Federal Breaches and COBOL – the OPM Hack Explained

The U.S. Office of Personnel Management (OPM) recently experienced the largest U.S. governmental data breach, potentially exposing the personal data of up to 18 million current and former federal employees. To explain the reason behind the breach, many have pointed the finger at COBOL, the venerable programming language. Critics maintain that because the programming language was written decades ago, attackers were able to find and exploit vulnerabilities in OPM’s systems.

However, even the strongest army base is at risk when the doors are wide open. Similarly, the security measures and access methods to core government systems and data, as the metaphorical gatekeepers, must be up to the task of protecting the prized possessions inside.

Why the Government, and Many Other Organizations, Use COBOL

People have a tendency to believe that whatever is new must be the best solution. It’s time to set the record straight: the most likely candidates for ongoing success in terms of IT capability are the systems that work today and have done so for years. So while COBOL isn’t a new concept, it is an unrivalled technology for running core systems.

There is good reason why COBOL has been in active use for core business systems, across many platforms, for five decades. The U.S. Federal Government has billions of lines in COBOL in current use, because these applications are reliable and suit the government’s needs. Without these systems, it would be very difficult for government agencies to deliver on their individual mission.

Outside of the U.S. government, the use of COBOL is even more pervasive, with over 200 billion lines of COBOL code across many vital financial and insurance industries as well as retail, logistics and manufacturing organizations, to name a few. In fact, COBOL is responsible for two-thirds of global IT transactions. COBOL’s longevity is due to its unrivaled ability to adapt to technological change. Few languages over the past six decades have continually adapted to meet the demands of digital business and modern technology.

Addressing the Real Issues

While data encryption and multi-factor authentication are important security considerations, the broader IT security question is more significant. After all, even if data is encrypted but the systems holding it are poorly secured, attackers can still steal it. So the real question we should ask after a breach is not what programming language an organization was using, but rather what security protocols and measures the organization employed to prevent unauthorized access in the first place. All applications require robust infrastructure security. Without it, all systems are at risk, regardless of their age. Here are a few specific questions any organization should ask before and after a security breach:

  • Does my organization follow proper password best practices, or are passwords too simple?
  • Do our users have the appropriate amount of access, or do some have unnecessary administrative rights?
  • Do we have identity and access management (IAM) processes in place that monitor user activity and alert us of suspicious behavior?

If members of an organization cannot answer these questions confidently, there are security gaps that need addressing immediately. These issues affect peripheral systems—web, client, server and other user interface systems that enable access to back-end data. Attackers typically look for these front-end vulnerabilities in order to gain access to the back-end applications, systems and data. Poor security practices leave the metaphorical front door open, giving attackers access to the whole house.

In short, whether an organization uses Java or COBOL is irrelevant if the organization’s security protocols and practices are lacking. This was indeed the case at OPM. Inspector General McFarland noted in his Capitol Hill testimony that OPM had failed to act on the recommendations of his office to modernize and secure its existing IT infrastructure. McFarland further commented that such failures were likely the cause of this breach.


Modernizing COBOL systems to meet new challenges

COBOL’s proven reliability and longevity are often misinterpreted as signs that it has not evolved to support modern IT requirements or is deficient in some other way. U.S. Federal CIO Tony Scott has even suggested that the government needs to “…double down on replacing these legacy systems.” Replacing COBOL, however, is not the answer and will undoubtedly introduce many more challenges for a government IT organization that is already struggling to keep pace with modern technology. The smarter move is to innovate from a position of strength, which COBOL provides.

Modern COBOL technology delivers the same trusted reliability and robustness that it did in 1960, but with the ability to connect to modern technologies and architectures including cloud, mobile, .NET and Java, as well as the latest hardware platforms from the z13 mainframe to the latest incarnations of Windows, UNIX and Linux. Because it supports and integrates with the latest platforms and digital technologies, IT can rest assured and get on with more pressing concerns, such as implementing appropriate security strategies for their evolving systems.

Given the seemingly ever-increasing digital threat our IT systems face, it’s critical that IT leaders provide a more responsive, flexible and integrated management system to secure these mission-critical applications from unauthorized use. Modern COBOL offers a simple solution to the OPM security breach and an opportunity to significantly improve its existing security infrastructure.

Original article written by

Ed Airey

Amie Johnson

Derek Britton
