Microsoft, upgrades, and the relentless march into the cloud
Once, before Microsoft's fascination with cloud, when Windows was one of Microsoft's biggest multibillion-dollar business drivers, Microsoft's policy was very clear and very consistent: a treadmill of new versions of Windows every two to three years, with a trailing support window as things moved forward.
It was a forced upgrade march, pushing users on to ever-newer versions of Windows to drive Microsoft's continued growth.
No upgrade? Stand still long enough and you'll lose not just new feature updates but also security updates - as happened with XP three years ago. Support became one of Microsoft's two choke points for driving Windows upgrades. The other choke point was the browser: Microsoft would limit the versions of Windows that a new Internet Explorer could run on.
XP was the bump in the road of this march. Thanks to the Windows Vista omnishambles, XP was put on extended life support to cater for the fact it was still not just being used but sold. Released in 2001, XP was still running on just under one third of all PCs by January 2014.
And yet Microsoft's patience had run out and it marked April 8 2014 as the date when it would stop writing security updates for the desktop operating system. It was all stick and no carrot: move to Windows 8 - or, at least, Windows 7, or drop out of the pack and risk getting picked off.
Dedicating engineers to fix old software takes resources away from Microsoft's preferred focus – building new software and services.
Little wonder, then, that Microsoft is now quick to point the finger, with legal chief Brad Smith talking about collective responsibility for cybersecurity and WannaCrypt, while carefully not reserving a portion for Microsoft.
Smith's blog is a stereotypical exercise in corporate disaster triage: emphasise how responsibly you acted – but not too strongly, talk of collective failings and lessons learned, and issue a call to action to avoid a repeat of this disaster.
So, Smith humbly reminds us that – on 14 March – Microsoft released a fix for WannaCrypt, noting, correctly of course, "There is no way for customers to protect themselves against threats unless they update their systems."
He blames governments for hoarding vulnerabilities - holes in its code found by outsiders - and weaponising them. He even supplies a handy metaphor about a Tomahawk missile falling into the wrong hands for the non-tech press to grasp.
Then there's the call to action, a repeat of an earlier request for a "Digital Geneva Convention" with governments reporting vulnerabilities to vendors.
"We need collective action to apply the lessons from last week's cyber attack. And we need it now," Smith tweeted.
The devil is in Smith's wording, however, and so is Microsoft's culpability.
Back to that 14 March update.
"While this protected newer Windows systems and computers that had enabled Windows Update to apply this latest update, many computers remained unpatched globally. As a result, hospitals, businesses, governments, and computers at homes were affected," Smith wrote.
Smith didn't name names, but he didn't need to: his euphemism of "many computers", juxtaposed with "newer Windows systems", mostly referred to one thing: XP machines that Microsoft abandoned three years ago and that those running them either couldn't or wouldn't upgrade.
If anything good comes from WannaCrypt, it'll be the final death of XP.
Desktop migrations have long been a corporate snooze for managers, an exercise that adds nothing to the bottom line, while the buy costs a truckload in time and money. That's why we're in this mess.
Incidents like WannaCrypt, however, grab the attention of those in charge of change and produce a response. Having been burned by experience, and with managers shamed and now kicking down to IT types, expect a spasm of upgrades.
What we likely won't see is a change in policy from Microsoft. ®