Bringing US up to code: How outdated software has become a safety issue

People pass through Salt Lake City International Airport on Wednesday, Jan. 11, 2023. Aircraft across the U.S. were grounded for hours by a cascading outage in a government system relied on for hazard updates. The incident comes as many software systems across government agencies need renewal or replacement.

Rick Bowmer/AP

January 17, 2023

When his 6 a.m. flight from Palm Springs, California, to Pittsburgh was delayed last week, Chris Goranson got worried. “I thought something pretty bad must have happened,” says the professor at Carnegie Mellon University’s Heinz College and former federal employee working on modernizing computer systems.

There were no reasons given for the Jan. 11 delay. And the trouble seemed to be spreading nationwide. Although Mr. Goranson experienced only a 90-minute delay in California and another half-hour delay on his connecting flight in Dallas, some 1,300 flights were canceled and another 10,000 were delayed.

The culprit: a computer glitch at the Federal Aviation Administration, which caused a decision to temporarily ground all flights.

Why We Wrote This

Human error may have been the cause of the computer glitch that briefly grounded all U.S. airline flights last week. But the incident pointed to deeper challenges of keeping key software up to date.

The failure of its 30-year-old hazard-notification system – its first such crash – is focusing a bright light on the outdated computer systems still running at the FAA and beyond. Federal government agencies are relying on thousands of information technology systems that are decades old, expensive to maintain, and vulnerable to failure and cyberattack, IT experts say. And the problem of legacy systems keeps getting worse as technology speeds ahead and hackers become more sophisticated. 

“This is not going to be the only critical infrastructure system that is going to break down like this,” says Gregory Dawson, a clinical professor at Arizona State University who is also a consultant and author of a forthcoming book, “Digitalization and Sustainability: Advancing Digital Value.” “We have to be able to address it.” 

He urges an all-out government effort, like its recent push to create and distribute COVID-19 vaccines, to solve the problem. 

The challenge is that voters apparently want – and politicians certainly deliver – government projects that are tangible. Spending $1 million on a park, for example, is much easier politically than replacing an old and obscure computer system that eventually could fail, says Joseph Steinberg, a cybersecurity expert and author of “Cybersecurity For Dummies.” 

“We saw this in the tech world with Y2K,” he says, referring to the predicted chaos that might have happened had the date function of antiquated computers turned over from 99 to 00 rather than 1999 to 2000. “All this money was invested to prevent the year 2000 problem. And yet people say: ‘Oh, look, it was all a waste, nothing happened.’ What do you mean, nothing happened? That was the goal!” 

Hewlett Packard Company employees are shown working in a basement Y2K Command Center on Dec. 31, 1999, at HP headquarters in Palo Alto, California. The transition to a new millennium occurred largely without the feared digital disasters, after many companies invested in precautionary steps.
AP/File

Unlike Y2K, the scope and expense of the current problem are known. Chief information officers at federal agencies track the condition and vulnerability of each of their systems. “You could walk into any federal government agency as well as at the state level, and they can tell you almost down to the nickel what needs to be replaced, why it needs to be replaced, and what happens if it’s not replaced,” says Professor Dawson at Arizona State. “But there’s got to be the money and, B, there’s got to be the political will.”

Congress has made efforts over the years to address legacy systems. In 2017, during the Trump administration, it passed the Modernizing Government Technology Act, which in turn created a modernization fund that allowed agencies to compete for money. Winning proposals get funds to upgrade their systems, which are paid back with the savings they realize. That’s a step forward, Dr. Dawson says, but it prioritizes upgrades that improve taxpayer interfaces rather than the infrastructure behind them.

The importance of that infrastructure became all too clear with the FAA’s glitch last week. Known as Notice to Air Missions or NOTAM, the system is the central collection point for any hazard – from closed runways to air shows – that flight crews might need to know. According to the FAA, human error was responsible. Personnel – reportedly contractors – failed to follow procedures and corrupted the system.

Such problems would be less likely with a modern system, Dr. Dawson points out, because it would have interfaces and other security measures built in that would keep workers from directly accessing a key database.

Old technology is hardly limited to the FAA. The Internal Revenue Service is busy trying to update the code of its Individual Master File, which it uses to process tax returns. Created in the 1960s with a computer language no longer in common use, the IRS system is one of the government’s oldest systems still operating.

Only a month ago did the Defense Department announce contracts with four commercial companies to provide services for its Joint Warfighting Cloud Capability. Hiring companies to provide cloud services is something small and large businesses have been able to do for years, points out a Hudson Institute report published last month. The F-35 stealth fighter reportedly has far fewer lines of software code than a 2020 Mercedes-Benz S-Class car, to handle everything from takeoff to targeting. And the Pentagon has struggled to get all the fighter’s software to work, the report says.

Of course, some areas of government are world class, such as the secretive National Security Agency. “Places like the NSA, CIA, certain parts of law enforcement are very, very sophisticated,” says Mr. Steinberg, the cybersecurity expert. “In some cases, they might be the best in the world. But that’s not everywhere.” 

Modernizing government systems goes beyond changing out hardware and software. “You can’t go and buy your off-the-shelf solution,” says Carnegie Mellon’s Professor Goranson, a former employee of 18F, an office within the federal General Services Administration that collaborates with other agencies to fix and modernize their technology. Improving systems means understanding their quirks – how people interact with them and the little tweaks they’ve learned to make over the years to keep the system working.

“One important lesson I learned was that modernizing government systems is really hard,” he says.