May 15, 2020

Modernizing Government Information Technology


KEY TAKEAWAYS

  • Outdated “legacy” IT systems have hindered government response to the coronavirus pandemic at the federal, state, and local level.
  • In addition to working slowly and crashing frequently, these obsolete systems present significant cybersecurity and privacy risks.
  • Congress has conducted oversight and passed legislation to address the issue of outdated government technology, and President Trump has made modernizing technology a top priority of his administration.

As government at all levels works to respond to the coronavirus pandemic, outdated “legacy” information technology systems have hindered response efforts. While there is no set definition for what constitutes a legacy IT system, they are generally older, outdated, and are less able to perform their basic functions than newer versions of the technology. They may no longer be supported by the manufacturer or vendor who created the product. They may lack the latest security features or use software that is known to be vulnerable. As government works to fulfill some of its most basic functions in the digital age, it is critical that it use up-to-date technology and employ cybersecurity best practices.

GAO sounds the alarm on Legacy IT

The Government Accountability Office has been sounding the alarm on the risks associated with outdated IT since at least 2015, when it added “improving the management of IT acquisitions and operations” to its biennial “high risk list.” This list identifies federal programs and operations that are especially vulnerable to fraud, waste, abuse, and mismanagement, or particularly in need of transformation.

The federal government plans to spend more than $90 billion this fiscal year on information technology. Most of this money will be used to maintain existing systems, many of which are outdated, costly to maintain, and vulnerable to cyberattacks. For example, for years the Department of Defense system that coordinates the operation of U.S. nuclear forces ran on an IBM Series/1 computer system from the 1970s that used 8-inch floppy disks. The system was finally modernized in 2019.

GAO has identified the 10 most critical federal IT systems in need of modernization. These include a 19-year-old Department of the Interior system that supports the operation of certain dams and power plants; a 36-year-old system at the Department of Transportation that contains sensitive aircraft information; and a 47-year-old Department of Education system that contains personal student information.

Critical Federal Systems In Need of Modernization

Coronavirus_Government IT

real world impact

Outdated IT can affect citizens trying to interact with government agencies in search of information or services. In a time when everything from banking to grocery shopping can be done online, people have come to expect to have similar access to their government online. Many government services fail to meet this expectation, a problem made worse as offices have been closed during pandemic-related stay-at-home orders.

As the unemployment rate surges to levels not seen since the Great Depression, creaky unemployment claims systems across the country have struggled to keep up. States and local governments – in urban and rural areas, in places hit hard by the coronavirus and places that have been relatively spared – have been hampered in their ability to respond to the pandemic by outdated IT.

In Connecticut, the state website that accepts unemployment applications simply froze. Officials determined the website was unable to handle more than 8,300 applications in a single day, a fraction of the applications coming in.

New Jersey was forced to put out a request for volunteers who know the 1950’s programming language COBOL, as the state’s 40-year-old unemployment benefits system struggled to respond to the increased requests. COBOL is an outdated programming language, and there are very few IT professionals with the skills to program and maintain the systems.

In the nation’s capital, the system used to process unemployment applications does not work on mobile phones. As recently as 2019, nearly 1 in 5 American adults did not have broadband service at home but did own a smartphone. Some of them may not have other access to a laptop or desktop internet connection during the pandemic shutdowns. It took officials more than two weeks to remove a question from the website due to the website using programming language from the 1950s. Citizens unable to access the website were urged to call in, only to face wait times of up to six hours.

In Texas, the three-decade-old system used to process unemployment claims has likewise not been up to the task. Some citizens say they’ve spent weeks trying to apply without success. One recently laid off Texan criticized the state in a news report: “They say they’re open for business, but they’re not open for everybody. I don’t feel like they’re open for mine.”

Florida has been particularly challenged by its outdated systems. With the website continually crashing, residents were forced to try logging on or phoning overwhelmed call centers for hours, some taking weeks to even be able to apply for benefits. The head of the department responsible was forced to apologize for the failures of the website, and the state recently signed $119 million in contracts to help fix it.

