Posts
The COBOL
Layer
The Language That Outlived Its Era
COBOL — Common Business-Oriented Language — was created in 1959 under a Defense Department initiative led by Grace Hopper and a committee of computer manufacturers. It was designed for business data processing: reading records, performing calculations, writing output. Its syntax was deliberately English-like, intended to be readable by business managers as well as programmers. It was good at what it was designed for. It processed fixed-format records with defined field lengths reliably, efficiently, and at scale. The Social Security Administration began building its core systems in COBOL in the 1960s.
COBOL is still running those systems today for the same reason the SSN is still the primary key of American identity: because replacing a working system is harder than maintaining it, because the dependencies that accumulated over decades make replacement increasingly complex, and because the consequences of failure — for a system that pays 70 million Americans their monthly Social Security benefits — are severe enough that caution has consistently won over modernization.
The scale is difficult to convey. The SSA's COBOL codebase is approximately 60 million lines. To put that in context: the entire Linux kernel — the operating system that runs most of the world's servers and Android phones — is approximately 30 million lines of C. The SSA's legacy codebase is twice that size, written in a language that predates the personal computer, accumulating dependencies across five decades of benefit program changes, legislative amendments, regulatory updates, and system integrations. It is not a relic. It is running infrastructure. It processes billions of dollars in benefit payments every month.
COBOL is not a museum piece. It is the operational nervous system of the American social insurance state. The SSN is its primary key. Changing one without touching the other is not possible. Touching both simultaneously, without stopping, at the scale required, is the hardest software engineering problem in the history of American government.
What It Means to Change the Organizing Principle
In database architecture, a primary key is the field that uniquely identifies each record and around which all other records are organized. Every table in a relational database has a primary key. Every relationship between tables — every link that allows a query to pull a person's benefit history, tax record, or contribution account — is built on the assumption that the primary key is stable, unique, and permanent.
The SSN is the primary key of the SSA's data model. It has been since the Numident was established in 1972. Every record in every table in every SSA database is organized around, retrieved by, and related to other records through the nine-digit SSN. Changing that primary key — replacing the SSN with a new, revocable, cryptographically secure identifier — is not a matter of updating a configuration file. It is a matter of migrating every record in every table in a 50-year-old database to a new organizing principle, updating every query and program that references the old key, and doing all of this without introducing errors into the benefit calculations that determine whether 70 million Americans receive correct payments.
* SSA Master Beneficiary Record — conceptual structure * Every record organized by SSN as primary key * Every downstream lookup begins here 01 MASTER-BENEFICIARY-RECORD. 05 MBR-SSN PIC 9(9). 05 MBR-SURNAME PIC X(16). 05 MBR-GIVEN-NAME PIC X(16). 05 MBR-DATE-OF-BIRTH PIC 9(8). 05 MBR-BENEFIT-AMOUNT PIC 9(7)V99. 05 MBR-ENTITLEMENT-DATE PIC 9(8). 05 MBR-EARNINGS-HISTORY. 10 MBR-EARN-YEAR PIC 9(4) OCCURS 60 TIMES. 10 MBR-EARN-AMOUNT PIC 9(8)V99 OCCURS 60 TIMES. * MBR-SSN is the primary key. * 60 million lines assume its permanence. * Every downstream system that calls this record * passes MBR-SSN as the lookup parameter. * There is no secondary identifier. * There is no migration path that does not * touch every line that references MBR-SSN.
The primary key problem compounds at every layer of the dependency stack. SSA systems interface with IRS systems — which have their own SSN-keyed databases. SSA systems interface with DHS E-Verify — which uses the SSN to match employment authorization records. SSA systems interface with state government Medicaid systems, with VA records, with the Railroad Retirement Board, and with dozens of other federal and state agencies whose own legacy codebases treat the SSN as the key that connects their records to the national identity system. A primary key migration at SSA that does not simultaneously migrate all of these downstream systems produces a broken interface — a new identifier at SSA that no downstream system can recognize.
You cannot change the primary key of one system in a network of interdependent systems. You must change all of them, or build a translation layer between the old key and the new one — which means building, testing, and operating a second system of equivalent complexity while the first one continues running. That is not a modernization project. That is two modernization projects running in parallel, for a system that cannot be taken offline.
