Analysis In the circular firing squad of WannaCrypt, the world's largest recorded ransomware outbreak, nobody looks good.
Not end-users for clinging to dated and unprotected Windows PCs despite warnings, not the government whose National Health Service saw 61 organisations compromised, and certainly not Microsoft – the actual author of Windows.
Just last night, The Register revealed that even though Microsoft had been griping about NSA exploit stockpiles at the weekend, it had also been sitting on its own stockpile ...of patches: Friday's WinXP fix was built in February.
WannaCrypt infected 230,000 Windows PCs in 150 countries, targeting unpatched Windows 7 and Windows Server 2008 or earlier systems.
Nonetheless, in our own national chapter of this international drama, the NHS and the British government deserve to be shamed. They had been warned time and again. Nobody could say they couldn't have anticipated this.
Among those "earlier systems" hit by the malware's extortionist authors was XP, the desktop operating system released in 2001 that still comprises seven per cent of the market and for which Microsoft stopped writing security updates on April 8, 2014 – except for those paying a premium for extended support packages. The news of the end-of-support was well-flagged and the ramification of not acting was simple and clear: continue running XP and your data and your PCs were at risk from malware written after that date.
The Microsoft support agreement, the extension, and ball-dropping
At the start of 2014, when The Reg investigated the matter, the NHS in England was running around 1.086 million Windows PCs and laptops at trusts, GPs and other health groups in the run-up to Microsoft's planned end of support in March of that year.
The government had agreed a temporary framework support agreement with Microsoft which guaranteed delivery of special security patches for XP, Office 2003 and Exchange 2003 FOR one year, priced at £5.584m. This was paid for by central purchasing agency the Crown Commercial Service.
But seven months into the framework deal, 18 out of 140 trusts had not taken advantage of this centrally negotiated lifeline, even though it didn't even come out of their budgets – it was paid for at Cabinet level – and even though the government made it clear action on the matter of upgrading from Windows XP was imperative.
Strong words, but not only did Whitehall fail to take control of the situation and drive upgrades, it also did not renew its Microsoft agreement.
When the deal ended on April 14, 2015, it was decided CCS would not purchase government-wide support for a second year. Instead, individual government departments and agencies were told they were free to allocate budget and sign their own agreements with Redmond.
The extended support deal of 2014 wasn't unique – Microsoft offered custom support extensions to the private sector, too, but such deals weren't cheap. Priced at $200 a year per PC in the first year, doubling in year two, Microsoft was clear: it was a temporary measure and you had to demonstrate a plan to migrate.
And yet, over two years later, vast tracts of the British state – including the NHS – continued to be exposed to outdated and unpatched systems.
As early as December last year, a Freedom of Information request by Citrix put the count of trusts with some exposure to Windows XP within the UK national health services as high as nine in 10 – with many set to miss the April deadline.
So what are they going to do about it?
Now that a problem has surfaced, and it's major, Whitehall is taking action – of a kind. It's doing what it does best: talking, and it's blaming the victim.
UK Defence Secretary Michael Fallon, speaking on The Andrew Marr Show on BBC One on Sunday, preferred to concentrate on a different set of figures – the number of boxes across the NHS as a whole that were running XP. He claimed on Sunday, echoing the NHS statement of a day before, that "less than five per cent" were running the OS (6 minutes, 38 seconds into this clip – requires presence in the UK and TV licence). He also complained that the government was "spending around £50m on the NHS cyber systems to improve their security, and said the government had "encouraged NHS trusts to reduce their exposure to the weakest system, the Windows XP".
Microsoft has been quick to act, too, issuing emergency fixes for XP and Server 2003, as well as modern builds, within hours. Microsoft is also talking in any apparently successful, judging by headlines, attempt to form the narrative of this event. And well it should, for the NHS and government are merely actors in this tragedy.