Some government computers still using Windows XP
Nearly 16 years after its initial release and more than two years after Ottawa warned civil servants that it would soon become a security risk, Microsoft Windows XP is still being used in “a small number” of federal government departments.
According to the Treasury Board Secretariat, the devices that remain equipped with the once-ubiquitous computer operating system are all subject to “special operating procedures” that keep them in a kind of technological quarantine until they can be replaced.
It’s unclear precisely how many government-owned Windows XP devices are still humming away as of this week, but the number at the end of March 2015 was 12,356, according to an internal memo dated March 24 and obtained by Global News through an access to information request.
Officials estimated that the Department of National Defence would have 4,921 computers still using XP as of March 31, for instance, and the RCMP was even worse off, with 7,344 of their computers expected to still be using the system by the same date.
The problem with Windows XP is that it was designed and released before Twitter, Facebook, instant messaging, social networking or the “cloud.” Malicious online activity has kept pace with increasing Internet usage since 2001, and in April 2014 Microsoft stopped providing security updates and patches for Windows XP.
The tech giant did, however, sign a one-year, $306,625 contract with the government of Canada to extend its support a bit further. That contract expired at the end of March 2015. Since then, it’s been open season for hackers.
“The effort by Government of Canada departments over the past two years in retiring Windows XP devices has significantly reduced the government’s cyber security risk,” explained Kelly James, a spokesperson for the Treasury Board Secretariat, in an email.
“Where XP devices are still in use under temporary special operating procedures, they are to be isolated and contained within a tightly controlled network environment with no access to (government) networks or the Internet, and they are to be eliminated as quickly as possible.”
Windows XP + Internet + Human = Trouble
Chris Dodunski, chief technology officer at Phirelight Security Solutions in Ottawa, said he isn’t surprised that the government is still using XP – albeit in a limited capacity. Many of the applications supported by the operating system also need to be replaced or upgraded, he noted, and that can be a complex process.
Sheer volume is the other problem. In total, the government of Canada had 200,000 Windows XP devices across 52 departments that had to be retired. It began the process in early 2013.
“Some of the applications that sit on top of (XP) are very vulnerable to exploit,” Dodunski said. “This stuff is older, so it hasn’t been through the security ringer from an architectural perspective.”
Internet Explorer, the older Microsoft Office suite and earlier versions of Adobe software are some examples. Combining those inherent vulnerabilities with an Internet connection and a human being can be a recipe for disaster, Dodunski said, but in removing the Internet connection from the equation, the government will likely succeed in blocking most hacks or other malicious attacks. Once connections to outside networks are severed, the only thing left to worry about would be someone physically accessing a vulnerable XP computer from within a department.
At this point, Dodunski said, the government just needs to keep devices disconnected as it works toward retiring the last of the Windows XP holdouts.
“There really is no benefit (to Windows XP) other than as support for older, out-of-date programs.”
-with files from Amy Minksy
© 2015 Shaw Media