Legacy Cobol code an increasing problem in computer security, claims research

Study finds 'security through obscurity' doesn't work and that investment in modern IT also helps improve security

A study of US federal government security breaches has pointed the finger of blame - at least in part - at Cobol code still running on a plethora of legacy systems.

The study purports to refute the claim that legacy systems, such as mainframes running applications in largely obsolete languages, are more secure than modern systems as a result of 'security through obscurity'.

It comes after a 1,121 per cent increase in the number of IT security 'incidents' in the US federal government between 2006 and 2014, which was crowned in 2015 by the breach of the US Office of Personnel Management. This spilt highly sensitive details of more than 22 million people employed by the US government and its agencies, including their all-important social security numbers.

The investigation found that the software on the 30-year-old mainframe hosting the database was written in Cobol and was "too technically obsolete to encrypt the personal information".

The study found that agencies that invest more in new IT systems experienced fewer security breaches than departments that focus their IT spending on maintaining legacy systems. "In other words, federal agencies that spend more in maintenance of legacy systems experience more frequent security incidences, a result that contradicts a widespread notion that legacy systems are more secure," concluded the report.

However, official security audits have typically underplayed the security risks posed by legacy systems. The researchers also found that agencies with more geographically dispersed systems were less targeted than agencies where the IT was centrally concentrated.

"Whether or not legacy IT systems are more vulnerable to security threats than modern systems is a matter of continuing debates… Legacy systems could be more secure than newly-developed systems for several reasons. First, many decades-old legacy systems are relatively isolated from external networks, thereby reducing threat accessibility…

"Second, most of the legacy systems were developed with old programming languages or development tools, such as Cobol, and run over antiquated hardware," suggested the report, adding that most hackers today would be unfamiliar with the technologies.

"Third, legacy systems are often undocumented or poorly documented… hence, even if cyber criminals are willing to invest in learning the legacy systems, there is little they can discover and the costs entailed in discovering the flaws and vulnerabilities in the legacy systems could be very high."

However, the authors suggest, all these potential advantages are outweighed by a plethora of disadvantages.

"First, legacy systems have possibly accumulated a large amount of sensitive information over the years or decades. Thus, they are attractive targets as they carry highly tangible value for an infiltrator," claim the authors.

Indeed, the Internal Revenue Service (IRS), the US equivalent of HMRC, "still maintains the Individual Master File, which was developed 56 years ago with Assembly language code, but it still processes income tax filings and refunds of all American taxpayers. This system is a frequent target of security attacks", warn the report's authors.

"Second, the legacy systems that were designed and developed decades ago are very unlikely to have strong security features from the beginning, since awareness and knowledge of security defences were limited at that time," and, furthermore, when they were implemented they were not expected to be connected to a public network accessible globally.

"Even if they had some security defences, such features are unlikely to match the increasing sophistication of more recent and newly emerging security threats. For instance, the mainframe systems might not have a well-designed authentication system that closely monitors and deters malicious access attempts.

"They may not have strong identity governance and access management capabilities to manage access credentials of tens of thousands of employees and segregate potentially conflicting access privileges.

"In addition, because such systems are unlikely to have proper documentation and there might be few employees who know the systems well, they might not have been properly maintained or 'patched' with new security features. Hence, it is difficult to apply effective countermeasures to legacy systems."
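The two controls the report says older mainframes tend to lack, authentication that watches for repeated malicious access attempts and access management that keeps conflicting privileges apart, are easier to see as code. The following is an added example written for this page, not code from the article or from the study it reports on. The audit-log format, the account names, the role names and the conflict policy are all constructed for illustration; a real system would feed its own logon records and its own role model into the same two checks.

```python
"""Two defender-side checks over constructed data:
  1. spotting bursts of failed logons per account (authentication monitoring)
  2. flagging users who hold conflicting privileges (segregation of duties)
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit-log lines in a made-up "timestamp user result" format.
SAMPLE_AUDIT_LOG = """\
2024-03-01T08:00:01 alice LOGON_OK
2024-03-01T08:00:05 mallory LOGON_FAIL
2024-03-01T08:00:09 mallory LOGON_FAIL
2024-03-01T08:00:14 mallory LOGON_FAIL
2024-03-01T08:00:20 mallory LOGON_FAIL
2024-03-01T08:00:26 mallory LOGON_FAIL
2024-03-01T08:01:00 bob LOGON_FAIL
2024-03-01T09:30:00 bob LOGON_OK
"""


def parse_audit_log(text):
    """Turn the constructed log text into (timestamp, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result = line.split()
        events.append((datetime.fromisoformat(ts), user, result))
    return events


def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=1)):
    """Return the set of users with >= threshold LOGON_FAIL events inside any
    sliding time window of the given length (a basic brute-force detector)."""
    fails = defaultdict(list)
    for ts, user, result in events:
        if result == "LOGON_FAIL":
            fails[user].append(ts)
    flagged = set()
    for user, times in fails.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Shrink the window from the left until it spans <= `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(user)
                break
    return flagged


# Constructed segregation-of-duties policy: role pairs one person must not hold.
SOD_CONFLICTS = {
    frozenset({"SUBMIT_PAYMENT", "APPROVE_PAYMENT"}),
    frozenset({"EDIT_TAXPAYER_RECORD", "AUDIT_TAXPAYER_RECORD"}),
}

# Constructed role assignments (hypothetical users and roles).
ROLE_ASSIGNMENTS = {
    "alice": {"SUBMIT_PAYMENT", "VIEW_REPORTS"},
    "bob": {"SUBMIT_PAYMENT", "APPROVE_PAYMENT"},
    "carol": {"AUDIT_TAXPAYER_RECORD"},
}


def sod_violations(assignments, conflicts):
    """Return {user: [conflicting role pairs]} for every user whose roles
    contain a complete forbidden pair from the policy."""
    out = {}
    for user, roles in assignments.items():
        hits = [tuple(sorted(pair)) for pair in conflicts if pair <= roles]
        if hits:
            out[user] = sorted(hits)
    return out


if __name__ == "__main__":
    events = parse_audit_log(SAMPLE_AUDIT_LOG)
    print("failed-logon bursts:", failed_logon_bursts(events))
    print("SoD violations:", sod_violations(ROLE_ASSIGNMENTS, SOD_CONFLICTS))
```

On the constructed data the first check flags only `mallory` (five failures in 21 seconds; `bob`'s single failure is below the threshold), and the second flags only `bob`, who holds both halves of the submit/approve payment pair. The threshold, window and conflict table are the tuning points a real deployment would set from its own risk appetite.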

Such legacy systems typically reflect a complicated and therefore hard-to-manage IT architecture, they argue, and in any case run highly complex software, which carries with it a high likelihood of bugs and security flaws.

In the past year, the US government has committed $3.1bn in spending to overhaul its legacy IT. However, given how entrenched such systems are in US government, it will no doubt take a lot more than that to modernise US federal government systems.