Bringing US up to code: How outdated software has become a safety issue

|
Rick Bowmer/AP
People pass through Salt Lake City International Airport on Wednesday, Jan. 11, 2023. Aircraft across the U.S. were grounded for hours by a cascading outage in a government system relied on for hazard updates. The incident comes as many software systems across government agencies need renewal or replacement.
  • Quick Read
  • Deep Read ( 4 Min. )

The Federal Aviation Administration’s 30-year-old hazard-notification system recently had its first crash ever to cause a nationwide grounding of flights. The incident is focusing a bright light on the outdated federal computer systems that, IT experts say, are increasingly vulnerable to failure and cyberattack. 

The Internal Revenue Service is busy trying to update the code of its Individual Master File, which it uses to process tax returns. Dating from the 1960s, it is one of the government’s oldest systems still operating. Congress has made efforts over the years to address legacy systems, including the Modernizing Government Technology Act in 2017.

Why We Wrote This

A story focused on

Human error may have been the cause of the computer glitch that briefly grounded all U.S. airline flights last week. But the incident pointed to deeper challenges of keeping key software up to date.

The challenge is that voters apparently want – and politicians certainly deliver – government projects that are tangible. Spending $1 million on a park, for example, is much easier politically than replacing an old and obscure computer system that eventually could fail, says cybersecurity expert Joseph Steinberg. 

Gregory Dawson, a digital security expert at Arizona State University, urges an all-out government effort, like its recent pandemic vaccine push. 

“This is not going to be the only critical infrastructure system that is going to break down like this,” he says of the FAA. “We have to be able to address it.” 

When his 6 a.m. flight from Palm Springs, California, to Pittsburgh, was delayed last week Chris Goranson got worried. “I thought something pretty bad must have happened,” says the professor at Carnegie Mellon University’s Heinz College and former federal employee working on modernizing computer systems.

There were no reasons given for the Jan. 11 delay. And the trouble seemed to be spreading nationwide. Although Mr. Goranson experienced only a 90-minute delay in California and another half-hour delay on his connecting flight in Dallas, some 1,300 flights were canceled and another 10,000 were delayed.

The culprit: a computer glitch at the Federal Aviation Administration, which caused a decision to temporarily ground all flights.

Why We Wrote This

A story focused on

Human error may have been the cause of the computer glitch that briefly grounded all U.S. airline flights last week. But the incident pointed to deeper challenges of keeping key software up to date.

The failure of its 30-year-old hazard-notification system – its first such crash – is focusing a bright light on the outdated computer systems still running at the FAA and beyond. Federal government agencies are relying on thousands of information technology systems that are decades old, expensive to maintain, and vulnerable to failure and cyberattack, IT experts say. And the problem of legacy systems keeps getting worse as technology speeds ahead and hackers become more sophisticated. 

“This is not going to be the only critical infrastructure system that is going to break down like this,” says Gregory Dawson, a clinical professor at Arizona State University who is also a consultant and author of a forthcoming book, “Digitalization and Sustainability: Advancing Digital Value.” “We have to be able to address it.” 

He urges an all-out government effort, like its recent push to create and distribute COVID-19 vaccines, to solve the problem. 

The challenge is that voters apparently want – and politicians certainly deliver – government projects that are tangible. Spending $1 million on a park, for example, is much easier politically than replacing an old and obscure computer system that eventually could fail, says Joseph Steinberg, a cybersecurity expert and author of “Cybersecurity For Dummies.” 

“We saw this in the tech world with Y2K,” he says, referring to the predicted chaos that might have happened had the date function of antiquated computers turned over from 99 to 00 rather than 1999 to 2000. “All this money was invested to prevent the year 2000 problem. And yet people say: ‘Oh, look, it was all a waste, nothing happened.’ What do you mean, nothing happened? That was the goal!” 

AP/File
Hewlett Packard Company employees are shown working in a basement Y2K Command Center on Dec. 31, 1999, at HP headquarters in Palo Alto, California. The transition to a new millennium occurred largely without the feared digital disasters, after many companies invested in precautionary steps.

Unlike Y2K, the scope and expense of the current problem is known. Chief information officers at federal agencies track the condition and vulnerability of each of their systems. “You could walk into any federal government agency as well as at the state level, and they can tell you almost down to the nickel what needs to be replaced, why it needs to be replaced, and what happens if it’s not replaced,” says Professor Dawson at Arizona State. “But there’s got to be the money and, B, there’s got to be the political will.”

