New research found that outdated legacy systems, which may not be encrypted or even documented, are more susceptible to threats than commonly assumed.
By analyzing publicly available federal spending and security breach data, the researchers found that a 1% increase in the share of new IT development spending is associated with a 5% decrease in security breaches.
"In other words, federal agencies that spend more in maintenance of legacy systems experience more frequent security incidents, a result that contradicts a widespread notion that legacy systems are more secure," the paper found. The research paper was written by Min-Seok Pang, an assistant professor of management information systems at Temple University, and Huseyin Tanriverdi, an associate professor in the Information, Risk and Operations Department at the University of Texas at Austin.
"Maybe the conventional wisdom that legacy systems are secure could be right," said Pang, in an interview. But the integration of these systems "makes the whole enterprise architecture too complex, too messy" and less secure, he said.
Federal agencies have seen a rapid increase in security incidents, the paper points out, citing federal data assembled by the Government Accountability Office. From 2006 through 2014, the number of reported security incidents increased by more than 1,100 percent, or from 5,503 to 67,168. An incident can cover a range of activities, such as a denial of service, successfully executed malicious code, and breaches that give intruders access.
One of the largest federal system breaches occurred in 2015, when hackers gained access to some 18 million records at the Office of Personnel Management.
Tony Scott, the former federal CIO under President Barack Obama, told lawmakers at a hearing last year that nearly three quarters of IT budgets are spent maintaining legacy systems.
"These systems often pose significant security risks, such as the inability to utilize current security best practices, including data encryption and multi-factor authentication, which make them particularly vulnerable to malicious cyber activity," Scott said.
The U.S., overall, has more than 3,400 IT professionals employed to maintain legacy programming languages, a U.S. House committee was told after the OPM breach.
If the federal government doesn't modernize its systems, Pang said it may see more large breaches similar to the OPM hack.
In the absence of modernization, Pang said that effective IT governance "mitigates security risks of the legacy systems." The paper also recommended moving systems to the cloud.
Pang said the government needs to pass the Modernizing Government Technology Act. That legislation, which was approved by the House last year, would have boosted IT spending by about $9 billion from 2017 to 2021 had it reached the president's desk.