Not long after the announcement that Microsoft will stop updating Windows XP from 8 April onwards, having already extended support beyond the regular life cycle for over a year, came the soothing message that malware will be monitored for another year. That may be good news to some, but the fact remains that this is not the same as patching.
Remaining on XP leaves every desktop, laptop and other machine running it in a vulnerable state: exposed to hacks, cyber crime, being drawn into a botnet, and so on. On top of that, your machine may become part of an army aimed at hurting others. Transitioning to a newer operating system is important, but who should lead here?
Windows XP is the version of Windows that came on the market in 2001. After release, vulnerabilities (small mistakes, holes or oversights in the software) are discovered by Microsoft itself, by ethical hackers, or through abuse on the internet that is spotted, e.g. by anti-virus vendors. Microsoft closes these vulnerabilities through patches: regular updates sent to users once a month on the so-called “Patch Tuesday”. By updating the operating system regularly, it is kept as safe as possible. That is why patching is so important. In combination with a firewall and (regularly updated) anti-virus software, a computer is closed off from everyday attacks. Not safe, but secure.
Windows XP as liability
What is the relevance of Microsoft stopping support for Windows XP? It lies in the fact that every vulnerability discovered after 8 April will no longer be patched and remains a vulnerability forever. Is this a problem for someone working with XP as such? No, the program keeps doing everything it did before. Is it a problem from a security angle? Yes, in general, because between 20 and 29% of all desktops in the world still run on this operating system. Yes, specifically, because everyone remaining on XP becomes exposed. All end users become vulnerable to hacks, botnets, identity theft, phishing, etc. Apparently more people work with XP in developing countries, so the risks are greater there. But what about institutions, government agencies and companies?
The danger is the same for everyone involved. The risk of serious harm only grows when, for example, a hospital, a water-defence authority or a major infrastructure operator such as an oil refinery becomes an easier target for hackers or cyber terrorists. On top of that, reputational damage will be higher too.
The role of government
At the latest IGF in Bali, Indonesia, Internet Engineering Task Force (IETF) representatives discussed their work and role, but also the (lack of) implementation of technical standards. Their message was: if governments think it is important to implement a new standard, it is they who should ask for that implementation when buying a new product. As governments are big customers, this demand will lead to general implementation. Unfortunately, governments do not often ask for best practices or new standards. The cheapest price is often more important, or so I’m told.
Microsoft announced the end of XP support several years ago. Still, it is said that several large institutions have not yet migrated to a newer version. Some may even still run Windows 98 or 95. It is at moments like this that a government (and yes, the question “who is the government?” is a valid one here) could lead. A good example is the Dutch National Cyber Security Centre, which published a fact sheet in October 2013 warning the general public about the end of XP’s support. This is not the same as establishing a programme that helps the whole government to migrate in time. It is not just the central government that is in the line of fire from 8 April onwards; we also have to think of smaller and specialised agencies and institutions, local government agencies, etc., whose systems may be part of a country’s vital infrastructure. A country cannot afford to become vulnerable this way, but it will probably happen anyway.
And outside government?
A government can never be responsible for the actions of non-governmental actors, but it could lead the way forward: starting with itself, and by starting serious awareness campaigns. Or by setting harsher rules concerning the use of the internet, as with cars and airplanes? Or is that one step too far?
Then there are machines running XP (or older) that cannot be replaced, or will not be until the end of their respective life cycles. What is the solution here? There isn’t one, except examining whether it is essential that such a machine connects to the internet at all. Any other suggestions?
It is also important to end the exclusive focus on the “outside coming in” kind of protection. It is the “inside going out” that needs more attention. Every vulnerability is abused to attack others as well. Protecting yourself as best you can also protects your environment. As long as this is not seen as important, as long as that awareness is not there, we might as well start allowing anyone to drive or fly without tests and examinations. Securing the internet has to become a common task, not something optional that no one needs to commit to. It is time this awareness sets in, starting at government level.
Failure should not be an option
In short: from 8 April 2014 the online world will be notably less safe, and one thing is changing fast: we are staring the internet of everything in the face. No one can force an end user to migrate from his old hobby horse, which probably cannot even run on a modern operating system, to something else. This is different for institutions. Money ought not to be a reason not to migrate here. Primary processes, privacy-sensitive data, even people’s lives are involved. Reputations are at stake, and legal claims may even be lodged should something seriously go wrong. Isn’t failing to migrate gross negligence or worse? If not, perhaps it should be made so.
A duty of care starts with being as safe as possible. A duty-of-care ruling may be a solution that helps institutions make timely decisions. It could make people, from you and me all the way up to the executive, aware that being on the internet comes with a responsibility to others on the internet, just as on the roads. This is true for end users, but certainly for government institutions and organisations. It is they that have to lead and set examples. Failing to migrate after 8 April should have no excuse. And who could provide a duty-of-care ruling? Right, the government.
Wout de Natris, De Natris Consult
Haarlem, 16 January 2014