The US Department of Defense recently admitted that the Strategic Automated Command and Control System that co-ordinates intercontinental ballistic missiles, nuclear bombers and tanker support aircraft still runs on a 1970s computer system and uses eight-inch floppy disks. This is not cutting-edge technology: these types of disks were phased out in the 1990s and, by way of comparison, a modern 16 GB memory stick that you can buy for a few pounds holds the equivalent of 65,000 of these disks.
This disclosure is included in a report by the Government Accountability Office (GAO), the US equivalent of our National Audit Office, which calls for federal agencies to address the problem of their aging legacy systems. The US Treasury, for example, is still using a 56-year-old system, written in assembly language (a low-level computer code that is difficult to write and maintain), as the authoritative data source for individual taxpayers when accounts are updated and taxes are assessed. The report concluded that the federal government spent about 75 percent of its $80 billion IT budget for 2015 on operations and maintenance, and that because many of its systems are becoming increasingly obsolete, this is reducing the money available to invest in development, modernisation, and enhancement. Investment in new developments has declined by $7.3 billion since 2010, whilst at the same time the US Office of Management and Budget (OMB) has directed agencies to move to cloud computing and shared services to make IT more efficient and agile, and enable innovation.
It is worrying to hear that the world’s only superpower and richest nation is coordinating its nuclear arsenal and managing its tax affairs using ancient technology, but it is not alone. Many of the banks are still relying on 1960s and 70s systems. In 2012, RBS was fined £56m by the Bank of England after its payments systems crashed and left millions of RBS, NatWest and Ulster Bank customers unable to access accounts, a glitch that lasted for 23 days. TalkTalk was fined £3 billion by Ofcom in 2011 after problems with its legacy billing systems, and when it was hacked in 2015 it was widely rumoured that its systems were older than the attackers.
When our own National Audit Office last looked in detail at the risks posed by legacy systems in 2013, it estimated that at least £480 billion of the government’s operating revenues and £210 billion of non-staff expenditure, such as DWP pension payments and entitlements, were reliant to some extent on legacy ICT. It noted, for example, that the system that supports the VAT collection service was introduced in 1973 and costs £430 million a year to run, and that whilst the system has been developed and moved on to new hardware, HMRC was still relying on very old technology to support 1.9 million customers and process 7.7 million VAT submissions. Similarly, the NHS prescription payments used a system dating back to 1996, and the DWP system for assessing state pension was originally introduced in 1987 and costs £385 million a year to run.
As Sir Amyas Morse, Head of the National Audit Office, said at the time: “Legacy systems are a fact of life. The challenge is how intelligently they are managed, whether they are being retained, updated, replaced or phased out.” However, as every year goes by the costs of retention increase as skills become scarcer, the risks associated with replacement expand as understanding of how the systems operate decreases, and systems that were designed before the Internet was invented become ever more vulnerable to attack in our hyper-connected world.
Are you still relying on legacy systems?