Even the most resilient system in the world is only as strong as the that team supports it.
For legacy technology, the challenges of uptime include keeping talent on hand who can decipher decades-old code written in COBOL, a programming language invented in the 1950s.
New Jersey got a stark reminder of this reality when the backend system supporting its unemployment platform buckled under the pressure of a 1,600% rise in applications, from 9,500 the week of March 14 to 156,000 the following week. Last week, initial claims jumped again by more than 206,000.
As businesses shut due to the coronavirus pandemic, the critical system faced an unprecedented surge in traffic.
"Given the legacy systems we should add a page for [COBOL] computer skills because that's what we're dealing with in these legacies," said New Jersey Governor Phil Murphy, in a press conference Saturday. "We have systems that are 40-plus years old. There'll be lots of postmortems and one of them on our list will be how the heck did we get here, when we literally needed [COBOL] programmers."
New Jersey's Office of Information Technology did not immediately respond to a request for comment.
Since the governor's call for help, a stream of volunteers has come forward, though the unemployment platform continues to ration applicant's access according to their Social Security Numbers.
But the episode revealed a weakness IT leaders need to watch out for. Legacy systems can struggle to adapt to new use cases or unexpected surges in demand, which bring along information security risks if solutions are hastily put together.
A blast from the past
COBOL, or common business-oriented language, was developed in 1959. From the outset, COBOL was intended as a unifying platform, a highly readable programming language that people could learn quickly.
"It's very English-like, verbose, and it was very precise and procedurally driven," said Brandon Edenfield, managing director of app modernization at Modern Systems, an Advanced Company, in an interview with CIO Dive.
In that time, computer systems were used mostly for number crunching, instead of powering mission-critical applications for global organizations. But use of COBOL continued to expand, and today it fuels operations for businesses processing large volumes of transactions in a mainframe.
As time went by, companies that failed to modernize were left to deal with undocumented, legacy applications that have been running for decades. Changes made by employees who have since retired or left leads to what Edenfield refers to as "spaghetti code."
This means knowledge of the language won't likely suffice to fix New Jersey's COBOL woes.
"Even if the governor finds COBOL programmers, these guys are going to [say], 'I know how to speak French, but I don't know what this stuff does,'" said Edenfield. "They're gonna have to get in and try to figure out what all these applications do."
A cautionary tale for business
What New Jersey underwent with its unemployment platform is reminiscent of the new context companies are in. As daily life changes, platforms have to handle new use cases and unprecedented levels of demand.
This puts extra strain on legacy systems that struggle to scale.
"Anytime you have a system that becomes difficult to maintain, there are dangers, regardless of its theoretical reliability," said Joseph Steinberg, a cybersecurity advisor, in an interview with CIO Dive.
If status quo sets in, IT leaders can push the need to modernize down the line if there are no immediate concerns. New Jersey's case highlights how a sudden shift in scale and needs can put infrastructure under fire, with a lack of sufficient talent to power the change.
"The percentage of people who can support this is dramatically lower than it was 20 years ago, which was dramatically lower than 40 years ago," Steinberg said.
Outdated systems can introduce cyber risk in a counterintuitive way. While a COBOL application running on a mainframe is likely secure, if systems can't scale when a surge hits, organizations could try to quickly create alternatives to keep critical systems up and running.
"When you create things in a rush, that's when you can get serious vulnerabilities introduced," said Steinberg.
The challenges of the pandemic will mean different things for different companies. Some will see their operations tested with the realities of remote work. Others, such as Zoom, already saw their cybersecurity placed in a totally different context.
"My hope, like everyone's hope, is that the pandemic slows down and we're going to go back closer to normal in the next few months," Steinberg said. "But if we don't, we're probably going to see other systems [fail], some of which may not be easily fixed."