US Government Unprepared For the Transition off Windows XP as End-of-Life Rapidly Approaches

The deadline for installing secure operating systems on federal government computers will pass next month with the job incomplete, leaving hundreds of thousands of machines running outdated software and unusually vulnerable to hackers.

Federal officials have known for more than six years that Microsoft will withdraw its free support for Windows XP on April 8, 2014.  Despite a recent rush to complete upgrades, an estimated 10 percent of government computers — out of several million — will still be running the operating system on that date, company officials said.

That includes thousands of computers on classified military and diplomatic networks, U.S. officials said.  Such networks have stronger defenses generally but hold more sensitive material, raising the stakes for breaches if they occur.

Security experts warn that hackers have been preparing for what Microsoft calls the “end-of-life” for Windows XP by stockpiling “vulnerabilities” that amount to skeleton keys that can give intruders remote access.  Hackers who break into a single computer on a network can use the passwords they steal to work their way into other machines, even ones that have updated operating systems and other protections, experts say.  Intrusions often are limited to espionage but can be the first step toward cyber-attacks capable of disabling critical systems.

Some federal officials said that they asked Microsoft to extend its deadline for ending support for Windows XP.  The company declined and instead offered — for new fees — “custom support agreements” that give protection that likely will fall short of what the company long has provided to most XP users for free, according to experts.

That included routine security patches whenever a cyber-attack, virus, or other intrusion revealed an exploitable weakness in the operating system anywhere in the world.  That comprehensive protection, amounting to a global early-warning system based on data from hundreds of millions of computers, is slated to disappear after the April deadline.  Some agencies have declined to contract for custom support agreements because they deemed them an unnecessary expense.

“For all the money we collectively give Microsoft, they were not too receptive to extending the deadline,” said a senior State Department official, speaking on the condition of anonymity to be candid about relations with a major vendor.  “There was some grumbling that they were not willing to extend.”

Microsoft said that, based on its surveys with federal agencies, it expects the transition to continue during the next several months and be virtually complete by year’s end, although there are likely to be a small number of Windows XP machines operating into 2015.

“Because we are tightly working with our customers, and because of the types of systems that have yet to make the move off XP, we do not feel there is a substantially greater risk for the federal government on April 9 than there is on April 7,” Mark Williams, Microsoft’s chief security officer for federal systems, said in an e-mail.  “That being said, at the end of the day, it’s important to remember that the safest system is a modern one.”

Windows XP, released in 2001, is the last operating system that Microsoft built before the company made a range of significant security improvements, including systems that limit the ability of hackers who break into one program to move into others and gain control of the computer’s most basic functions.

Responsibility for overseeing cybersecurity policy at federal agencies is shared — somewhat uneasily — by the Department of Homeland Security and the White House’s Office of Management and Budget.  In April 2012, DHS sent OMB a draft plan for warning federal agencies that they needed to prioritize moving their computers off Windows XP before Microsoft ended support, but OMB officials never acted on the plan, several current and former government cybersecurity officials said.

Several experts estimate the government has over 4 million computers running Windows XP.

The Justice Department still has over 25% of its nearly 230,000 computers upgraded, leaving tens of thousands running XP.  The Department of Veterans Affairs will still have about 2 percent of its computers, up to 6,000 units, on the outdated operating system by the deadline.

The Commerce Department officials didn’t know how many of the department’s 85,000 machines were using the outdated operating system because updating is left to bureau-level officials.

The inability to complete the transition from Windows XP on time has drawn fire from critics who say it highlights broader flaws in how the federal government deploys information technology and manages critical assets at a time of rising cybersecurity threats.

“There is something broken in the process if they are letting this many machines be un-updated at this point,” said Steve Bellovin, former chief technologist for the Federal Trade Commission, now a computer science professor at Columbia University.  “Some of it is budget cuts.  Some of it is not very good management, I suspect.”

“It is troubling that a list of current [computer systems] isn’t more readily available,” said a congressional aide familiar with cybersecurity policy

The federal government for years has been a regular target of hackers — mainly foreign intelligence services — with significant breaches at many agencies.  The Navy recently battled an intrusion in which Iranian cyberspies spent several months moving within the service’s unclassified system before being detected and expelled.

The risks of running Windows XP were highlighted in 2009 when Chinese hackers managed to exploit a vulnerability in the browser on XP computers at Google, enabling the theft of valuable source code.  Operation Aurora, as security researchers dubbed it, targeted more than 30 other U.S. companies.

The transition away from Windows XP has been slowed by the large amount of custom government software built to run on the operating system.  Just a year ago, a senior State Department official said, nearly all of its 85,000 computers on unclassified systems ran on XP, even though three generations of newer, safer Windows operating systems were available from Microsoft.

Government incompetence never ceases to amaze.

Source: Washington Post