Legacy at Risk: UK Government Urgently Moves to Secure "Red" Systems

“Code Red” means roll in the crash carts, we’ve got an emergency.

That’s essentially what’s happened within many UK Government departments after questions raised in parliament led to an internal review of government legacy systems. No fewer than 43 have been reported as having a “red” or critical status.

What does this mean? The government defines legacy systems as systems that meet any or all of the following criteria:

• software out of support
• expired vendor contracts
• too few people with required knowledge and skills
• inability to meet current or future business needs
• unsuitable hardware
• known security vulnerabilities
• recent problems or downtime

Each legacy system was assessed on a two-factor point scale. Factor one was the likelihood of the system failing in the near future and factor two was the amount of impact that failure would have on: national security; government’s reputation; finances and budgets; external stakeholders; operations; other technology systems..

Critical Systems at Risk

A “red” status is achieved by scoring highly in both of these factors. So not only are 43 systems likely to fail in the near future, they are likely to have significant impact within the UK when they do.

Eleven of these systems are maintained within the Ministry of Defense and 6 are managed by the Department of Work and Pensions, two agencies with significant impact on public life. No fewer than 11 government bodies reported having at least 1 “red” system, and 6 had 4 or more.

Notably, some departments like the Department for Culture, Media and Sport have refused to disclose their data, while others have not completed their assessments, so the number of red systems could be higher.

What Needs to be Done?

While the government has vowed to deal with this issue and has stated that there is a “funded and carefully planned out remediation plan” it is unclear what the next steps will be.

Choosing a solution presents a delicate balancing act for the government CIOs and COOs. If they do not update or migrate these systems within the next few months, they risk system failure with the consequences thereof, and continued exposure to security risk and public criticism. If they move too quickly, they’ll be forced to skip the fine-tuning required for such a project and may discover critical kinks–such as the immense cost of shifting an entire system, or the possible inability to access all of their data in a new operating system.

It’s necessary to consider all of the data history associated with these systems. Whether they are related to global defense or citizens’ pensions, it is crucial and required by law that this data not only be retained, but remain accessible, even if they are not required for the replacement system to function.

The Solution: Divide and Conquer

The decision makers in these cases need to learn to compartmentalize: what elements of these systems are active and must migrate to a new system and what elements should be securely and accessibly archived. Separating elements such as data history from operating functions will accomplish several goals at once: bring down the cost and complexity of migration, speed up the process, ensure compliance, and increase the likelihood of a successful migration.

IT teams could be split into units with their own mission. One unit will migrate all the active operations and data to a new system without consideration for nonactive elements. The other will focus on securing the data history within an accessible archive. With these teams working concurrently, the entire migration will be completed swiftly and smoothly.

For choosing an accessible home for the data history, there are a few qualities the solution should have to achieve the best results:

1. It should be application/system agnostic so that it can scale across all of the critical legacy systems as well as future legacy systems. This would also allow for plug-ins to current systems and AI tools.
2. It should enable data sovereignty for the government so that the data is not continually at risk due to SaaS updates or failures.
3. It should have smart, relational search capabilities to compile data for auditing and reports.
4. It should have automated governance tools such as purge protocols for compliance.
5. It should be user-friendly and not require highly specialized IT skills to operate.

With this plan in place, government CIOs and COOs could be empowered to swiftly correct this legacy emergency and put all their systems back in the green.

Find out more about this type of solution.

For more information about this article, you can contact our Press Office.