public-private partnerships, though Kent said those can be hard to scale. Working capital funds are used sporadically by some agencies.
The lack of an official inventory of legacy IT systems also makes it difficult for government to know the full scope of the problem, lawmakers said. The Office of Management and Budget said it drafted guidance in 2016 that would set evaluation criteria to prioritize systems. As of Wednesday’s hearing, the guidance has yet to be released.
Agencies also need to be able to recruit and retain cyber and IT professionals that are fluent in modern systems and can flatten learning curves for the government overall. It’s not just that agencies struggle to pay at the level of tech companies; because so many systems still operate on near-dead computer languages, there aren’t experts out there who can still speak them.
In one example, the Social Security Administration re-hired retired employees to work on its COBOL systems, GAO found.
Walsh said that today’s IT workforce doesn’t need a college degree, and government has already tried to lean on skills-based hiring.
“This legacy crisis needs a strong Congressional push to ensure that the right plans, actions, and budgets are in place,” said David Powner, executive director of the Center for Data-Driven Policy at the MITRE Corporation.
“Let’s be realistic: what we need to do to modernize is appropriate more money,” said North Carolina Republican Rep. Chuck Edwards.
Molly Weisner is a staff reporter for Federal Times where she covers labor, policy and contracting pertaining to the government workforce. She made previous stops at USA Today and McClatchy as a digital producer, and worked at The New York Times as a copy editor. Molly majored in journalism at the University of North Carolina at Chapel Hill.