Thousands of UK Government PCs Exposed

In a move that throws the UK’s government IT footprint wide open to hackers of all stripes, the Government Digital Service has decided not to extend its £5.5m deal with Microsoft for support for Windows XP.

When the contract runs out at the end of the month (as in, Sunday), “weaknesses that are found in unsupported products will remain unpatched and will be exploitable by relatively low-skilled attackers,” the office warned.

After more than six years of fair warning to enterprises, Microsoft cut off support for the discontinued XP operating system last April. Customers no longer receive new security updates, non-security hotfixes, free or paid assisted support options or online technical content updates. And crucially, any new vulnerabilities discovered in Windows XP will never be addressed by security updates from Microsoft, opening the door to zero-day vulnerabilities that last forever.

Obviously, in the case of the UK, the dangers are considerable: NHS patient data, police investigation data, state secrets and other sensitive information can be exposed via Trojans and spyware, among other dangers.

Many companies have completed the long process of transitioning to modern operating systems like Windows 7 or 8, but there are many that have not—even now, more than a year later, 44% of firms are still running at least some PCs on XP. Now, the UK government’s PCs will join those millions of non-updated PCs at risk.

The Crown Commercial Service bought a year’s extension of support, given the impact on national security and possible chaos that could arise otherwise. The idea was to complete a wholesale upgrade of thousands of PCs across the UK’s government IT footprint during that 12 months—but it’s a project that never happened. Some departments, like HM Revenue and Customs, have begun the process but are behind schedule in a migration to Windows 7 and 8.1; others haven’t started, like NHS Scotland, which has about 2,600 computers still running XP.

The Office of the Chief Technology Officer confirmed to the Guardian, “Technology leaders met last month and took a collective decision to not extend the support arrangement for 2015. The current support agreement ended in April 2015.”

It’s a move meant to light a fire under IT staff. But the paper went on to report that instead of migrating immediately, each department is expected to negotiate its own support deal with Microsoft as a stop-gap measure—which will be more expensive, ultimately, than the previous omnibus agreement. The Crown Commercial Service said that it saved the government about £20 million last year by buying in bulk.

“It is vital that all organisations only use software products which are supported by the vendor, and that plans be made to migrate from older products as the end of support period is reached,” the UK’s CTO guidance advises—not that the directive has so far been acted on.

The situation is likely to get worse before it gets better: In July, Microsoft is discontinuing support for Windows Server 2003, which will put around 2.7 million servers at risk.