Congress has made efforts over the years to address legacy systems. In 2017, during the Trump administration, it passed the Modernizing Government Technology Act, which in turn created a modernization fund that allowed agencies to compete for money. Winning proposals get funds to upgrade their systems, which are paid back with the savings they realize. That’s a step forward, Dr. Dawson says, but it prioritizes upgrades that improve taxpayer interfaces rather than the infrastructure behind it.

The importance of that infrastructure became all too clear with the FAA’s glitch last week. Known as Notice to Air Missions or NOTAM, the system is the central collection point for any hazard – from closed runways to air shows – that flight crews might need to know. According to the FAA, human error was responsible. Personnel – reportedly contractors – failed to follow procedures and corrupted the system.

Such problems would be less likely with a modern system, Dr. Dawson points out, because it would have interfaces and other security measures built in that would keep workers from directly accessing a key database.

Old technology is hardly limited to the FAA. The Internal Revenue Service is busy trying to update the code of its Individual Master File, which it uses to process tax returns. Created in the 1960s with a computer language no longer in common use, the IRS system is one of the government’s oldest systems still operating.

Only a month ago did the Defense Department announce contracts with four commercial companies to provide services for its Joint Warfighting Cloud Capability. Hiring companies to provide cloud services is something small and large businesses have been able to do for years, points out a Hudson Institute report published last month. The F-35 stealth fighter reportedly has far fewer lines of software code than a 2020 Mercedes-Benz S-Class car, to handle everything from takeoff to targeting. And the Pentagon has struggled to get all the fighter’s software to work, the report says.

Of course, some areas of government are world class, such as the secretive National Security Agency. “Places like the NSA, CIA, certain parts of law enforcement are very, very sophisticated,” says Mr. Steinberg, the cybersecurity expert. “In some cases, they might be the best in the world. But that’s not everywhere.” 

Modernizing government systems goes beyond changing out hardware and software. “You can’t go and buy your off-the-shelf solution, says Carnegie Mellon’s Professor Goranson, a former employee of 18F, an office within the federal General Services Administration that collaborates with other agencies to fix and modernize their technology. Improving systems means understanding their quirks – how people interact with them and the little tweaks they’ve learned to make over the years to keep the system working.

“One important lesson I learned was that modernizing government systems is really hard,” he says.

You've read  of  free articles. Subscribe to continue.
Real news can be honest, hopeful, credible, constructive.
What is the Monitor difference? Tackling the tough headlines – with humanity. Listening to sources – with respect. Seeing the story that others are missing by reporting what so often gets overlooked: the values that connect us. That’s Monitor reporting – news that changes how you see the world.

Dear Reader,

About a year ago, I happened upon this statement about the Monitor in the Harvard Business Review – under the charming heading of “do things that don’t interest you”:

“Many things that end up” being meaningful, writes social scientist Joseph Grenny, “have come from conference workshops, articles, or online videos that began as a chore and ended with an insight. My work in Kenya, for example, was heavily influenced by a Christian Science Monitor article I had forced myself to read 10 years earlier. Sometimes, we call things ‘boring’ simply because they lie outside the box we are currently in.”

If you were to come up with a punchline to a joke about the Monitor, that would probably be it. We’re seen as being global, fair, insightful, and perhaps a bit too earnest. We’re the bran muffin of journalism.

But you know what? We change lives. And I’m going to argue that we change lives precisely because we force open that too-small box that most human beings think they live in.

The Monitor is a peculiar little publication that’s hard for the world to figure out. We’re run by a church, but we’re not only for church members and we’re not about converting people. We’re known as being fair even as the world becomes as polarized as at any time since the newspaper’s founding in 1908.

We have a mission beyond circulation, we want to bridge divides. We’re about kicking down the door of thought everywhere and saying, “You are bigger and more capable than you realize. And we can prove it.”

If you’re looking for bran muffin journalism, you can subscribe to the Monitor for $15. You’ll get the Monitor Weekly magazine, the Monitor Daily email, and unlimited access to CSMonitor.com.

QR Code to Bringing US up to code: How outdated software has become a safety issue
Read this article in
https://www.csmonitor.com/Business/2023/0117/Bringing-US-up-to-code-How-outdated-software-has-become-a-safety-issue
QR Code to Subscription page
Start your subscription today
https://www.csmonitor.com/subscribe