Why Microsoft's Windows game plan makes us WannaCry

Oh, 'collective responsibility' – that old chestnut

Analysis In the circular firing squad of WannaCrypt, the world's largest recorded ransomware outbreak, nobody looks good.

Not end-users for clinging to dated and unprotected Windows PCs despite warnings, not the government whose National Health Service saw 61 organisations compromised, and certainly not Microsoft – the actual author of Windows.

Just last night, The Register revealed that even though Microsoft had been griping about NSA exploit stockpiles at the weekend, it had also been sitting on its own stockpile ...of patches: Friday's WinXP fix was built in February.

WannaCrypt infected 230,000 Windows PCs in 150 countries, targeting unpatched Windows 7 and Windows Server 2008 or earlier systems.

Nonetheless, in our own national chapter of this international drama, the NHS and the British government deserve to be shamed. They had been warned time and again. Nobody could say they couldn't have anticipated this.

Among those "earlier systems" hit by the malware's extortionist authors was XP, the desktop operating system released in 2001 that still comprises seven per cent of the market and for which Microsoft stopped writing security updates on April 8, 2014 – except for those paying a premium for extended support packages. The news of the end-of-support was well-flagged and the ramification of not acting was simple and clear: continue running XP and your data and your PCs were at risk from malware written after that date.

The Microsoft support agreement, the extension, and ball-dropping

At the start of 2014, when The Reg investigated the matter, the NHS in England was running around 1.086 million Windows PCs and laptops at trusts, GPs and other health groups in the run-up to Microsoft's planned end of support in March of that year.

The government had agreed a temporary framework support agreement with Microsoft which guaranteed delivery of special security patches for XP, Office 2003 and Exchange 2003 FOR one year, priced at £5.584m. This was paid for by central purchasing agency the Crown Commercial Service.

But seven months into the framework deal, 18 out of 140 trusts had not taken advantage of this centrally negotiated lifeline, even though it didn't even come out of their budgets – it was paid for at Cabinet level – and even though the government made it clear action on the matter of upgrading from Windows XP was imperative.

Strong words, but not only did Whitehall fail to take control of the situation and drive upgrades, it also did not renew its Microsoft agreement.

When the deal ended on April 14, 2015, it was decided CCS would not purchase government-wide support for a second year. Instead, individual government departments and agencies were told they were free to allocate budget and sign their own agreements with Redmond.

The extended support deal of 2014 wasn't unique – Microsoft offered custom support extensions to the private sector, too, but such deals weren't cheap. Priced at $200 a year per PC in the first year, doubling in year two, Microsoft was clear: it was a temporary measure and you had to demonstrate a plan to migrate.

And yet, over two years later, vast tracts of the British state – including the NHS – continued to be exposed to outdated and unpatched systems.

As early as December last year, a Freedom of Information request by Citrix put the count of trusts with some exposure to Windows XP within the UK national health services as high as nine in 10 – with many set to miss the April deadline.

So what are they going to do about it?

Now that a problem has surfaced, and it's major, Whitehall is taking action – of a kind. It's doing what it does best: talking, and it's blaming the victim.

UK Defence Secretary Michael Fallon, speaking on The Andrew Marr Show on BBC One on Sunday, preferred to concentrate on a different set of figures – the number of boxes across the NHS as a whole that were running XP. He claimed on Sunday, echoing the NHS statement of a day before, that "less than five per cent" were running the OS (6 minutes, 38 seconds into this clip – requires presence in the UK and TV licence). He also complained that the government was "spending around £50m on the NHS cyber systems to improve their security, and said the government had "encouraged NHS trusts to reduce their exposure to the weakest system, the Windows XP".

Microsoft has been quick to act, too, issuing emergency fixes for XP and Server 2003, as well as modern builds, within hours. Microsoft is also talking in any apparently successful, judging by headlines, attempt to form the narrative of this event. And well it should, for the NHS and government are merely actors in this tragedy.

Other stories you might like

  • Twitter founder Dorsey beats hasty retweet from the board
    As shareholders sue the social network amid Elon Musk's takeover attempt

    Twitter has officially entered the post-Dorsey age: its founder and two-time CEO's board term expired Wednesday, marking the first time the social media company hasn't had him around in some capacity.

    Jack Dorsey announced his resignation as Twitter chief exec in November 2021, and passed the baton to Parag Agrawal while remaining on the board. Now that board term has ended, and Dorsey has stepped down as expected. Agrawal has taken Dorsey's board seat; Salesforce co-CEO Bret Taylor has assumed the role of Twitter's board chair. 

    In his resignation announcement, Dorsey – who co-founded and is CEO of Block (formerly Square) – said having founders leading the companies they created can be severely limiting for an organization and can serve as a single point of failure. "I believe it's critical a company can stand on its own, free of its founder's influence or direction," Dorsey said. He didn't respond to a request for further comment today. 

    Continue reading
  • Snowflake stock drops as some top customers cut usage
    You might say its valuation is melting away

    IPO darling Snowflake's share price took a beating in an already bearish market for tech stocks after filing weaker than expected financial guidance amid a slowdown in orders from some of its largest customers.

    For its first quarter of fiscal 2023, ended April 30, Snowflake's revenue grew 85 percent year-on-year to $422.4 million. The company made an operating loss of $188.8 million, albeit down from $205.6 million a year ago.

    Although surpassing revenue expectations, the cloud-based data warehousing business saw its valuation tumble 16 percent in extended trading on Wednesday. Its stock price dived from $133 apiece to $117 in after-hours trading, and today is cruising back at $127. That stumble arrived amid a general tech stock sell-off some observers said was overdue.

    Continue reading
  • Amazon investors nuke proposed ethics overhaul and say yes to $212m CEO pay
    Workplace safety, labor organizing, sustainability and, um, wage 'fairness' all struck down in vote

    Amazon CEO Andy Jassy's first shareholder meeting was a rousing success for Amazon leadership and Jassy's bank account. But for activist investors intent on making Amazon more open and transparent, it was nothing short of a disaster.

    While actual voting results haven't been released yet, Amazon general counsel David Zapolsky told Reuters that stock owners voted down fifteen shareholder resolutions addressing topics including workplace safety, labor organizing, sustainability, and pay fairness. Amazon's board recommended voting no on all of the proposals.

    Jassy and the board scored additional victories in the form of shareholder approval for board appointments, executive compensation and a 20-for-1 stock split. Jassy's executive compensation package, which is tied to Amazon stock price and mostly delivered as stock awards over a multi-year period, was $212 million in 2021. 

    Continue reading

Biting the hand that feeds IT © 1998–2022