Build a Better: Gov-tech Infrastructure.

By Amel Afzal


For decades now, politics has become increasingly polarized – not least of all at the hands of our 45th president – quite often propagating the sentiment that reasonable people can’t agree on anything. Here’s something both sides of the aisle should be able to agree on: state governments spend too much time and money maintaining outdated computer systems. This is debatably the single most important facet of having an effective government and organized society in the 21st century. Technology is an engine of government and, when properly administered, it streamlines service delivery: from renewing your driver’s license to filing your taxes. Without rethinking critical government infrastructure for the digital age, every state risks catastrophic failure, and New Jersey is no exception.

A report out of the Government Accountability Service (GAO) found that the federal government typically spends over $90 billion in a fiscal year on information technology and most of that is used to operate and maintain existing systems, including legacy systems.[1] Out of the 65 analyzed legacy systems, 10 were identified as the most critical to be modernized and these 10 systems alone cost upwards of about $337 million to operate and maintain.[2] These systems were assessed for outdated hardware, software, and code as well as the substantial security risks they could present.

Data from the Homeland Threat Assessment conducted by the Department of Homeland Security in October 2020 indicated that cyber deficiencies present the same level of urgency typically reserved for cyberattacks, terrorism, and natural disasters. In the year since the pandemic began, the FBI reported a 300% increase in reported cybercrimes, and cloud-based cyberattacks alone rose by 630% between January and April 2020. To put these numbers into perspective: The average cost of a data breach is $3.86 million as of 2020, the average time to identify a breach in 2020 was 207 days, and the average lifecycle of a breach was 280 days from identification to containment.[3]

One of the worst cyber espionage incidents ever suffered by the United States happened in 2020. The heavily underreported breach began in March 2020 and was first publicly reported only on December 13th, 2020. The hacking group was backed by a foreign government and infiltrated multiple branches of the federal government. The group is now identified as Cozy Bear (APT 29) and is backed by the Russian intelligence agency (SVR).[4]


Let’s evaluate just five agencies within government and the outdated technological systems they support:

  1. An Air Force computer system that assesses the wartime readiness of an aircraft uses COBOL, a programming language that dates back to the post-World War II era and is considered the programming equivalent of Old English. COBOL is rarely even taught anymore, and governments now pay a premium to IT experts who can deal with issues related to this language. The same language is used by the Social Security Administration when determining retirement benefits and eligibility. The SSA has had to re-hire former employees who were among the few who knew how to work with this complex, outdated language. COBOL is also used by the Department of Justice’s Bureau of Prisons to monitor security, custody levels, and inmate population information, and by the Department of Transportation to track incidents involving hazardous materials.[5]

  2. Another obsolete language, assembly language (ASM), is used by the master file at the Internal Revenue Service, where the public’s taxes are assessed and refunds are generated. ASM was created in 1947 and is a very low-level programming language that is extremely time-consuming to write and error-prone. The GAO’s report noted that syncing issues between the systems are why the IRS has had trouble addressing refund fraud and risks making errors. This system costs $13.6 million to maintain.[6]

  3. The Department of Defense uses a 53-year-old system as a backup to send and receive emergency action messages from nuclear forces, including nuclear bombers and tanker support aircraft. This system uses 8-inch floppy disks, which hold only a fraction of the storage space of a “modern” flash drive. The GAO said replacement parts are difficult to find “because they are now obsolete”.[7]

  4. At the Department of the Interior, an 18-year-old industrial system is used to control dams and power plants. This system relies on hardware that the original manufacturer doesn’t support anymore. That means no security updates, patches, or fixes when bugs arise.[8]

  5. The Department of Education has not been able to effectively stop unauthorized devices from connecting to its network since 2011. It managed to limit this unauthorized access to 90 seconds, which is equivalent to about an hour in “hacking terms” – more than enough time to launch or gain access to internal network resources. This is the department that stores all the sensitive financial data from students and their parents applying for college loans.[9]


Outdated systems have real-world impacts. We all remember the incident in 2018 when people across Hawaii spent 38 minutes thinking they were going to be attacked after an employee inadvertently selected the wrong option on a missile alert interface.[10] Several images circulated later showing an interface similar to the screen the employee should have been using. Both shared the same qualities: outdated, confusing, and problematically designed. We don’t know if the system in Hawaii was simply ancient or poorly designed, but we do know that the first rule of an efficient user experience would be to keep the life-saving function away from a list of unnecessary and confusing links, buttons, and other distracting features.[11] The main takeaway from this incident and the examples listed above is that certain key elements of government have not yet adopted new technology in a way that is beneficial or intuitive for their users. It’s a welcome surprise that such incidents don’t occur more frequently.

