Updated: Microsoft shouldn’t complain about ransomware – it’s been holding the NHS to ransom for years.

Microsoft responded quickly to the WannaCry global cyber attack, releasing a patch for the defunct Windows XP operating system. Since then it has focused its attention on launching scathing attacks against governmental agencies, such as the NSA, who have been “stockpiling” software vulnerabilities for their own purposes.

There is a strong whiff of hypocrisy about this.

Microsoft created the concept of ransomware

Microsoft has been holding the UK government, in particular the NHS, to ransom for some time. The ransom demands began when it announced the end of life of Windows XP in full knowledge that there were huge numbers of users who would be left exposed to security problems without continued patching of the operating system.

Not unlike WannaCry, if XP was on your machine, you would need to pay to sort that problem out – with an expensive upgrade to Windows Vista.

Windows Vista had software compatibility problems that prevented many businesses and organisations from upgrading immediately. It also had significantly higher system requirements, meaning that hardware upgrades may also be required. And, most importantly, like all “even numbered Windows versions” – it was an absolute dog.

It’s no wonder that people chose to stay with Windows XP for as long as they could.

How the UK Government paid Microsoft’s ransom

When the deadline for Windows XP being de-supported loomed, everyone in the tech sphere was talking about it. Decisions that had been “put off” now had to be made and it was time to embark on the job of replacing Windows XP.

Or was it?

Smelling blood in the water like a shark who has just spent a week at a WeightWatchers boot camp, Microsoft offered the UK Government a lifeline – a £5.5 million lifeline.

Yes, for the meagre sum of £5.5 million a year, Microsoft would continue to support Windows XP.

On the date when the deal was struck it was a Hobson’s Choice for the UK Government and the NHS – either stick with Windows XP and pay Microsoft to support it or migrate users to the woeful Windows 8 with its confusing user interface and lack of backwards software compatibility.

Sorry, this all sounds like it’s the government’s fault – why are you holding Microsoft responsible?

I’m not holding Microsoft 100% responsible. Nor, however, are they 100% blameless.

Migrating NHS desktop computers to Linux would have enabled the NHS to move to a secure operating system using some, most, or even all of the hardware it had already invested in. Linux has far lower system requirements and works well on old machines.

Yes, some machines would have had to remain on Windows to run specialist software but machines used for general administration and to access intranet and cloud-based services could have been migrated.

Why didn’t the NHS consider this? The answer is that they did – and Microsoft deployed the full might of its lobbying arm to stop it from happening.

As far back as 2002, Microsoft was a major contributor to a shady group called “Software Choice” that hoped to slow or stop the adoption of Open Source by governments.

Between 2010 and 2014, the UK government and public services spent over £200 million on Microsoft Office licences. In 2012, a leaked Cabinet Office brief documented Microsoft’s efforts to lobby against the Government expressing a preference for software that supported open standards.

In 2015, when the Conservatives announced that the document standard for the civil service would move from Microsoft’s .doc to the open source .odf, it was reported that Microsoft employees were calling MPs and threatening to pull Microsoft research jobs out of their constituencies.

Microsoft hasn’t kept its opposition to Open Source under wraps either. In 2014, a now missing blog post on Technet stated

“We believe very strongly that the current proposal is likely to increase costs, cause dissatisfaction amongst citizens and businesses, add complexity to the process of dealing with government and negatively impact some suppliers to government,

What Microsoft should have done

Microsoft don’t de-support products because they can’t support them anymore. They have proven that by delivering a patch rapidly for WannaCry on Windows XP. The reality is probably that the affected code in Windows XP is either identical, or not that different, to the code in more recent versions of Windows, or that the techniques required to fix it were essentially the same.

Microsoft de-support operating systems so that individuals and businesses will buy the new version of the product, no matter how terrible it might be (I’m looking at you, Vista, and you Windows 8). Microsoft de-support products in search of profit.

Microsoft knows how many XP machines are still operating out there. The operating system “reports in” to Microsoft for updates – updates that they have cut off.

As a technologist, I understand the economics of supporting old (or “legacy”) systems. A time comes when keeping them running is no longer cost effective. But, in this instance, there was clearly a business case for offering support. Governments were paying for it.

Microsoft could have continued to issue security patches until such time as the number of live machines dwindled. Microsoft could have played “white knight” and continued supporting the critical infrastructure services, like the NHS, that were using its software. Microsoft could have stopped this happening.

They just didn’t, because they couldn’t see a way that doing so would help them sell more copies of Windows 10.

WannaCry has played right into Microsoft’s hands – we’re about to pay hand over fist for Windows licenses to secure the system that they left broken in the first place.

Update: According to metadata in the Windows XP patch, Microsoft built this fix in February.

https://www.theregister.co.uk/2017/05/16/microsoft_stockpiling_flaws_too/