What Lives in Human Minds — and Is Leaving
The technical complexity of the COBOL layer is compounded by a human capital problem with no software solution. The programmers who wrote the SSA's core COBOL systems, and the programmers who have maintained and modified them over the subsequent decades, are a diminishing population. The average age of an experienced COBOL programmer in the United States is estimated to be in the mid-to-late sixties. The university programs that trained COBOL programmers largely stopped doing so in the 1980s and 1990s. The knowledge of how 60 million lines of accumulated, partially underdocumented code actually behaves — the edge cases that are handled by logic that was never written down, the workarounds that were added to address problems that are no longer remembered as problems, the dependencies that are implicit in the code structure rather than explicit in documentation — exists in a finite, aging, and irreplaceable set of human minds.
This is not a problem that artificial intelligence fully solves. AI-assisted code translation can convert COBOL syntax to Java or Python syntax with reasonable accuracy for well-documented, well-structured code. It cannot reconstruct the institutional knowledge of why a particular piece of code does what it does when the reason was never written down, when the original programmer retired fifteen years ago, and when the behavior is only visible in edge cases that the test suite does not cover. The DOGE intervention of 2025 made this problem visible in real time.
The initiative: Beginning in early 2025, personnel associated with the Department of Government Efficiency pushed for accelerated modernization of SSA's legacy systems, including migration of COBOL code to modern languages on timelines measured in months rather than the years that SSA's own modernization roadmap — developed beginning in 2017 — had projected. AI-assisted code translation was proposed as the mechanism for accelerating the timeline.
The access controversy: Whistleblower complaints and subsequent court filings documented concerns about the access granted to DOGE personnel to SSA systems including the Numident — the master SSN database. Allegations included that data was copied to cloud environments with inadequate security controls and that personnel without appropriate clearances or expertise had been granted access to sensitive systems. Courts issued injunctions. Inspector General investigations were opened. The full record of what data was accessed, copied, or transmitted remains incompletely public.
The technical concerns: SSA career staff, independent technical experts, and congressional oversight raised specific concerns about the risks of rapid COBOL migration: the potential for undetected errors in benefit calculations; the loss of institutional knowledge embedded in legacy code that AI translation cannot reconstruct; the absence of adequate testing infrastructure to validate migrated code at the scale and complexity of SSA's systems; and the operational risk of introducing errors into a system that processes monthly benefit payments for 70 million Americans.
The outcome: The most aggressive migration timelines were modified or paused following pushback from SSA career staff, congressional concern, and legal challenges. The episode did not produce a resolved modernization path. It produced a documented record of the tensions between speed-driven efficiency goals and the technical reality of what the COBOL layer actually is.
The FSA finding from the episode: The DOGE intervention is not primarily a political story. It is a technical proof of concept — specifically, a proof that the COBOL layer cannot be approached as a straightforward modernization project without confronting the primary key problem, the institutional knowledge problem, and the operational risk of errors in a system with no tolerance for benefit payment failures. The intervention made those constraints visible. It did not change them.
When a Design Decision Becomes a Physical Fact
The previous posts in this series treated the SSN's dominance as a policy problem — a consequence of decisions that were made without adequate deliberation, a governance vacuum that was filled by private actors, a sovereignty failure that could in principle be addressed by a sufficiently determined political coalition. The COBOL layer changes the category of the problem.
A policy can be revised. A governance framework can be created. A regulatory gap can be filled by legislation. These are difficult political problems, but they are problems in the domain of human decision-making — problems that a determined actor with sufficient authority can address. A primary key embedded in 60 million lines of running code, with a dependency stack that spans dozens of federal and state systems and interfaces with the private sector identity architecture that Post 3 documented, is not a policy problem. It is a physical fact about the current state of operational infrastructure that determines whether 70 million Americans receive their benefits correctly every month.
This is what it means to say that the COBOL layer encodes the 1936 ontological assumption. The assumption — that the SSN is the primary fact of identity, the organizing principle around which all other records are structured — is not stored in a policy document. It is stored in the data model of a running system. The data model cannot be changed without changing the system. The system cannot be changed without risking the benefits of 70 million people. The risk cannot be eliminated without the time, expertise, and resources that a careful migration requires. And a careful migration requires a political commitment that has not been assembled in the fifty years since the Numident was built.