At the federal level, banks initially struggled to process Paycheck Protection Program loans authorized by the Coronavirus Aid, Relief, and Economic Security Act because the system the Small Business Administration used to process the applications was continually crashing. People checking the status of their individual payments authorized by the CARES Act had to resort to tactics like typing their street address in all capital letters in order to navigate the outdated IRS system and avoid getting an error message.

cyebrsecurity risks of outdated tech

In addition to these infuriating failures to function properly, obsolete IT systems may present significant cybersecurity and privacy risks. Ensuring the cybersecurity of the nation is also one of the priorities on the GAO high-risk list, due to the dependence of federal agencies and our nation’s critical infrastructure on technology. Not only are these older computer systems more vulnerable to attacks, they also tend to be attractive targets because they contain large amounts of personal identifiable information. In the 2014 data breach at the Office of Personnel Management, hackers stole more than 21 million records.

State and local government have faced on onslaught of ransomware and other cyberattacks, even prior to the pandemic. Ransomware is a type of malicious software that seizes and encrypts data on a computer or network. Once a criminal has taken control of the data, he demands payment to return access to the owner. Many cities, hospitals, and retailers hit by these attacks have paid the ransoms, which are almost always less than the cost of restoring the data. Hospitals are reportedly bracing for an increase in ransomware attacks. Governments that have outdated systems in place may face increased risks of suffering a ransomware attack due to poor cybersecurity and other vulnerabilities.

congress and the administration respond

Congress has conducted oversight and passed legislation to address the issue of outdated government technology. Since 2015, the House Oversight and Reform Committee has released a bipartisan, bi-annual scorecard grading federal agencies on their implementation of critical IT and cybersecurity requirements. In the Senate, the Homeland Security and Governmental Affairs Committee recently held hearings focused on helping states and local governments improve their cybersecurity and examined the evolving national cybersecurity strategy.

In 2017, the Modernizing Government Technology Act, authored by Congressman Will Hurd of Texas, was enacted as part of the 2018 National Defense Authorization Act. It established the Technology Modernization Fund and Board, and authorized agencies to establish IT working capital funds in order to modernize and update systems over a number of years. The Trump administration has identified the TMF as critical in accelerating needed technology modernization. The TMF Board, chaired by Federal CIO Suzette Kent, has allocated funding for a variety of modernization projects across the federal government, including modernizing the Farmers.gov portal and the underlying IT infrastructure at the Department of Agriculture.

The CARES Act included $150 billion for states and local governments to respond to the pandemic. States are allowed to use some of these funds to help modernize outdated computer systems.

IT modernization is one of three key “drivers of transformation” highlighted in the President’s Management Agenda. In May 2017, President Trump issued an executive order directing agencies to take certain steps to secure their IT networks. As part of that, the president ordered a report regarding ways to modernize federal IT. The report, produced in December 2017, outlines actions needed to move the federal government to a more secure and cost-effective technology infrastructure.

The Trump administration chose to continue an Obama initiative launched in the wake of the initial failure of the Obamacare website: the U.S. Digital Service. USDS is a group of expert technologists who work to modernize critical digital government services. Some of the group’s projects include modernizing the Medicare payment system and simplifying the system veterans use to adjust their discharge status.

Looking Forward

Even large organizations with sophisticated IT practices would face challenges with the sudden and large increases in demand that many governments saw with their unemployment claims systems. But most jurisdictions would have been in a better position to handle the surge if they’d had modern systems in place that utilized cloud technologies, virtualization, and other current solutions. The pandemic may cause government officials to reconsider the priority they place on having a modern and secure digital infrastructure. This will require them to adjust their budgets and take other actions accordingly.

In the House, a bipartisan group of lawmakers led by the co-chairs of the cybersecurity caucus, Congressmen Michael McCaul and Jim Langevin, is reportedly working to include funding for state-level IT modernization efforts in the next congressional response to the pandemic. The recent $3 trillion proposal from House Democrats includes $1 billion in funding for the TMF. 

A coalition of technology industry groups wrote to leaders in the House and Senate seeking more money to modernize government IT at all levels. They recommend leaders prioritize funding for agencies working on the front line of the pandemic; establish and fund a mechanism to provide support for state-level IT modernization efforts; provide more funding to the TMF; and ensure modernization efforts are focused on cybersecurity. 

Issue Tags: COVID-19, Technology