CircleID

Not long after the message that Microsoft will stop updating Windows XP from 8 April onwards, after extending it beyond the regular life cycle for over a year already, came the soothing message that malware will be monitored for another year. That may be good news to some, but the fact remains that this is not the same as patching.

Remaining on XP leads to a vulnerable state of the desktop, lap top and any other machine running on XP; vulnerable to potential hacks, cyber crimes, becoming part of a botnet, etc. Next to that your machine becomes a part of an army aimed to hurt others. Transition to a newer operating system is important but who should lead here?

As I expect you to aware of the necessity of patching/updating software and running AV security, etc. I prefer not to go into detail here. For those that would like to read the longer version, you can visit my blog.

Windows XP as liability

The relevance of Microsoft stopping the support of Windows XP is that every vulnerability discovered after 8 April will no longer be patched and remain a vulnerability for ever. Part of the problem is that people or organisations running XP won't notice any difference. The program keeps doing everything it did before. The main problem is from a security angle. An estimated 20 to 29% of all desk tops in the world still run on this operating system. Everyone running XP becomes exposed. End users become vulnerable to hacks, botnets, the stealing of personal identity, phishing, etc. Apparently there are more people working with XP in developing countries, so the risks become greater there. But what about institutions, government agencies and companies?

The danger is the same for everyone involved. The risk and danger to inflict serious harm only becomes greater if e.g. a hospital, water protection or major infrastructural institutions like oil refineries or road systems become easier targets for hackers or cyber terrorists. Next to that reputational damages will be higher also. So this makes Windows XP or more precisely working with Windows XP a liability, personally and collectively.

The role of government

At the latest IGF in Bali, Indonesia, Internet Engineering Task Force (IETF) representatives discussed their work, role, but also the (lack of) implementation of technical standards. If governments think it is important to implement a new standard, their message was, it is they that should ask for this implementation when buying a new product. As governments are big customers, this demand will lead to general implementation. Governments unfortunately do not often ask for best practices or new standards. Cheapest price is often more important or so I'm told.

Microsoft has announced the termination of support of XP several years ago. Still, it is said that several large institutions have not yet migrated to a newer version. Some may even still run Windows 98 or 95. It is at moments like this that a government (and yes, the question "who is the government?" is a valid one here) could lead. A good example is the Dutch National Cyber Security Centre that published a fact sheet (click here) in October 2013, warning the general public for the termination of XP's update service. This is not the same as establishing a program that aids the whole government to migrate in time. It is not just the central government that is in the line of fire from 8 April onwards, no, we have to think of smaller and specialised agencies and institutions, local government agencies, etc., who's systems may be part of the vital infrastructure of a country. A country cannot afford to become vulnerable this way, but it will probably happen anyway.

And outside government?

A government can never be responsible for the actions of non-governmental actors, but could lead in the way forward. Starting with itself and by starting serious awareness campaigns. Or by setting harsher rules concerning the use of internet? Like with cars and airplanes? Or is this just one step beyond?

Next to that there are machines that run XP (or older) that cannot be replaced or will not be until the end of their respective life cycles. What is the solution here? There isn't one, except looking at the option if it is essential that this machine connects to the internet. Any other suggestions?

Also it is important that an end is brought to the exclusiveness of the outside coming in kind of protection. It is the inside going out that needs more attention. Every vulnerability is abused to attack others as well. Protecting yourself as best as possible is also protecting your environment. So is developing and selling secure by design ICT products. As long as the inside out awareness is not there or is not seen as important, better, a standard, we might as well start allowing anyone to drive or fly without practice, tests and examinations. Securing the internet has to become a common task, not something without obligation, without needing to commit to. It is time this awareness sets in. Starting at government level.

Failure should not be an option

In short. From 8 April 2014 onwards the online world will notably be less safe and one thing is changing fast: We are staring the internet of everything in the face. No one can force an end user to migrate from his old hobby horse, that probably cannot even work on a modern operating system, to something else. This is different for institutions. Money ought not to be a reason not to migrate here. Primary processes, privacy sensitive data, critical infrastructure, even the lives of people may be involved. Reputations are at stake and judicial claims may even be brought to court should something seriously go wrong. Isn't not migrating gross neglect or worse? If not, perhaps it should become thus.

A duty to care starts with being as safe as possible. A duty to care ruling may be a solution that aids institutions to make timely decisions. It could make people, from you and me all up to the executive, aware that being on the internet comes with a responsibility to others on the internet, just like participation in traffic does. This is true for end users, but certainly for government institutions and organisations. It is they that have to lead and set examples. Failing after 8 April to migrate should not have any excuses. Is there a duty to care ruling? No, but who could provide this? Right, the government and not just for XP migration.

By Wout de Natris, Consultant international cooperation cyber crime + trainer spam enforcement. More blog posts from Wout de Natris can also be read here.

Related topics: Cyberattack, Cybercrime, Internet Governance, Malware, Policy & Regulation, Security