The philosophical dimension of the COBOL layer is this: the question of what American identity is — what proves it, what the primary fact of personhood is for administrative purposes — was answered in 1936 by a decision to use a nine-digit sequential number for a contributions ledger. That answer was then encoded, over fifty years, into 60 million lines of running code. The question has not been reopened since. Not because no one has tried. Not because the answer is correct. But because reopening the question requires changing the code, and changing the code requires a level of institutional commitment, expertise, and sustained political will that has not been available at any point in the half-century since the Numident was built.
The 1936 decision was made by administrators trying to solve an immediate problem. The COBOL layer was built by programmers trying to track contributions accurately. Neither group was making a philosophical statement about the nature of American identity. Together, across fifty years, they encoded one anyway — in a language that 23-year-old software engineers cannot read, in a system that cannot be stopped, processing the monthly income of 70 million people.
What the Technical Lock Establishes
The SSN's dominance is no longer only a policy failure. Posts 1 through 3 documented a sequence of policy failures: inadequate original design, uncontrolled drift, ungoverned semantic capture. Post 4 documents a different category of problem. The SSN is the primary key of a 60-million-line COBOL codebase that has been running, accumulating dependencies, and encoding the 1936 design assumption into operational infrastructure for fifty years. Changing the primary key is not a policy decision that can be made and implemented. It is a software engineering project of extraordinary complexity that must be executed without stopping a system 70 million Americans depend on for their income.
The dependency stack multiplies the complexity. An SSA primary key migration that does not simultaneously address IRS systems, DHS E-Verify, state Medicaid interfaces, VA records, and the private sector verification APIs that connect to SSA produces a broken network. Every downstream system that passes the SSN as a lookup parameter must either be migrated simultaneously or bridged through a translation layer — itself a new system of equivalent complexity that must be built, tested, and operated in parallel with the legacy system it replaces.
The institutional knowledge problem is irreversible on its current trajectory. The programmers who understand why the SSA's COBOL systems behave as they do — not just what the code says, but why it was written that way, what edge cases it handles implicitly, what dependencies are undocumented — are a population in their sixties and seventies whose knowledge cannot be fully transferred to a new generation or reconstructed by AI translation tools. Every year that passes without a systematic knowledge capture and modernization effort makes the eventual migration more dangerous.
The DOGE intervention proved what the constraints are, not that they can be overcome by speed. The 2025 push for rapid COBOL migration demonstrated precisely the risks that SSA career staff and independent experts had identified: the primary key problem, the institutional knowledge gap, the operational risk of errors in benefit calculations, and the absence of adequate testing infrastructure for systems of this complexity. The intervention was not wrong to identify modernization as necessary. It was wrong to treat necessity as a substitute for the time and expertise that the work actually requires.
The 1936 ontological assumption is now a physical fact. The SSN is the primary key of American identity not because anyone decided it should be, but because 60 million lines of running code, and the full dependency stack built around them, make it so. Changing that physical fact is possible in principle. It requires a sustained national commitment — political, technical, and financial — of a kind that has not been assembled in the fifty years since the Numident was built. Post 5 documents why that commitment has not been assembled: the beneficiary ecosystem that profits from the status quo, and the political economy that defends it.
The Technical Record — What Post 4 Establishes
| Finding | Source | Status |
|---|---|---|
| SSA operates approximately 60 million lines of COBOL — SSN as primary key in every record, every lookup, every benefit calculation | SSA modernization documentation; GAO reports | Documented |
| Primary key migration requires simultaneous update of all downstream systems — IRS, DHS, VA, state interfaces, private sector APIs — or parallel translation layer of equivalent complexity | Software architecture analysis; SSA dependency documentation | Structural Finding · Supported |
| Experienced COBOL programmers average age mid-to-late sixties; institutional knowledge of legacy system behavior partially undocumented and non-reconstructable from code alone | Industry surveys; GAO workforce reports | Documented |
| DOGE 2025 intervention: accelerated COBOL migration attempted; technical concerns raised by career staff and independent experts; aggressive timelines modified or paused; access to Numident data subject to whistleblower complaints and court injunctions | Court filings; congressional record; SSA whistleblower complaints; IG investigation record | Documented |
| SSA modernization roadmap active since 2017 — no completed primary key migration; no resolved replacement identifier architecture as of 2026 | SSA IT modernization plans; GAO oversight reports | Documented |
| The 1936 ontological assumption — SSN as primary fact of identity — is encoded in operational infrastructure that cannot be changed without a sustained technical commitment not yet assembled | Structural inference from technical record | Structural Finding · Supported |
No comments:
Post a Comment