Why Microsoft's Windows game plan makes us WannaCry
Oh, 'collective responsibility' – that old chestnut
Analysis In the circular firing squad of WannaCrypt, the world's largest recorded ransomware outbreak, nobody looks good.
Not end-users for clinging to dated and unprotected Windows PCs despite warnings, not the government whose National Health Service saw 61 organisations compromised, and certainly not Microsoft – the actual author of Windows.
Just last night, The Register revealed that even though Microsoft had been griping about NSA exploit stockpiles at the weekend, it had also been sitting on its own stockpile... of patches: Friday's WinXP fix was built in February.
WannaCrypt infected 230,000 Windows PCs in 150 countries, targeting unpatched Windows 7 and Windows Server 2008 or earlier systems.
Nonetheless, in our own national chapter of this international drama, the NHS and the British government deserve to be shamed. They had been warned time and again. Nobody could say they couldn't have anticipated this.
Among those "earlier systems" hit by the malware's extortionist authors was XP, the desktop operating system released in 2001 that still comprises seven per cent of the market and for which Microsoft stopped writing security updates on April 8, 2014 – except for those paying a premium for extended support packages. The end of support was well-flagged, and the ramifications of not acting were simple and clear: continue running XP and your data and your PCs would be at risk from malware written after that date.
The Microsoft support agreement, the extension, and ball-dropping
At the start of 2014, when The Reg investigated the matter, the NHS in England was running around 1.086 million Windows PCs and laptops at trusts, GPs and other health groups in the run-up to Microsoft's planned end of support in April of that year.
The government had agreed a temporary framework support agreement with Microsoft which guaranteed delivery of special security patches for XP, Office 2003 and Exchange 2003 for one year, priced at £5.584m. This was paid for by central purchasing agency the Crown Commercial Service.
But seven months into the framework deal, 18 out of 140 trusts had not taken advantage of this centrally negotiated lifeline, even though it didn't even come out of their budgets – it was paid for at Cabinet level – and even though the government made it clear action on the matter of upgrading from Windows XP was imperative.
Strong words, but not only did Whitehall fail to take control of the situation and drive upgrades, it also did not renew its Microsoft agreement.
When the deal ended on April 14, 2015, it was decided CCS would not purchase government-wide support for a second year. Instead, individual government departments and agencies were told they were free to allocate budget and sign their own agreements with Redmond.
The extended support deal of 2014 wasn't unique – Microsoft offered custom support extensions to the private sector, too, but such deals weren't cheap. Priced at $200 per PC for the first year, and doubling in year two, they came with a clear message from Microsoft: this was a temporary measure, and you had to demonstrate a plan to migrate.
And yet, over two years later, vast tracts of the British state – including the NHS – continued to be exposed to outdated and unpatched systems.
As early as December last year, a Freedom of Information request by Citrix put the count of trusts with some exposure to Windows XP within the UK national health services as high as nine in 10 – with many set to miss the April deadline.
So what are they going to do about it?
Now that a problem has surfaced, and it's major, Whitehall is taking action – of a kind. It's doing what it does best: talking, and it's blaming the victim.
UK Defence Secretary Michael Fallon, speaking on The Andrew Marr Show on BBC One on Sunday, preferred to concentrate on a different set of figures – the number of boxes across the NHS as a whole that were running XP. He claimed on Sunday, echoing the NHS statement of a day before, that "less than five per cent" were running the OS (6 minutes, 38 seconds into this clip – requires presence in the UK and TV licence). He also said that the government was "spending around £50m on the NHS cyber systems to improve their security", and that the government had "encouraged NHS trusts to reduce their exposure to the weakest system, the Windows XP".
Microsoft has been quick to act, too, issuing emergency fixes for XP and Server 2003, as well as modern builds, within hours. Microsoft is also talking, in an apparently successful attempt, judging by the headlines, to shape the narrative of this event. And well it should, for the NHS and government are merely actors in this tragedy.
Microsoft, upgrades, and the relentless march into the cloud
Once, before Microsoft's fascination with cloud, when Windows was one of Microsoft's biggest multibillion-dollar business drivers, Microsoft's policy was very clear and very consistent: a treadmill of new versions of Windows every two to three years, with a trailing support window as things moved forward.
It was a forced upgrade march, pushing users on to ever-newer versions of Windows to drive Microsoft's continued growth.
No upgrade? Stand still long enough and you'll lose not just new feature updates but also security updates – as happened with XP three years ago. Support became one of the two choke points Microsoft used to drive Windows upgrades. The other choke point was the browser: Microsoft would limit the versions of Windows that a new Internet Explorer could run on.
XP was the bump in the road of this march. Thanks to the Windows Vista omnishambles, XP was put on extended life support to cater for the fact it was still not just being used but sold. Released in 2001, by January 2014 just under one third of all PCs were still running Windows XP.
And yet Microsoft's patience had run out and it marked April 8, 2014 as the date when it would stop writing security updates for the desktop operating system. It was all stick and no carrot: move to Windows 8 – or, at least, Windows 7 – or drop out of the pack and risk getting picked off.
Dedicating engineers to fix old software takes resources away from Microsoft's preferred focus – building new software and services.
Little wonder, then, that Microsoft is now quick to point the finger, with legal chief Brad Smith talking about collective responsibility for cybersecurity and WannaCrypt, while carefully not reserving a portion for Microsoft.
Smith's blog is a stereotypical exercise in corporate disaster triage: emphasise how responsibly you acted – but not too strongly, talk of collective failings and lessons learned, and issue a call to action to avoid a repeat of this disaster.
So, Smith humbly reminds us that – on 14 March – Microsoft released a fix for the hole WannaCrypt would go on to exploit, noting, correctly of course, that "There is no way for customers to protect themselves against threats unless they update their systems."
He blames governments for hoarding vulnerabilities – holes in Microsoft's code found by outsiders – and weaponising them. He even supplies a handy metaphor about a Tomahawk missile falling into the wrong hands for the non-tech press to grasp.
Then there's the call to action, a repeat of an earlier request for a "Digital Geneva Convention" with governments reporting vulnerabilities to vendors.
"We need collective action to apply the lessons from last week's cyber attack. And we need it now," Smith tweeted.
The devil is in Smith's wording, however, and so is Microsoft's culpability.
Back to that 14 March update.
"While this protected newer Windows systems and computers that had enabled Windows Update to apply this latest update, many computers remained unpatched globally. As a result, hospitals, businesses, governments, and computers at homes were affected," Smith wrote.
Smith didn't name names, but his euphemism of "many computers", juxtaposed with "newer Windows systems", meant he didn't need to: it mostly referred to one thing, the XP machines that Microsoft abandoned three years ago and that those running them either couldn't or wouldn't upgrade.
If anything good comes from WannaCrypt, it'll be the final death of XP.
Desktop migrations have long been a corporate snooze for managers, an exercise that adds nothing to the bottom line while the purchase costs a truckload in time and money. That's why we're in this mess.
Incidents like WannaCrypt, however, grab the attention of those in charge of change and produce a response. Having been burned by experience, and with managers shamed and now kicking down to IT types, expect a spasm of upgrades.
What we likely won't see is a change in policy from Microsoft. ®