Yesterday’s technology, tomorrow. That fairly sums up the problem with the federal government information technology infrastructure. That, and the cumbersome and antiquated acquisition process to purchase today’s technology sometime in the next three years.
Original post here: https://www.morganwright.us/irs-tax-day-glitch
Not to mention the dreaded certification process of the 2002 Federal Information Security Management Act (FISMA), which morphed into the 2014 Federal Information Security Modernization Act — the new and improved FISMA. And don’t forget the Federal Risk and Authorization Management Program (FedRAMP). All catchy acronyms that have failed to solve one of the most perplexing problems for government — how to build and secure a system that works.
The latest poster child is the meltdown of the online IRS tax filing system. How many billions of dollars were spent in the name of FISMA, FISMA and FedRAMP? And what we end up with, instead of a working system, is a system that goes down precisely on the day devoted to procrastination. (Guilty as charged, your honor.)
It would be easy to blame it on the old code and systems still running the IRS, except the IRS itself touted a new system called the Modernized e-File (MeF).
According to the site, “The IRS spent over three years on the design and development of a new e-file system which is often referred to as Modernized e-File (MeF).” That’s great for the corporations it was designed for, as for the rest of us, we get what has been referred to as the “most antiquated computer system in the federal government”.
The computer language is Assembly, and dates back to 1947. The language is so old, it’s rumored that more people understand the Aramaic in Mel Gibson’s “The Passion of the Christ” than know how to write code in Assembly.
It would be easy to blame the IRS failure on outdated hardware and software. But then we’d have to explain Healthcare.gov, and the infamous video of then-Health and Human Services Secretary Kathleen Sebelius watching the system go down in front of reporters.
What was initially estimated to cost $93.7 million, shot up to around $292 million and, according to a 2014 Inspector General report, the ultimate cost exceeded $1.7 billion. And it still crashed. I had to privilege of testifying before Congress about it in 2013. One lesson that was made abundantly clear is that, in government, there is never enough time and money to do it right, but there is always enough time and money to do it over.
Twenty-one million people had some of their most sensitive information stolen when security clearance forms were exfiltrated from the ever-negligent Office of Personnel Management (OPM) in June 2015. Their systems were so old, the records couldn’t even be encrypted.
The assistant inspector general of audits for OPM, Michael Esser, said the security breach followed a “long history of failing”. In a 2016 report, Esser said, “at the end of fiscal year (FY) 2016, the agency still had at least 18 major systems without a valid Authorization in place,” even though this was required by FISMA.
The OPM issues dated back to 2007 and crossed both political parties and two administrations. No political party is immune from failure and lack of accountability.
This leads us to the ongoing issue confounding government: Systemic failures at IRS, OPM, State Department, National Oceanic and Atmospheric Administration (NOAA), the U.S. Postal Service and more.
But it’s more than “yesterday’s technology, tomorrow”, or bad hardware that has to be rebooted so taxpayers can pay their taxes, or antiquated code and procurement processes. It’s accountability. What else could explain a $93 million project that ballooned to $1.7 billion? Or eleven years of failing to secure and certify major information systems? No one is being held accountable.
This is not to say that the private sector is the ultimate model, but at least the CEO of Target was fired after the massive 2013 breach and the even more massive Equifax breach cost that CEO his job (although it was called “retirement”).
To be fair, Target and Equifax are not governed by the same funding and acquisition processes as government is. If they were, you’d still be hearing the manual cash registers ringing up your purchases and forget taking a credit card or Apple Pay.
The other aspect is competition. The bureaucracy of government procurement is Darwinian; only the strong can survive the bidding, capture and procurement process. GitHub, a favorite place for source code (kind of Facebook for geeks), would have to spend over $250,000 just to get FedRAMP certification.
Instead, agile and innovative companies are smothered by the weight of government “innovation”. Instead of “tomorrow’s technology, today”, at a competitive price, government is content to acquire “yesterday’s technology, tomorrow” — at a premium.
Morgan Wright is an expert on cybersecurity strategy, cyberterrorism, identity theft and privacy. Previously Morgan was a senior advisor in the U.S. State Department Antiterrorism Assistance Program and senior law enforcement advisor for the 2012 Republican National Convention. Follow him on Twitter @morganwright_us.