The United States Government Accountability Office has released a report showing the dire state of the US Government's IT infrastructure.
One of the revelations is that the Pentagon appear to be controlling its nuclear and ballistic arms using an IBM computer from the 1970s, showing it's age by the fact that it uses eight inch floppy disks that can store about 80kb each.
According to the GAO, the US Department of Defense's Strategic Automated Command and Control System (SACCS), “Coordinates the operational functions of the United States' nuclear forces, such as intercontinental ballistic missiles, nuclear bombers, and tanker support aircrafts. This system runs on an IBM Series/1 computer — a 1970s computing system — and uses 8-inch floppy disks.”
The office added: “The [Department of Defence] plans to update [SACCS's] data storage solutions, port expansion processors, portable terminals, and desktop terminals by the end of fiscal year 2017.”
Likewise, the US Treasury appears to be using a 56-year-old IBM mainframe using programs written in assembly code to do its taxes and currently has no plans to update its systems.
An eight-year-old IBM System z10 mainframe using COBOL for some of its personnel systems was found in use at The Department of Homeland Security, and the Department of Justice is using primitive tech to store prison inmates databases.
The report tries to explain that, "Federal legacy IT investments are becoming increasingly obsolete: many use outdated software languages and hardware parts that are unsupported", and went on to explain the situation by saying that, "Federal IT investments have too frequently failed or incurred cost overruns and schedule slippages while contributing little to mission-related outcomes. The federal government has spent billions of dollars on failed and poorly performing IT investments which often suffered from ineffective management, such as project planning, requirements definition, and program oversight and governance."
The federal government currently spends $60billion a year on keeping existing systems up and running. The GAO report found that this number is forecast to increase by %2 by 2017, presumably still taking up the main stke of the budget which would go on new systems.
Wieland Alge, VP & GM EMEA at Barracuda Networks spoke with SC and said that, “At first glance, it's easy to make fun of the Pentagon for relying on 1970s tech. If you look a bit closer, you'll actually see that many other large organisations are running similar legacy systems. The Pentagon has by all accounts been running a bulletproof, isolated system, which certainly appears to have been doing its job to full satisfaction.”
“Even today, we see many industrial environments using a similar setup. Sure, the industrial world isn't run on floppy disks, but there is still a lot of 1990s and early 2000s technology used to control plants and steer machines. The real dangers surface when these organisations try to connect legacy systems to networks, thereby exposing them to modern vulnerabilities.”
"Like a Brit setting off on a sunny summer holiday only to be scorched by the Sun on day one, IT teams can't prepare for something that has been out of view for so long. The key to securing connected legacy and modern devices in Industry 4.0 is to seal the entire attack surface as quickly as possible."
Jonathan Sander, VP of Product Strategy at Lieberman Software spoke with SC and said that, “While some frame the use of these 70s era IBM computers as attempts at security by obscurity, it's possible to see it in a different light. What you have with these systems is a completely understood and predictable platform. It's 24/7 operations on a platform that has been tested in every conceivable way for 4 decades. How many systems made in the last few years can claim that? Security isn't the same beast when you're dealing with systems that are fully purpose built. The computers controlling these missile silos aren't also there to run spreadsheets or play flash games on the Internet. They are very boring, very specialized, and very reliable as a result. Yes, they are also obscure in the sense that there aren't many people who can operate, repair, or even understand them. Some will claim that results in a measure of security, but that debate it moot when you consider that the real security in these systems is that there are no ways to divert them from their one and only task. There is no system that hasn't been hardened, no software that hasn't been purged of vulnerability over the decades. That is, until someone finds one they missed. But the theory is not that they are secure because no one can understand them, but rather that they are secure because the few who understand these systems well have been making them more and more secure over a very long time.”