A COBOL (common business oriented language)-based system used to support New York’s $160 billion state pension fund has become the subject of controversy, with some officials claiming it poses a potential security risk and others defending it as “battle-tested,” albeit set to be replaced.
Dubbed MEBEL (member, employer, benefits, executive and legal), the system dates back more than 25 years, according to an audit released earlier this month by the state Department of Financial Services. It “supports the core business processes of the retirement system including benefits processing, calculating and payment, employer billing and reporting, and enrollment and termination of membership,” the audit adds.
“Using a system that is more than 25 years old for such a high volume of transactions is dangerous, particularly because the systems and programs MEBEL was intended to interface with are also now very outdated and there are a small and dwindling number of specialists able to use and maintain them,” the audit states.
The audit also found that MEBEL had been using versions of IBM’s z/OS mainframe operating system and Microsoft’s SQL Server that were so out of date, they weren’t supported by the vendors. While the state has upgraded SQL Server it won’t do the same for z/OS until later this year, according to the audit.
“Software vendors do not create security patches or fixes for recently identified problems for software that is past their formal support end dates,” it adds. “This lack of security and functionality protection leaves the retirement system’s data vulnerable to bugs and to security breaches, including attacks by hackers.”
The Department of Financial Services falls under the auspices of New York Governor Andrew Cuomo’s administration, but the pension system is overseen by New York state Comptroller Thomas DiNapoli, who is elected separately and also serves as the state’s auditor. The two have sparred politically over various issues in recent years, including DiNapoli’s handling of the pension fund and Cuomo’s budget proposals.
DiNapoli’s office responded to the DFS audit on Friday, saying it contained “numerous inaccuracies, misleading statements and errors.”
MEBEL is a “secure and battle-tested system” and COBOL is a “very stable language used extensively throughout state government as well as financial institutions around the world,” the statement added.
A “reliable work horse,” MEBEL has been “constantly maintained and updated,” DiNapoli’s office said. “None of the hardware or software used by the System is old. The mainframe was purchased in 2009 and the software is current. A stable computer system has a low risk of sudden and arbitrary failure.”
Although COBOL dates back more than five decades, its time of invention is “irrelevant” in light of this ongoing maintenance, he added.
Nor is the suggestion of a security risk accurate, as MEBEL isn’t directly accessible from external sources, DiNapoli said.
As for skilled COBOL programmers, the comptroller’s office has had great success in hiring candidates from outside as well as training new staff on it and IBM’s CICS (customer information control system) transaction server, which is also used in MEBEL, DiNapoli said.
However, MEBEL alone has not met all of the necessary requirements and DiNapoli’s team has added other technologies to it, he said.
While MEBEL is scheduled for replacement, the DFS auditors and DiNapoli also disagreed on how long the process has been under way, with the former saying it “should have started years ago” and DiNapoli insisting it indeed has.
Accenture has been selected as the contractor on the project, which is in the early planning stages now.
The new system will primarily use Oracle’s PeopleSoft ERP (enterprise resource planning) software, according to DiNapoli spokesman Eric Sumberg.
A pension-check-writing component will likely be written with MicroFocus COBOL tools, he said via email on Tuesday. Fewer than 10 percent of pension plan beneficiaries receive checks, with most getting direct deposit into bank accounts.
The politically charged dispute over MEBEL’s viability ties into broader, ongoing debates surrounding application modernization, as well as the long-term viability of COBOL as IT professionals proficient in it edge closer to retirement.
While vendors have begun offering products aimed at porting COBOL applications to other platforms, billions of lines of COBOL code are still out there running critical systems and will likely do so for some time to come.
Meanwhile, a study released by MicroFocus earlier this year found that the majority of universities polled didn’t offer COBOL classes.