House panel weighs the risks of legacy IT

If the bid for a $3.1 billion revolving fund for IT modernization is going to get anywhere on Capitol Hill, it will likely need the support of Rep. Jason Chaffetz (R-Utah), who chairs of the powerful House Oversight and Government Reform Committee.

At a hearing on the financial costs and cybersecurity risks posed by aging legacy technology, Chaffetz allowed that his original characterization of the proposal as "hogwash" was subject to revision.

"I am warming up to the idea, but I'm not there yet," Chaffetz said.

The problem Chaffetz and others are facing: aging technology is expensive, insecure and underpins everything from tax returns to nuclear warheads.

"Federal legacy IT investments are becoming increasingly obsolete," the Government Accountability Office warned in a May 25 report, released as Chaffetz's committee held a hearing on the subject.

Many crucial federal systems are decades old and incompatible with modern security tools, creating a "dire security situation," GAO Director of IT Management Issues Dave Powner said.

And the obsolescence won't be easily reversed, lawmakers and experts alike warned.

Of some 7,000 federal IT investments, 5,233 dedicated the entirety of their budgets to operations and maintenance in fiscal year 2015, GAO found. Out of the total $80 billion the feds spent on IT in FY15, $61.2 billion was on O&M – a troubling stat to which federal CIO Tony Scott has pointed before.

"You can't continue to spend 70 percent of your $80 billion on legacy systems and retain personnel, provide information or make sure the information you have is safe and secure," Chaffetz said. "It's just not working."

The proposed revolving fund, which would disburse money for IT modernization to agencies on the condition that it be paid back, could give modernization pushes the jump-start they need to succeed, Scott argued.

Chaffetz and IT Subcommittee Chair Will Hurd (R-Texas) indicated they'd prefer agencies to fund modernization projects by realized savings in other IT work, such as through data center consolidation savings.   But Chaffetz's "warming" comment corroborated what an Office of Management and Budget staffer told FCW a day earlier:  that an "open conversation" between Chaffetz and administration officials about the IT modernization fund had taken place in recent days.  

And Scott, while not mentioning Chaffetz specifically, said at the Management of Change conference on May 24 that he was pleased by the give-and-take with legislators and their staffs about the fund.  "The folks on the Hill …. have asked really good, hard questions about how this would work," Scott said. "It’s helped us to make the proposal better. "

Drive-by leadership?

The outdated tech is hardware and software alike, and includes commercial off-the-shelf and custom products.

While a few agencies are racing to implement Windows 10, Chaffetz noted that, "Some agencies still use Windows 3.1, which came onto the market in the early 1990s, or Windows XP, which came onto the market in the early 2000s."

For some specific government investments, the agency in charge has a clear plan to replace aging technology, but in many other cases, plans are elusive.

GAO's report fingered the IRS' Individual Master File, for instance: a system that went online in the 1960s, written in "a low-level computer code that is difficult to write and maintain." The report noted that IRS "has general plans to replace" the IMF with a modern setup but "no firm date" for transition.

Agencies need replacement plans with "clear milestones," GAO's Powner said, but federal agency CIOs tend to only stick around for two years on average. It's no wonder so few tech leaders start ambitious modernization pushes that might outlast their own brief tenures, Powner said.

"Most CIOs are not tackling these large modernization projects," he noted.

Terry Milholland, the IRS' CTO, defended the transition away from the individual master file, saying that the incredibly complicated move has been ongoing for decades and that IRS is making headway.

"The principal issue there is now to convert the mainline code from assembly language to Java," he testified. "We in fact tackled the hardest, knottiest, most grittiest part of this code, which is critical for processing taxpayer returns, to convert into Java."

Milholland said the second of three phases in IRS modernization should be done in 2019 or 2020 – depending on the budget.

Defense Department CIO Terry Halvorsen echoed Milholland's concern about funding.

Lawmakers pilloried the Pentagon for using 8-inch floppy disks in its nuclear arms management system, but Halvorsen pushed back, saying the floppies are actually very reliable and, with limited money to dedicate to varied priorities, ditching the disks isn't high on his list of priorities.

And on the workforce front, Chaffetz acknowledged that government is missing out on talented tech workers due to a lack of hiring flexibilities. He said he might pursue streamlined critical pay for the IRS – which could keep the soon-to-depart Milholland on the job – but is leery of current IRS leadership and is backing the impeachment of IRS commissioner John Koskinen.

Chaffetz said he was working with Scott on other workforce solutions. Whatever the feds wind up doing to address tech personnel shortage, new federal jobs will probably be on the line.

"It's not all going to go to contractors," Chaffetz said, noting the importance of agencies maintaining visibility into and control over their IT operations.