Report: Legacy systems once thought secure are susceptible to cyberthreats
Cybersecurity incidents in the U.S. federal government increased 1,121% between 2006 and 2014, according to new research from Min-Seok Pang, an assistant professor of management information systems at Temple University, and Huseyin Tanriverdi, an associate professor in the Information, Risk and Operations Department at the University of Texas at Austin.
The good news is even small investments in IT modernization can help federal agencies reduce their vulnerability to security breaches. The researchers found a 1% increase in new IT development spending was associated with a 5% decrease in security breaches, ComputerWorld reports.
"In other words, federal agencies that spend more in maintenance of legacy systems experience more frequent security incidents, a result that contradicts a widespread notion that legacy systems are more secure," according to the report.
The federal government is certainly no stranger to large security breaches or legacy systems. Until now, the one good thing federal authorities could say about those old systems was that few hackers knew enough about legacy software such as Cobol and Fortran to breach them. But the report found those legacy systems may be more susceptible to threats than previously believed.
The federal government spends almost 75% of its $80 billion IT budget on operations and maintenance of legacy systems, according to a report released last May by the Government Accountability Office. Not only is maintaining those old systems expensive, it also prevents the federal government from investing in modern tech that can help it attract new IT talent and decrease spending on maintenance.
The government reportedly employs more than 3,400 IT staffers who specialize in "dead" programming languages like Cobol and Fortran. As those programmers retire, agencies will be stuck with old systems and no one to maintain them. If those systems aren't as secure as was previously believed, more agencies could be at risk of large-scale security incidents.