When is it too obsolete?

A Telegraph report tells of a major UK hospital falling victim to a ransomware attack.

A source at the trust told Health Service Journal that the attack had affected thousands of files on the trust’s Windows XP operating system, and the trust’s file sharing system between departments has been turned off while an investigation takes place.

Of course, what stands out there is the mention of Windows XP: this operating system was declared obsolete nearly three years ago – though some customers have been able to purchase extended support from Microsoft.  Was the hospital one of them?  Let’s assume not, for a moment – after all, the fee for that support is unlikely to be small.

On one level, that sounds like a classic case of cutting corners and reaping a bad outcome as a result: the longer software has been in circulation, the more likely it is to fall victim to someone probing it for vulnerabilities.  Software that’s no longer maintained will not be patched when such vulnerabilities are found, and as a result, anyone running it is easy prey.  Without a good backup strategy, ransomware can prove very expensive – and, at that, you need a backup strategy which takes account of the behaviour of ransomware, lest you find that the backup itself is as useless as the main data.

I don’t know the cost of extended support from Microsoft, but I’d be surprised if it was cheaper than the cost of licences for an up-to-date copy of the operating system: the reason for not upgrading is usually tied up in all the dependencies.  Old software needs old operating systems in order to run reliably. If your system isn’t broken, it’s easier to leave everything exactly as it was.  The world is full of old software.  It doesn’t naturally wear out, and so it may continue to be used indefinitely.  Until, that is, someone forcibly breaks it from outside.  Then you’ve suddenly got a big problem: you may pay the ransom, and get your data back.  But how long before you fall victim to another attack, because you’ve still got an obsolete system?

It’s easy to criticise people and organisations who fall victim to attacks on their out-of-date software: keeping everything updated is, you may say, part of the cost of doing business today.  But that’s easy to say, and less easy to do.  In the management of most other parts of the estate, you can do updates and maintenance at times to suit you and your cash-flow.  In the case of software maintenance, that decision may be taken out of your hands.  You might be forced into buying lots of new software – and then, suddenly, other software, and maybe even bespoke systems, as well as lots of new hardware, with costs suddenly spiralling out of control.

This problem is almost as old as the personal computer (if not older), but recent events make it much worse. First, the scale and impact of cyber attacks is raising the stakes quite alarmingly.  But meanwhile, computer technology has rather stabilised: a desktop PC doesn’t need to do anything markedly different now than it did ten years ago.  So whereas PCs used to get replaced every three years (with hard-up organisations stretching that to five, say), now there’s really no need to buy a new machine until five or six years have elapsed.  If you stretch that a bit, you will easily run past the end of the device’s support lifetime.  And then, you potentially reach a point of great instability.

And – above all – the real problem is that this is getting worse by the day.  Not only are PCs living longer, but we are adding random poorly-supported devices to the internet daily, in the name of tablets, e-readers, TVs, internet-of-things, and a dozen other causes.  Few of those are anywhere near as well-supported as Windows, and many will be expected to operate for a decade or more. It’s not going to be pretty.