Defense Department Runs the US Nuclear Arsenal Using Floppy Disks

Written by

According to a report from the US Governmental Accountabilty Office, major governmental agencies including the Department of Defense, Treasury Department and the Social Security Administration have been using IT systems that are up to 50 years old. These are handling important functions related to taxpayer information, federal prisoners, military veterans and nuclear programs—and they’re deeply vulnerable to attack.

The Department of Defense, for example, runs its strategic air command system on an IBM Series/1 Computer—a 1970s computing system—and uses 8-inch floppy disks. This system coordinates the operational functions of the United States' nuclear forces, such as intercontinental ballistic missiles, nuclear bombers, and tanker support aircrafts.

The Department of the Treasury meanwhile uses assembly language code—a computer language initially used in the 1950s and typically tied to the hardware for which it was developed. And the Department of Veterans Affairs automates time and attendance for employees, timekeepers, payroll and supervisors using a bespoke software written in Common Business Oriented Language (COBOL)—a programming language developed in the 1950s and 1960s. It runs on IBM mainframes.

The list goes on and on.

What’s even more shocking is that the US government spent most of its annual IT budget last year to maintain these systems. More than 75% of the total amount budgeted for IT for fiscal year 2015 on operations and maintenance (O&M) investments, according to the GAO. That spending has increased over the past seven fiscal years, which has resulted in a $7.3 billion decline from fiscal years 2010 to 2017 in development, modernization and enhancement activities.

And there’s little end in sight. The President's fiscal year 2017 budget request for IT was more than $89 billion, with much of this amount reportedly for operating and maintaining existing IT systems.

The Office of Management and Budgets (OMB) did recently begin an initiative to modernize, retire and replace the federal government's legacy IT systems, but until that policy is finalized, the GAO warned that the government runs the risk of maintaining systems that have outlived their effectiveness—with great security risk.

“Many IT O&M investments in GAO's review were identified as moderate to high risk by agency CIOs and agencies did not consistently perform required analysis of these at-risk investments,” it noted.

“The GAO’s report on the government’s archaic IT systems is alarming, but unfortunately not surprising,” said Bob Ertl, senior director of product management at Accellion, via email. “Layers of bureaucracy plus fierce competition for budget dollars are historically responsible for the public sector lagging behind in technology adoption. The problem with that is when you put off making technology upgrades, you put off making security upgrades.”

He added that the massive data breach at the Office of Personnel Management highlights this very issue.

“While it remains to be seen whether the lessons learned from that breach will be applied, hopefully this report from the GAO provides additional context for just how dire the security situation is at the federal government level,” Ertl said.

Photo © Yongcharoen_kittiyaporn

What’s hot on Infosecurity Magazine?