The Hidden Dangers of Legacy Code in Defence
In 2020, DARPA highlighted a problem that has since become impossible to ignore. Modern defence systems are built on vast layers of legacy code, much of it poorly understood, sparsely documented, and difficult to secure (6).
At the time, the concern was largely structural. Today, it is accelerating.
Advances in artificial intelligence are changing how software is analysed, understood, and exploited. Capabilities that once required months of specialist effort can now be achieved in minutes. AI-driven tools are increasingly able to interrogate complex codebases, identify vulnerabilities, and suggest fixes at scale (1, 4, 10).
The implication is clear. If these tools can surface weaknesses in commercial and public systems, they can do the same, at far greater consequence, across defence infrastructure.
This is the uncomfortable reality. Defence is not just powered by software. It is dependent on legacy software, and that dependency is becoming a strategic risk.
A foundation built on ageing code
Legacy code is not an edge case in defence. It is the foundation.
Across military platforms, intelligence systems, and logistics networks, software written decades ago continues to underpin mission-critical capability. Research and industry analysis consistently show that legacy systems are inherently difficult to understand, modify, and secure due to their complexity and age (7, 6).
This challenge goes beyond age alone. Many of these systems lack formal specifications, contain incomplete documentation, and have evolved incrementally over time. As a result, even small changes can introduce disproportionate risk (6).
In practice, this creates a persistent tension. Defence systems must evolve to remain operationally relevant, yet the act of modifying them can introduce instability or unintended consequences.
The scale of the problem
The scale of legacy code across defence organisations is significant.
Within the United States, officials have acknowledged that a substantial portion of Department of War applications remain legacy systems, including critical software still running on outdated infrastructure (4).
The UK presents a similar picture. The Ministry of Defence describes its digital estate as a complex “brownfield” environment, composed of thousands of interconnected systems and data sources that have evolved over time (5). Independent oversight has reinforced this view, highlighting the scale and fragmentation of defence digital infrastructure (11).
This creates what has been described as a “data paradox”. Despite vast volumes of information, structural limitations prevent organisations from fully exploiting it for decision-making (5).
Legacy systems are therefore not just a technical issue. They are an operational constraint.
Security vulnerabilities embedded in time
The most immediate risk posed by legacy code is security.
Many older systems were not designed with today’s threat landscape in mind. As attack surfaces expand and adversaries adopt more sophisticated cyber capabilities, these systems become increasingly attractive targets.
Technical analysis highlights that legacy software remains difficult to secure due to its complexity, lack of visibility, and the challenges associated with applying modern security practices to ageing architectures (7, 10).
Historically, identifying vulnerabilities in such systems has been slow and resource intensive. That constraint is now eroding. AI systems can analyse vast codebases at speed, uncovering weaknesses that would previously have gone unnoticed (1, 4).
This creates a clear asymmetry. Defence organisations must secure entire ecosystems of ageing software, while adversaries need only identify a single point of failure.
The compounding cost of technical debt
Legacy code also imposes a growing financial and operational burden.
Across the public sector, ageing systems are recognised as a source of inefficiency, increasing costs, and limiting organisational agility (3, 11). In defence, this dynamic is amplified by the requirement to maintain operational readiness at all times.
As a result, systems are often patched rather than replaced. Over time, this leads to layers of technical debt that increase complexity and reduce flexibility (6).
The outcome is more than inefficiency. It is strategic drag. Programmes slow down, integration becomes more difficult, and the adoption of new technologies is constrained by the need to interface with legacy architectures.
Interoperability and the limits of modernisation
Modern defence depends on interoperability. Data must move seamlessly across platforms, domains, and allied systems.
Legacy code was not designed for this environment.
The UK Defence Data Strategy highlights siloed systems, inconsistent standards, and fragmented architectures as key barriers to integration (5). Independent review has further emphasised the challenges of integrating legacy systems within modern digital frameworks (11).
Efforts to modernise often rely on middleware and integration layers, which introduce additional complexity and potential failure points (10).
This creates a fragile ecosystem. Each new connection increases capability, but also expands the attack surface.
