Co-authored by Dr. Stephen Bryen, Chairman, Ziklag Systems
Rachel King and Danny Yardon of the Wall Street Journal have done some excellent reporting about Microsoft's termination of security support for Windows XP. What the authors have found is that a large number of computers used by the U.S. government, by the Critical Infrastructure (especially utility companies) and by ATMs are at risk. They also make it clear that despite warnings by Microsoft on support for a product that is 12 years old, the government sat on its hands and took no action on the threat.
Windows XP was introduced in October 2001 and was based on its network software called Windows NT and was intended to replace the consumer version of Windows 2000. Some readers may recall these programs, all of which have evolved from the even older MSDOS operating system, originally released in 1981. Even Windows 8 retains the "Command Prompt" and other file management tools of the old MSDOS.
Because Microsoft has employed spiral development techniques, that is, they have built on existing core software assets they developed, every successor program contains some of the code embedded in earlier operating systems, going back to the beginning. From the users point of view, this is good because it allows compatibility with older programs and lets them use data formats that otherwise would be replaced. The problem is what happens when Microsoft puts out a security patch for its products. When it does, as King and Yardon properly explain, if the patch touches on any of the old code, the older products, especially if they are no longer supported, are left vulnerable. Smart hackers will see that weakness a lot faster than the enterprise.
The government is facing multiple problems. To begin with, aside from the PCs the government uses, and which are tied into sensitive government networks, important parts of the critical infrastructure are vulnerable. Many -- banking, finance, power companies, pipelines, critical services, transportation and healthcare -- still use XP. In addition, there are probably millions of custom computer boards embedded in military and industrial machines that use XP. Some may have a special version that could be supported for another few years; but it is just as likely that more of them just use an out of the box XP operating system. This makes them more "hackable" than ever before.
Every day another public official, the latest, Secretary of Defense Chuck Hagel, warns of cyber threats. Hagel declared he was going to increase the Pentagon's cyber security staff threefold. He's quoted by AP as saying:
"The Department of Defense is on its way to building a modern cyber force. This force is enhancing our ability to deter aggression in cyberspace, deny adversaries their objectives, and defend the nation from cyber attacks that threaten our national security..."
Really? If the Defense Department, along with other U.S. government agencies are leaving the XP computers online connected to sensitive networks, would it not make more sense to get rid of the XP computers or find a solution to their vulnerability, then to triple the DOD cyber staff?
The same thing is true for the critical infrastructure.
For more than 20 years, the U.S. government has been pushing the need to protect the critical infrastructure. According to President Obama's recently released critical infrastructure cybersecurity framework, the U.S. Department of Homeland Security has pinpointed 16 critical infrastructure sectors.
They are: chemical, commercial facilities, communications, critical manufacturing, dams, defense industrial base, emergency services, energy, financial services, food and agriculture, government facilities, health care and public health, information technology, nuclear reactors, materials and waste, transportation systems and water and wastewater systems.
How many of these use Windows XP? No one knows for sure, but probably at least 10% and as much as 30 percent are older computers with XP. This does not even count the SCADA systems that are vital to many utilities such as oil refining. SCADA are industrial controllers that regulate manufacturing and refining systems. The Wikipedia diagram shows the computer clearly in the SCADA unit. A key vulnerability is these vital systems can be shut down by an adversary.
As the Stuxnet virus proved in Iran, the US-Israel malware destroyed numerous centrifuges within the Iranian nuclear program. A Stuxnet exploiting Scada and other critical infrastructure system vulnerabilities in the U.S. could create mass panic, as communications, transport, health care and energy shut down. Because our military forces rely extensively on commercial systems in the critical infrastructure space, our ability to respond to a physical attack on the U.S., say against our strategic aircraft carriers in Norfolk, may be compromised.
What can the government do? A simple step would be to replace the XP system with a more modern one, not necessarily Microsoft. Another solution would be to hire Microsoft to continue supporting XP as a bridge to the government providing its own security support systems for XP and other Microsoft products. The government could then sell support services to critical infrastructure organizations.
This is the best option because with some bridging to continue Microsoft support for an intermediate period, the government -- not a private company -- would take the lead in essential security fixes, fixes that any potential adversary, including hackers, would not know about. This would be a huge step forward.
The risks of commercial off the shelf technology (called COTS) have been known for more than 40 years. The government has been a poster child for how to get hacked because the government persists in leaving the control of COTS security in the hands of private companies that have different interests than the government. Has anyone noticed that GM let people die for more than a decade because they did not want to replace ignition switches? Some Silicon Valley companies have been notoriously slow in fixing major security vulnerabilities.
Isn't this really a wake-up call? If the government wants us to take them seriously on computer security and critical infrastructure protection, then it needs to take control of itself instead of being constantly beat up and hacked over COTS weaknesses and vulnerabilities.