When Superstorm Sandy hit the New York area in 2012, parts of New York City suffered a week-long blackout.
I was living in Brooklyn at the time, and I was lucky enough to have power.
That meant that my apartment turned into a workspace for a half-dozen friends who had lost their power.
Now, having a half-dozen friends crash at your place is fun for a few days. But in my experience, the marginal utility starts to decline by around day four…
Especially when you realize there’s a chance they might never leave.
Last week, tens of millions of people across Spain and Portugal were faced with a similar problem when both countries suddenly lost power.
It was one of the worst blackouts in European history.
And as we discussed in our last issue, something similar could happen here in the U.S. because our power grid is just as vulnerable.
It’s old and needs updating. It’s exposed to extreme weather events like hurricanes and wildfires. And the integration of renewable energy sources makes it prone to large power fluctuations like the one Spain just experienced.
Meanwhile, our grid is being strained by an increasing demand for power.
Unfortunately, that’s not the only massive infrastructure problem the U.S. is facing today.
You see, the legacy software still powering America’s air traffic control, shipping logistics, defense systems and even our hospitals is hanging on by a thread.
This problem might seem far less obvious, but it’s equally dangerous. And unless we address it soon, it’s only a matter of time before there are serious consequences.
A Problem That’s Harder to See
The biggest risk to our critical infrastructure is buried deep in lines of code, written decades ago and patched together ever since.
According to Synopsys/Black Duck’s 2025 Open Source Security and Risk Analysis Report, the vast majority of these fragile legacy systems contain at least some open source software (OSS).
But while the use of OSS can be more cost-effective and transparent, the study found that 91% of the codebases reviewed had outdated OSS components.
And 90% of them contain components that are more than 10 versions behind the most current version.
That means they weren’t designed for the threats we face today.
And that’s understandable when you consider the length of time it often takes for government projects to get off the ground.
By the time software is implemented, it’s not unusual for it to already be out of date.
And many of these legacy systems no longer receive updates or security patches at all.
That’s why hospitals, air traffic networks, defense contractors and other areas of critical infrastructure are such ripe targets for hackers.
For example…
The Wolf Creek nuclear power plant in Kansas was the target of Russian hackers back in 2017.
The Colonial Pipeline hack in 2021 was the biggest cyberattack on an oil infrastructure target in U.S. history.
And just last year, a China-linked state-sponsored group infiltrated major U.S. telecoms as part of a cyberespionage campaign.
Yet despite these major security breaches, we still rely on software written when Bill Clinton was president.
According to a recent RSAC panel, some traffic systems run on firmware from multiple decades ago, with little standardization and no centralized oversight.
Our water infrastructure is fractured into more than 55,000 independent districts, each with its own aging software stack.
And the health care sector isn’t faring much better.
A 2023 study showed that roughly 40% of open-source code used in medical software contains known vulnerabilities…
Even though a single ransomware attack could permanently shut down a hospital.
After all, that’s what happened to St. Margaret’s Health in Spring Valley, IL.

It was hit with a ransomware attack in 2021 that disrupted the hospital’s ability to submit claims to insurers, Medicare or Medicaid for months.
Those billing delays sent St. Margaret’s into a financial spiral, and the 120-year-old hospital was forced to shut its doors in 2023.
It was the first time a hospital was shut down in the U.S. due to a cyberattack. But it likely won’t be the last…
If we fail to act on our legacy software issues.
The Cost of Doing Nothing
The problem with maintaining old code is that it’s expensive and inefficient.
Legacy systems often rely on outdated programming languages and custom hardware, and they suffer from a lack of expertise.
As the original engineers retire, there’s no one left who truly understands how everything fits together.
It’s like trying to fix a crumbling bridge without the original blueprints… and while traffic is still running across it.
But here’s the thing…
The longer we delay modernization, the more we risk falling behind.
We’re already seeing it happen in the airline industry, where legacy flight ops systems are now a major reason for delays.
According to the Department of Transportation, last year over 22% of U.S. commercial flights arrived late.
And tarmac delays of over three hours were up more than 51% from the year before.
The airline industry loses an estimated $60 billion a year from these disruptions. Yet, many carriers continue relying on decades-old scheduling platforms because replacing them is viewed as too risky or expensive.
I believe there’s a far greater risk in doing nothing.
The good news is that momentum seems to be building to do something about our legacy software problem.
In January 2025, the Cybersecurity and Infrastructure Security Agency (CISA), in partnership with the Defense Advanced Research Projects Agency (DARPA) and other government agencies, published a report titled Closing the Software Understanding Gap.
It recognizes that most legacy systems are so complex, we no longer fully grasp how they work.
The report highlights the risks of this software understanding gap to both national security and critical infrastructure, and it recommends a broad, government-coordinated approach to help fix the problem.
One solution is to invest in rigorous software assessment techniques known as formal methods that allow deep auditing across massive codebases.
Formally verified software used to seem impossible to do at scale, but advances over the past decade have made it much easier to use in everyday development.
Naturally, AI is playing a part. It’s already helping developers untangle and refactor legacy code.
In fact, according to GitLab research, 34% of developers are now using AI to modernize legacy code.
That percentage will only go up as AI continues to improve.
By analyzing, testing and rewriting outdated software, AI tools should cut the time and cost of modernization significantly.
Here’s My Take
The blackout in Spain and Portugal last week should be a wake-up call for all of us.
Not just about the vulnerabilities of our energy grid but about the software that powers our critical infrastructure.
Because the longer we depend on outdated code, the greater the chance that something will break.
That’s why smart money is backing the companies powering America’s digital rebuild.
As federal agencies and Fortune 500s begin to upgrade their software, companies working on secure-by-design software, AI-powered development tools and formal verification should benefit from America’s digital rebuild.
Members of my Strategic Fortunes service know this already.
At the beginning of last year, I identified a company that’s helping large institutions map and modernize complex legacy systems, including government infrastructure.
As of this morning, its stock price is up over 640% since my recommendation.
And as concern around this issue keeps growing, we’ll likely see more chances for similar gains.
Regards,
Ian King
Chief Strategist, Banyan Hill Publishing