AI as both solution and threat
Artificial intelligence is increasingly positioned as a solution to the legacy code problem.
Programmes across defence are exploring how AI can be used to analyse, refactor, and modernise ageing codebases (1, 4).
The potential benefits are significant: faster vulnerability detection, automated code analysis, and more efficient system upgrades.
However, this capability cuts both ways.
The same tools that enable defenders to identify weaknesses can be used by adversaries to exploit them. As AI lowers the barrier to advanced code analysis, the likelihood of vulnerabilities being discovered and weaponised increases (4).
There are also questions of trust. AI-generated fixes must be carefully validated, particularly when integrated into complex legacy systems where unintended consequences can be severe (2).
AI does not remove the complexity of legacy code. It accelerates interaction with it.
Why replacement is not an option
It is often assumed that legacy systems can simply be replaced. In defence, this is rarely realistic.
Military platforms are designed to operate over decades. Their software is tightly integrated with hardware, operational procedures, and certification frameworks. Replacing these systems wholesale would be costly, disruptive, and strategically risky (11).
Instead, defence organisations are forced into a continuous balancing act, maintaining existing capability while incrementally introducing new functionality.
This ensures that legacy code is not a temporary issue. It is a permanent feature of the defence landscape.
The strategic implication
The real danger of legacy code is not just technical. It is strategic.
Legacy systems shape the pace of innovation, constrain how quickly new capabilities can be deployed, and limit how effectively data can be exploited. They introduce friction across development, integration, and operations (5, 11).
At the same time, advances in AI are making these weaknesses more visible and more exploitable (4).
What was once hidden within opaque systems is now increasingly exposed.
Conclusion: containing the past to secure the future
Defence cannot abandon its legacy systems, but it cannot afford to ignore them.
The challenge is to manage them deliberately. This means improving visibility, reducing complexity, and designing architectures that allow new capabilities to coexist with old systems without compromising security or performance.
It also requires recognising a shift. Legacy code is no longer a passive risk. In an AI-enabled world, it is an active attack surface.
The future of defence will depend not only on the technologies it builds next, but on how effectively it manages what already exists.
References:
1. Air & Space Forces Magazine. (n.d.). Air Force turns to generative AI to modernize legacy software. https://www.airandspaceforces.com/air-force-generative-ai-modernize-legacy-software/
2. BBC News. (n.d.). AI Security Institute sets out best practices. https://www.bbc.co.uk/news/articles/c2ev24yx4rmo
3. Cyber Defense Magazine. (n.d.). Legacy code: A growing threat to public sector organizations. https://www.cyberdefensemagazine.com/legacy-code-a-growing-threat-to-public-sector-organizations/
4. DefenseScoop. (2024, September 12). Pentagon looks to artificial intelligence to modernize legacy code. https://defensescoop.com/2024/09/12/pentagon-artificial-intelligence-modernize-legacy-code-john-hale/
5. Defence Science and Technology Laboratory. (2021). Data strategy for defence. https://assets.publishing.service.gov.uk/media/614deb7a8fa8f561075cae0b/Data_Strategy_for_Defence.pdf
6. DARPA. (2020). DARPA and legacy code modernisation. https://www.darpa.mil/news/2020/legacy-code
7. IBM. (n.d.). What is legacy code? https://www.ibm.com/think/topics/legacy-code
8. Infosecurity Magazine. (n.d.). AI Security Institute sets out best practices. https://www.infosecurity-magazine.com/news/ai-security-institute-best/
9. Learning Tree International. (n.d.). Why Rust is the secret weapon for cyber defence. https://www.learningtree.co.uk/blog/why-rust-is-the-secret-weapon-for-cyber-defence/
10. Military Embedded Systems. (n.d.). Modernizing systems with top-grade static analysis. https://militaryembedded.com/comms/communications/modernizing-systems-top-grade-static-analysis
11. National Audit Office. (n.d.). The digital strategy for defence: A review of early implementation. https://www.nao.org.uk/reports/the-digital-strategy-for-defence-a-review-of-early-implementation/
