3/24/2014
10:08 AM

Windows XP: Feds Brace For End Of Support

Roughly one in ten US government PCs still use Windows XP. They will be more vulnerable to attacks when XP support ends on April 8.


As Microsoft's April 8 deadline approaches for ending support of its Windows XP operating system, one of its largest groups of users, the federal government, appears behind schedule in making the transition to new operating systems, leaving an estimated 10% of federal desktop computers more vulnerable to attacks. After that date, government computers using the operating system will continue to function, but they will become "five times more vulnerable to security risks and viruses," even if anti-virus software is in place, Microsoft said on its website.

Since 2007, when Microsoft announced its intentions to stop supporting XP, the company has worked with the federal government to check its progress, eventually on a monthly basis, and identify issues that may cause a delay in deployments of newer operating systems. Most agencies have moved from XP to the latest versions of Windows, and more than 90% of them are expected to have made the transition by April, Susie Adams, chief technology officer for Microsoft Federal, said in an email to InformationWeek.

That's better than the market at large: As of last month, more than 29% of the desktop market, or roughly half a billion active users worldwide, still use XP, according to Web-tracking firm Net Applications.


"We see significant momentum in agencies moving to Windows 7 and Windows 8.1 across the federal government," said Adams. "The same holds true for agencies moving to a cloud-based productivity suite with Office 365. The vast majority of cabinet-level agencies are moving or have moved to Office 365 in whole or in part." It's less clear how many agencies are replacing desktops with tablets that use Android or Apple's iOS operating systems.

The remaining 10% still relying on Windows XP, in part to sustain various legacy applications, will no longer get security updates or technical support for the outdated operating system. Even the National Institute of Standards and Technology, which published the "Guide to Securing Microsoft Windows XP Systems for IT Professionals" for federal agencies, issued its last update in October 2008.

Graphic from NIST Draft 'Guide to Securing Microsoft Windows XP Systems for IT Professionals.'
(Image: via Flickr)

Those agencies that haven't made the switch will be susceptible to attacks by hackers looking for new flaws in the unpatched machines. These include thousands of computers on classified military and diplomatic networks that hold sensitive information, according to the Washington Post.

Organizations that will experience problems once Microsoft stops releasing patches for Windows XP fall into two categories. There are those with computers that are part of larger systems, performing specialized tasks with certain control components on Windows XP. Owners of those systems won't be able to upgrade, although this situation for the most part won't apply to government agencies, Dave Frymier, chief information security officer at Unisys, said in an interview.

Federal agencies fall into the second category: organizations with numerous Windows XP workstations that haven't been upgraded for budgetary reasons, and continue to run XP because newer operating systems won't work on the antiquated hardware they have.

"We've talked to organizations that have thousands of these workstations, and the magnitude of this problem is large," said Frymier. "The longer a Windows XP machine sits there unpatched, the more vulnerable it will become to zero-day attacks that exploit an unknown vulnerability. It's been speculated that there are thousands of zero-day attacks against Windows XP."

There is also the issue of long-term support. Eventually, new hardware and software will stop working on the old operating system. As manufacturers switch to newer versions of Windows, many devices such as cameras and printers won't be compatible with Windows XP, according to Microsoft.

If CIOs cannot afford to pay for a refresh, the best alternative is segregating the XP systems into their own environment, Frymier said. They will have to replicate parts of their infrastructure, such as domain controllers, printers, and DNS servers -- a process that varies in difficulty. One way to compartmentalize an XP environment is by using network technologies like firewalls, switches, and routers.
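
One way to check that a segregated XP environment really is self-contained is sketched below. This is an added example, not code from the article, Unisys, or Microsoft. It flags any traffic that crosses the enclave boundary and lists the services the enclave still borrows from the main network. The subnet, addresses, ports, and flow records are constructed assumptions.

```python
import ipaddress

# Assumed addressing (not from the article): the XP enclave and its
# replicated infrastructure all live in one dedicated subnet.
XP_ENCLAVE = ipaddress.ip_network("10.50.0.0/24")

# Constructed sample flow records: (source, destination, dest port).
SAMPLE_FLOWS = [
    ("10.50.0.21", "10.50.0.5", 53),     # XP host -> enclave DNS replica
    ("10.50.0.21", "10.50.0.6", 389),    # XP host -> enclave domain controller
    ("10.50.0.22", "10.50.0.7", 9100),   # XP host -> enclave printer
    ("10.50.0.22", "10.10.1.5", 53),     # XP host -> production DNS (leak)
    ("10.10.3.40", "10.50.0.21", 445),   # production host -> XP host (leak)
    ("10.10.3.40", "10.10.1.5", 53),     # unrelated production traffic
]


def in_enclave(addr):
    """True if the address belongs to the segregated XP subnet."""
    return ipaddress.ip_address(addr) in XP_ENCLAVE


def boundary_violations(flows):
    """Return flows where exactly one endpoint is inside the XP enclave."""
    violations = []
    for src, dst, port in flows:
        src_in, dst_in = in_enclave(src), in_enclave(dst)
        if src_in != dst_in:
            direction = "outbound" if src_in else "inbound"
            violations.append((direction, src, dst, port))
    return violations


def missing_replicas(flows):
    """Group outbound leaks by destination port: each entry is a service
    the enclave still depends on outside its own boundary."""
    needed = {}
    for direction, _src, dst, port in boundary_violations(flows):
        if direction == "outbound":
            needed.setdefault(port, set()).add(dst)
    return needed


if __name__ == "__main__":
    for violation in boundary_violations(SAMPLE_FLOWS):
        print("boundary crossing:", violation)
    print("services to replicate:", missing_replicas(SAMPLE_FLOWS))
```
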

The other alternative is isolating applications so that only authorized users can see and access the data in these applications. Unisys offers a software-based product called Stealth Solution Suite, which allows multiple user groups to share the same IT infrastructure in a secure way. Unisys launched a mobile version of the product in October.

Frymier said organizations should take Microsoft's warnings to upgrade to newer operating systems seriously. He said, "I think the Windows XP event could possibly be what Y2K wasn't."


Elena Malykhina began her career at The Wall Street Journal, and her writing has appeared in various news media outlets, including Scientific American, Newsday, and the Associated Press. For several years, she was the online editor at Brandweek and later Adweek, where she ...

Comments
WKash,
User Rank: Author
4/2/2014 | 5:21:01 PM
XP behind the scenes
I was reminded by a CISO today that XP is still widely used in networks that, for instance, are simply used to manage surveillance camera systems, and that don't go through the same refreshes that desktops go through.
Indian-Art,
User Rank: Apprentice
3/26/2014 | 10:07:09 AM
Good Options Exist

There is a very good chance Linux OS will run well with older hardware with lower specs.

Switch to the free, safe, secure & awesome OS: www.ubuntu.com/download

It's the world's most popular free OS. It has free upgrades & security updates.

For those who like the Windows look, I would recommend: www.kubuntu.com & for older computers with lower specs www.xubuntu.com or http://lubuntu.net

Or try Linux Mint: http://linuxmint.com

Because the Linux option is free & now so easy (user friendly) one must give it a try. You have so much to gain.

One can even dual boot Linux with Windows.

WKash,
User Rank: Author
3/25/2014 | 6:22:19 PM
What next
Michael Endler has a helpful guide on what to do next:  Windows XP Game Over: 9 Upgrade Options

 

WKash,
User Rank: Author
3/25/2014 | 6:19:28 PM
Re: The price of procrastination
Whoopty, I think there is more reason to fear than you suggest, especially those in offices. If the Target data breach teaches us anything, it's that the defenses of enterprises handling millions of valuable records are only as good as their weakest links. While a worker can say, "Hey, it's the company's/agency's machine," the fact remains, those machines still using XP will now become an open invitation to hackers. I'm willing to bet the damage and/or cost of mitigation that will arise from hackers exploiting XP machines will exceed what it would have cost to upgrade to Windows 7.
Whoopty,
User Rank: Ninja
3/25/2014 | 10:59:11 AM
Re: The price of procrastination
I think the days of the general public being "scared" of computers and what they can do died after the Y2K non-event. While they should still be wary, I think you're unlikely to find any real fear surrounding the XP switchoff, because those that use it privately can upgrade without too much difficulty - for the most part - and those in offices, well it's not their machine is it?
WKash,
User Rank: Author
3/25/2014 | 9:32:43 AM
Re: The price of procrastination
Given the shift to more risk-based security practices, one would think that the XP problem would have gotten the kind of attention Y2K generated, and agencies would have found the money. But unfortunately, internal politics surrounding key agency programs, and their funding, often wins out over the legitimate cries from the IT department.

 
Palaidnis,
User Rank: Apprentice
3/25/2014 | 1:53:35 AM
Re: The price of procrastination
Procrastination, or the effect of budget cuts? XP is HOW old? Do you think IT specialists in civil service haven't been begging for money for upgrades for years? As long as no one wants to pay taxes, or fund the government, of course it will not perform to expectations. Chalk it up to the "deferred maintenance" aka "I left my check book in my car, I'll be back in a few minutes" policies demanded by certain crowds.

 
WKash,
User Rank: Author
3/24/2014 | 10:47:59 PM
The price of procrastination
It seems illogical that agencies would take the risks of not switching off XP.  But when managers are being told there's no money for equipment/software upgrades, all IT can do is say I told you so when the hackers get through.
Gary_EL,
User Rank: Ninja
3/24/2014 | 11:18:29 AM
Predator's Ball
It's going to be like a wolf pack descending on a herd of sheep. I still can't believe the nonchalant attitude that people who should know better are displaying about this whole issue.