US military still uses 8-inch floppy disks to coordinate nuclear forces. But I have good news!!


27 May 2016 – Great story this week that revealed the U.S. Defense Department is still using 8-inch floppy disks in a computer system that coordinates the operational functions of the nation’s nuclear forces. The Defense Department’s 1970s-era IBM Series/1 Computer and long-outdated floppy disks handle functions related to intercontinental ballistic missiles, nuclear bombers and tanker support aircraft, according to the new Government Accountability Office report.

But great news!! I know the bad news is that it may not be a very secure operating system. But the good news is that the hackers are having trouble figuring out how to get the 2600 baud acoustic modems to ARPAnet to download the malware. Exactly. Security through obsolescence.

The report shows how outdated IT systems are being used to handle important functions related to the nation’s taxpayers, federal prisoners and military veterans, as well as to America’s nuclear umbrella:

Federal legacy IT systems are becoming increasingly obsolete: Many use outdated software languages and hardware parts that are unsupported. Agencies reported using several systems that have components that are, in some cases, at least 50 years old. GAO pointed out that aging systems include the Treasury Department’s ‘individual master file,’ which is the authoritative data source for individual taxpayers. It’s used to assess taxes and generate refunds. That file ‘is written in assembly language code — a low-level computer code that is difficult to write and maintain — and operates on an IBM mainframe.’

The report also mentioned that several other departments, such as the departments of Treasury, Commerce, Health and Human Services and the Veterans’ Administration “reported using 1980s and 1990s Microsoft operating systems that stopped being supported by the vendor more than a decade ago.”

But I suppose there is an argument to be made that what we really have here is taxpayer dollars well spent on equipment that keeps on giving. And I am reminded of my old days in the Marine Corps at NJS where the security mantra was that the government doesn’t want anything in general release in these situations. So a large old floppy which isn’t readable or writable by the average Windows computer creates “security by obscurity” that makes it harder for a non-authorized command to be run. We certainly don’t want some kid playing Thermo-Nuclear War. I am sure they use War Games as a training film 🙂

And I’d be curious to know how many of these seriously outdated systems are egregious piles of failure, and how many are simply contrary to every “fad of the week” from the last three decades: systems that were done right the first time and that actually compare (pretty favorably) to the results of (the so often horribly doomed) “upgrade” efforts.

Some flavors of outdated are fairly clearly bad; if you can’t get replacement hardware without raiding a museum or reverse engineering and cloning/emulating quirky 80s gear all by yourself, keeping your systems running is going to be unpleasant and expensive. If you have a system whose security depends on an OS or other 3rd party components that have exciting known vulnerabilities and haven’t had vendor support even under a thrillingly expensive special extended contract with the vendor in a decade, you have a problem.

If you have a legacy system that is merely retro, but well built and supported by hardware you can still get without much trouble, you will certainly get your share of snide comments about its dreadfully antique design. But you are taking a real risk in trying to modernize it. Those sorts of “upgrades” don’t always fail; but agonizing, wildly expensive upgrade attempts that languish in development so long that the upgrade is obsolete before you’ve finished deploying it are hardly uncommon.

Sure, in an ideal world, we’d all get to implement from scratch with all the benefits of hindsight and absolutely no accrued technical debt; but we don’t live in an ideal world. How many of these systems are old as in broken; and how many are old as in classic?
