“The move from legacy IT and contracts to a future of services designed around user needs; smaller contracts; shorter terms; a more diverse supplier community that is welcoming to SMEs; open standards; open source; more use of commodity. These are the new parameters.”
According to the annals of GOV.UK, the statement above, made in 2012 by then-Cabinet Office minister Francis Maude, represents the first reference to legacy technology in public comments made by a senior official or minister.
The Government Digital Service, the creation of which had been championed by Maude in part to help address the issue of ageing or ineffective technology, was less than a year old at a time.
The organisation recently celebrated its 10th birthday and, following the September appointment of Steve Barclay as Chancellor of the Duchy of Lancaster, digital government has now also been overseen by 10 different ministers since Maude departed the front bench in 2015.
While Barclay’s face may be new, the issues he inherits are not. But the persistence of the problem means that the new Cabinet Office chief arrived at the department with what seems to be a well-developed understanding of legacy technology – particularly given his prior posting, as chief secretary to the Treasury.
Indeed, during his 19 months at HM Treasury he worked with GDS on the creation of a tool to provide data to inform government investment decisions. In July 2020, in the first speech he delivered in his previous role, Barclay spoke of his hope that the planned government three-year spending review – which was ultimately delayed by a year because of the pandemic – would have a keen focus on addressing legacy IT and serve as a springboard to delivering “fundamental change” in Whitehall’s digital and data infrastructure.
“The average tenure of a secretary of state is less than two years, and so it’s no surprise that issues such as legacy IT are often deprioritised in favour of the new and exciting,” he said. “Such an approach is not only expensive, it also poses cybersecurity risk, and prevents agile ways of working and cross-departmental interaction.”
A major report from the National Audit Office last year – which flagged up “a consistent pattern of underperformance” of government digital programmes going back 25 years – singled out legacy systems and data as one of six key areas where lessons from past projects need to be learned to ensure greater success for future programmes.
Just a few days later another report, commissioned by the government and written by the Digital Economy Council, found that half of government’s annual IT spend – £2.3bn out of £4.7bn in 2019 – is dedicated to the maintenance of legacy technology, otherwise known as “keeping the lights on”.
The scale and significance of this problem has, as Barclay hoped, at least been somewhat recognised by the Treasury in 2020’s one-year spending round and the full three-year review that followed in 2021.
In 2020 a £600m funding commitment made for technology upgrades was dished out between HM Revenue and Customs (£268m), the Home Office (£232m),the Department for Education (£64m) and the Ministry of Justice (£40m). The comprehensive review that took place in November 2021 promised £2.6bn across government over the next three years to update old kit and mitigate cybersecurity risks.
A recent roundtable event, hosted by PublicTechnology in partnership with security and IT management firm Tanium, brought together a range of senior officials to discuss the issues they face with legacy IT, what causes them and how they can be addressed. Among the 10 participants in the virtual gathering were the digital heads of several major departments, as well as those from smaller executive agencies and local authorities, and representatives of the commercial profession. To enable the discussion to be as open as possible, the event was held under Chatham House rules.
Attendees first considered the question of how to define legacy – and whether and why such a definition is useful in tackling the problem.
According to one participant, for those in the digital, data, and technology profession, there is no intrinsic taxonomic value in defining legacy.
“It is probably not useful just to think: are these things legacy or not? It is about why: what are the problems… [and] what are the drivers of those issues?,” they said. “Is it about capability? Is it about security? Is it something that is no longer in support? It is about understanding what the problems are, so we can do something actionable about them – rather than being able to say whether they go into the ‘legacy’ box or not.”
However legacy is defined, participants agreed that one common shorthand definition is often inaccurate, and can be unhelpful in enabling better understanding of the issue among ministers and senior managers outside the DDaT profession.
“Legacy doesn’t mean old,” said one senior digital leader, pointing to the fact that age does not feature anywhere in the Cabinet Office’s five-point checklist for what might constitute a legacy system or business process. Rather, these five points are: being considered end-of-life; impossible to update; no longer supported by suppliers; no longer cost-effective; or considered to be above government’s acceptable risk threshold.
Attendees agreed that there is plenty of technology of five, 10 or even 20 or more years’ standing that remains in use across government and continues to work well and serve the purpose for which it was implemented. This, perhaps, requires a different term – ‘heritage’ was suggested – that does not come loaded with the negative connotations of legacy.
“We need to start separating out what people mean [by legacy] to make it useful for ministers. If we are going to them and saying: ‘we’ve got this legacy tech, but it is absolutely fine’, then I think it confuses things,” one roundtable attendee said. “It would be interesting to test what ministers think the word ‘legacy’ means.”
The first of the seven principles of managing legacy technology laid out by the Cabinet Office is “aim to use continuous improvement planning to keep your technology up to date”.
Enacting incremental upgrades and patches is, from a technical standpoint, the key to avoiding potential issues with legacy systems – which can crop up even if the technology in question is comparatively new, according to one attendee.
“Without continuous improvement, legacy can rise up,” they said. “If you’ve got a new product which no-one is looking at because it isn’t 20 years old yet, then it just sits there and becomes legacy very, very quickly.”
Even with a careful approach to deployment and a commitment to ongoing upgrades, government tech professionals can still be subject to the caprices of IT firms.
The digital leader of one executive agency said: “I currently have a service that has been live since September, and I have been hit twice with this legacy thing… it is the vendor: they have changed something and taken a component out. This is a modern, digital service, using the latest technology. But the vendor has twice taken the service down. You build something new, and you try to future-proof things – but there are different types of exposure.”
Another participant, from a big-city local authority, agreed that “we all try and design so we don’t get legacy”.
