Exclusive: A critical crown court IT system and thousands of laptops used by the UK's Ministry of Justice run on Microsoft's obsolete and unsupported Windows XP operating system, The Register can reveal.
As recently as March 2019, the ministry was paying hundreds of thousands of pounds for a VPN to support 2,000 Windows XP laptop users – news that comes as the department admits that a critical court IT system is also running on XP boxen.
Rumours began circulating on Twitter last week after a barrister wondered whether the criminal courts' DARTS audio recording system was running on Windows XP.
Ben Rowe wondered aloud whether something he was told in court about the use of XP, the obsolete Microsoft operating system for which all updates ended years ago, was true.
I was informed today that DARTS, the system which makes and stores recordings of all Crown Court matters runs on Windows XP - the operating system that is no longer supported by Microsoft and is particularly vulnerable to ransomware attacks (e.g. NHS). @CEOofHMCTS, any comment? — Ben Rowe (@benmrowe) March 5, 2020
The Register asked the MoJ whether this rumour, as well as a similar one about the XHIBIT court listings system, was true. We also asked whether the ministry is paying Microsoft for an extended support licence. Such a licence would mean that even though general updates – including critical security patches – for Windows XP ended years ago, the MoJ was still receiving upgrades for the elderly OS.
Yet when looking at public MoJ spending data for the first half of 2019, El Reg was only able to find a £600,000 payment to Vodafone described as "cost of providing secure Virtual Private Network to 2,000 Windows XP laptop users" made in March last year. There were no entries in spreadsheets examined by The Register for payments directly to Microsoft.
A ministry spokesman would only say: "We are in the process of upgrading our courts' computer systems. We have robust security in place as well as a specialist team constantly checking for threats."
He did, however, tell El Reg that while the MoJ wasn't going to discuss specifics, one of the two court systems was running on Windows 10 machines – and the other is said to not be internet-facing. XHIBIT is used to generate public court listings data to show which cases are being heard in crown courts every day.
Apart from the obvious, what does this mean?
Twitter personality CrimBarrister, a practising criminal lawyer, explained for El Reg what a hack against either DARTS or XHIBIT would mean. DARTS was first introduced in the late 2000s to replace human stenographers; the last stenography contract ended in March 2012.
"On a very basic level if DARTS isn't functioning at all – say it's down due to a [denial-of-service] hack – then that court room can't sit unless they brought in a manual stenographer," explained the barrister.
CrimBarrister continued: "If someone hacked into DARTS for content, then potentially evidence or legal argument which was for some reason being given in private could be published when it shouldn't be, or evidence being given in court could be passed to a witness who shouldn't get to know in advance what another witness had said, or to, for example, criminal associates."
Crown courts in particular are full of legal arguments about whether evidence gathered by police should be revealed to juries. A criminal wanting to disrupt an ongoing trial could access DARTS and publish a recording about a piece of evidence which was ruled out by the judge. If the jury heard that argument, the entire trial would have to be abandoned.
The barrister concluded: "Like many of the issues facing the crown courts these days, it seems the technical security and integrity of important systems like the recording of trial evidence as it is being given is being left wide open to hacking and interference simply due to a lack of funds to make simple updates to the system."
Jonathan Black, a past president of the London Criminal Court Solicitors' Association, told The Register: "It is bizarre that the MoJ and HMCTS have at best taken their eye off this ball," adding: "Too often we receive communications from the CPS asking us to delete information containing personal information that were served unintentionally, yet vulnerable individuals unknowingly have their sensitive details available online."
Last year The Register revealed that a core plank of the MoJ's Common Platform Programme, intended to introduce sweeping new IT-based reforms to the courts, had been shelved. Before that the National Audit Office had given the MoJ a thorough dressing-down for its plans, which were based in part on making thousands of redundancies to save money. ®