Federal offices are mired in outmoded IT infrastructure, some dating back nearly to the 1950s, and in staffing shortages that are greatly reducing their ability to meet customer needs.
The Government Accountability Office released its third installment of four reports on Feb. 7 that detail the main cyber areas the federal government needs to urgently address.
Information security has been designated a government-wide risk since 1997, later expanded to include protection of critical cyber infrastructure. The office has made more than 100 recommendations for agencies to strap down their IT protections since 2010, but as of December, more than half have yet to be implemented.
The IRS, for example, relies extensively on IT systems to collect trillions of dollars in taxes and disburse hundreds of billions of dollars' worth of refunds. Its system of applications, software and hardware has aged, GAO says, which leaves the agency open to security risks, unmet mission needs, staffing issues and increased costs.
“Analysis showed that about 33% of the applications, 23% of the software instances in use, and 8% of hardware assets” owned by the IRS are considered legacy, according to the Jan. 12 report. They range from “25 to 64 years in age,” with some software 15 versions behind the latest.
Such outdated equipment is a risk, GAO warns, as “malicious actors are becoming more willing and capable of carrying out cyberattacks.”
Beyond personally identifiable information, infrastructure programs that federal agencies maintain are at risk of catastrophes that can bleed out of Washington headquarters and affect municipalities, whether that’s energy, transportation systems, communications or financial services.
In line with government-wide modernization goals, the IRS put forth nine initiatives to address legacy IT systems, but a majority of them failed to say how the agency would actually dispose of those systems.
Another example of heightened cybersecurity risks for infrastructure is at the Department of Energy. The agency was previously charged with implementing national cybersecurity strategies. The agency did that for its power grid, but not fully for the distribution systems that may be vulnerable to supply chain exploitations.
“As a result, these plans will likely be of limited use in prioritizing federal support to states in addressing grid distribution systems’ cybersecurity,” the report said.
In August, the department committed $45 million toward 15 research-and-development projects aimed at testing technology that protects the electric grid from cyberattacks, along with the additional grid upgrades funded by the Bipartisan Infrastructure Law and the Inflation Reduction Act.
Similarly, the Department of the Interior fell short of proofing its cyber strategy, which GAO found noteworthy given the agency’s role in overseeing offshore oil and gas infrastructure. The department recognized the need to address cybersecurity risks and initiated efforts to do so in 2015, 2020, and 2022, but the steps it took “did not result in substantial action, and the bureau had not yet developed a cybersecurity strategy,” another GAO report found.
To address that, Interior hired a cybersecurity specialist in 2022, but officials said the security overhauls would be paused until the employee was brought up to speed.
Such experts are high on the federal government’s wish list and often hard to come by. The Office of Personnel Management has labeled IT and cyber talent as a persistent skill gap in the government workforce and a critical need for actually carrying out policy.
Panelists at the Advanced Technology Academic Research Center’s IT Modernization Summit on Feb. 8 acknowledged getting the right talent on the right teams is as important a tool in reaching secure IT goals as the technology itself.
“You need a workforce in order to be productive,” said panelist Meikle Paschal Jr., a program manager for robotic process automation at the Department of Homeland Security.
Though federal IT modernization en bloc hinges on a skilled workforce, it’s often complicated by funding.
“[At] every agency, you have an idea that you want to modernize systems for various reasons,” said Drew Myklegard, deputy chief information officer at the Office of Management and Budget, at the ATARC event. “I think the most important thing is you’ve got to have the money.”
Sources of funding often come down to administrative or congressional priorities, like the Technology Modernization Fund via American Rescue Plan dollars or the Inflation Reduction Act for the IRS.
“Although I will say we haven’t had great luck with [TMF],” said LeAnn Oliver, director of DOE’s Office of Corporate Business Systems, at the ATARC event.
To support IT modernization, in April 2019, the IRS developed a business plan that identified relevant initiatives through 2024. Though not a comprehensive strategy for modernizing or replacing IRS’s legacy systems, it lays out four major categories of work that IRS deemed necessary to transforming the tech and upgrading the taxpayer experience.
However, officials noted that the success of that plan depends on hiring flexibility and required, predictable, multi-year funding.
Myklegard also said that OMB memos signal legislation that helps it and other agencies decide where to allocate assets.
“We’re also looking at what’s a great ROI,” Myklegard said. “Not all dollars that are put toward modernization yield the same benefits, so we’re always trying to maximize that ROI and reduce our risk.”
Molly Weisner is a staff reporter for Federal Times where she covers labor, policy and contracting pertaining to the government workforce. She made previous stops at USA Today and McClatchy as a digital producer, and worked at The New York Times as a copy editor. Molly majored in journalism at the University of North Carolina at Chapel Hill.