But, without the processes – and the ongoing budget – to support the approach of continuous improvement, systems and services can go for long periods without a proper assessment of risk.
“We often design a service for a lifespan… which is possibly tied into a contract with a supplier,” they said. “Sometimes the legacy issue comes up because those services are designed for two or three years, but don’t get reviewed for eight or 10 years: there isn’t the capacity in the public sector to go round and review everything at every point that it needs. It is only where you can build in that continuous improvement that you cut out the legacy. Otherwise, quite often what you see is a service that is built however many years ago and it has got to the point that it is creaking, and we are fixing it and designing a service for the next period of time, rather than taking that continuous improvement approach.”
Paul Jackson, head of public sector at Tanium, said that in recent years he has seen changes to contracting models and commercial discussions that have at least reflected a greater awareness of the risks posed by allowing technology to become outdated.
“Previously the way contracts were written made it quite hard to do some of that evergreening,” he said. “But I have seen a shift in the conversation to consider how to be futureproof. There is more awareness to try and provide that evergreening, to try and make sure it is part of the decision-making process, and that it is recognised you need a level of innovation and improvement.”
Are costs effective?
As is so often the case, funding represents another major contributory factor to the issues caused by legacy tech. But, according to digital leaders taking part in our discussion, it is not just a question of how much money is available, but rather the structures, considerations, and processes that inform how and where it is provided, and for what purpose.
Support is invariably provided in large, one-off chunks – often to address the urgent need of a service or system that needs to be fixed. And, thereafter, digital and IT teams are tasked with keeping things running as cheaply as possible.
“Technology is one of the most raidable budgets when funding gets tight,” according to a digital leader at a major department. “There is big upfront funding, then minimal running costs [are expected], which doesn’t really suit the way technology works now.”
Funding processes should make provisions for the expectation that the value of technology – both financial and otherwise – can only be realised and calculated over time.
“In most other industries, they recognise that the IT that is supporting your services is part of your asset base. I don’t think central government and its funding arrangements are particularly wired up to deliver that forward-thinking service-delivery model,” said the digital leader of another large department. “Let’s assume 10-20% of the value of the asset… should be going into continuous improvement, and made available to those product teams. But that is not typically how we do things.”
They added: “This is something for us to tackle – and we need to talk about it overtly as part of this discussion, as it is as relevant to policy and delivery leads as it is to the technology leads.”
Another department represented at the roundtable has tried to build in some longer-term consistency into funding for digital objectives, with the inclusion of a consideration of the ongoing cost of continuous improvement. Once again, the importance of including colleagues from policy and delivery was stressed – for whose ease-of-reference the dedicated funding has been characterised as ‘maintenance’.
“There is always a pressure on business-as-usual [operations] to ‘reduce, reduce, reduce’; but there has now been this creation of a ‘maintenance’ conversation on top of this,” said one of the department’s senior digital leaders. “We go out to the rest of the department and say, ‘usability, availability, security – these are the things we think we should be aiming for, do you agree? Well, in order to do that, we are going to need X amount more’, which we have labelled ‘maintenance’.”
Another participant pointed out that the money needed to deliver a service does not end with the deployment of the necessary technology; employing the people needed to support the tech – particularly for ageing systems – can represent as much as 60% of the overall cost of a service over its lifespan.
“There is a huge unmeasured people cost in dealing with all the old technology and legacy data and bringing it all together,” they said. “Maybe if government could be a bit more aware of this cost, that would help make the case for funding for improvement and address transformation issues.”
Reframing the issue
The Central Digital and Data Office, created within the Cabinet Office last year to help set digital and data strategy across government, is currently working on the creation of a framework to allow for better assessment of legacy technology – particularly at the level of individual services, rather than department-wide. The aim is to recognise problems that cut across departmental boundaries, and map out a model through which risks and opportunities can be calculated, and priorities set.
The CDDO is currently working with departments to identify the biggest legacy-related issues affecting services and those that are expected to crop over time, covering factors such as capacity and resources, funding, and security.
Once complete, the framework will represent a record of the issues being caused by legacy tech and what is driving them, as well as how they can be remediated and the benefits of doing so, alongside the risks of leaving things as they are, even if systems are still seemingly in decent working order.
The aim is to create a unified means for departments to assess opportunity and risk, and prioritise projects. The Cabinet Office also hopes that the creation of the framework will allow it to better understand how and where it can support departments, with money, personnel, or through forging connections.
The digital director of an executive agency claimed that the “CDDO can play a big role in connecting people” – particularly in helping tech professionals share bad experiences, as well as good.
“In the very early days of GDS, there was a network and, when people were putting together programmes of work, you would be connected with someone who had done a similar thing,” they said.
“We used to host quite a few people here [to talk about] legacy contracts. Most of the time we didn’t tell people how to do it – we told them what not to do. Lessons learned is a big thing.”
Another aim of CDDO in its work to address legacy over the coming months is to help bring together colleagues from different professions. As well as connecting digital specialists with policy and delivery professionals, procurement and commercial representatives also need to play a key role in the conversation.
A commercial director of an executive agency said that, in their experience, DDaT professionals from different departments are accustomed to making connections, and have created “a number of forums” for doing so.
“But my experience is that policymakers are generally very departmentally aligned,” they added. “To make that [connection] there is an awful lot of work to do, and it is more difficult to do that centrally.”
But, according to a senior digital leader, the legacy of failing to broaden the discussion to include all stakeholders could be long and troublesome.
They said: “It would be interesting to ask service delivery people ‘what are you doing to deal with legacy’? And, if the answer is: ‘it is an ICT or digital issue’ then we will still be having this conversation in 10 or 20 years’ time, because it will still be a digital or ICT issue, and we’ll still be the ones that are trying to fix it.”