Currently, we’re still scrambling through the pandemic, with outdated legacy systems hindering the response at all levels of government. While unemployment remains a problem, state labor departments struggle to keep up with the sheer volume of applications. At the federal level, banks struggled to process paycheck protection loans authorized by the Covid-19 relief CARES Act because the Small Business Administration’s online loan portal fell victim to data breaches. Local governments spent months retroactively upgrading their network portals to support student-teacher live group remote education.[12] We all saw this play out on the news. The truth is, even large, sophisticated IT practices would face challenges when met with the demand we have seen during the pandemic. Even so, most jurisdictions would have been in a far better position if we had modern systems in place that used cloud technologies and efficient code. Put simply – outdated technology is expensive, hard to maintain and susceptible to vulnerabilities. Research shows that over 10,000 new malware threats are discovered every hour. If your technology is not up to date, you run exponential risks of failure and breach.[13]


Immediate recommendations:

  1. Office of Information Technology: Create a coalition of experts between the public and private sectors to advise on and address the technological holes for all three branches of state government. This department will monitor system upgrades and technology developments, assess and mitigate risks, innovate, and create guidance for implementing recommendations.[14]

  2. Revolving System Replacement Fund: Work with IT WCFs to implement a realistic revolving fund to accelerate system replacements and upgrades and to address software debt, bringing the gov-tech infrastructure into the 21st century. This fund would continue to exist for future maintenance to avoid system overhauls.[15]

  3. Cyber-Education Committee: Incentivize the creation of cyber education committees within each state agency to focus on innovative coding languages and smart systems that public sector employees can learn and practice, free of charge, on a periodic basis. This committee would educate employees on cyber threats and how to identify and contain a breach or dysfunction without agency interference.

  4. Universal Broadband Communications Infrastructure: Connect the state – and the country – with secure broadband networks to reach into every neighborhood, household, school and hospital. Reform the Universal Service Fund for better use of the nation’s wireless spectrum to easily access applications, taxes, immigration documents, and retirement benefits. Emphasize the ethos of a citizen- and user-driven government.

  5. Protect Cyber Networks: Work with the Federal Trade Commission and other federal agencies to make it easier to track down cybercriminals who prey on in-state consumers. Initiate strategies to ensure that academic, research and industrial networks remain safe from espionage and disruption.

  6. User-Driven Government: Build a model of digital infrastructure that houses citizens as users – as “customers”. Creating a system with connected layers allows us to create content and data once and then deploy it in useful ways. Efficiencies like upgrades and replacements would also take a fraction of the time.[16]

  7. International Data Study: Launch a massive research initiative that deconstructs international data and technology systems to learn how they are helping bring other governments’ infrastructures into the 21st century. Where in the world will you find the most advanced e-government? Estonia. This tiny republic has some of the fastest broadband speeds and it offers what no other country does: e-residency. “E-stonia” is aiming to create an information society and perhaps we can learn from them.[17]

  8. Institutionalize Change: Provide grant funding to counties and municipalities that successfully use technology to make residents’ lives easier, and make government even more efficient. Empower agencies of change to deliver better mission outcomes through technological infrastructure and incentivize them for following through.

The pandemic alone should be enough cause for the government to reconsider priorities on modernizing digital infrastructure. This is a non-partisan issue and it is crucial to deliver on the most basic functions in the digital age. The use of up-to-date technology and cybersecurity best practices is an immediate requirement, and while it may be inconvenient for agencies to face the issues of broken systems, the threats should be enough to spur a complete system overhaul. The cost of an upgrade is significantly lower than the cost of a meltdown.[18]