I saw an interesting article last week in Government Computer News, July 2015 by author Brian Robinson titled: “What’s worse: Living with legacy systems or replacing them”. His article was precipitated by the recent hack of the US Government’s Office of Personnel Management where millions of employees had their private information stolen. The fact was that those software systems were still running 20 year old COBOL code. And that in turn means that these systems were never designed to either be connected to the Internet or, be secure in that environment. In addition in another article from Ars Technica I learned that even encryption wouldn’t have worked because first the systems are too old to support it and additionally that the hackers had gained valid system credentials likely via social engineering.
How many court systems have computer software in that same state? Does your CMS operating system and database support encryption if you wanted to use them? For sensitive juvenile, victim, and financial records such as garnishment orders encryption is a must.
So what is the risk / reward model for maintaining the old systems? If one is in business the risk can be potentially quantified as lost sales and like recent breaches at major retailers, loss of customer trust, and government fines.
For courts there are definitely risks. First, there is the ability or inability to maintain an older system. If one uses outdated languages or operating systems there may not be anyone who can fix something that breaks. Second, as noted above the system may be insecure. And therefore the data stored therein may be accessible. Third, the hardware that the old software runs on may become increasingly hard to obtain. I remember one court who had to buy their printer equipment on eBay because the notice document printing was hard coded for only that type of printer into their ancient system. And fourth there is a serious risk of losing the court’s data because storage drives fail and even tape backups can become unusable.
The Department of Homeland Security posted an excellent web page on older systems risks with an assessment list for you to use at:
So what is your Plan B? Can you replicate your old system on a newer “virtual machine”? At least it is running on newer hardware that can be maintained and replaced?
Is it to go to paper? Obviously this only helps with immediate work and not with the ability to operate as efficiently as with your system? And if your plan is to go to paper, have you tested it to see if this or any other approach works?
Or would you have to close your court? For how long? And can the problem be fixed at all?
It is probably time to think about these things and do your risk assessment?