Rip and Replace?
Scene from a movie: A hacker sends the UK Government a ransom note to say that he has infected the Police network in the UK, and that he will shut down the network if he is not paid 100 BTC. "How did you do it?", they ask. "Well, you're running Windows XP on your network (ha, ha!), and I just logged into one of the machines, and then just propagated a bit of malware. I can now see all the activities on your network".
You would think that, with GDPR on the horizon, the increasing occurrence of cyber crime, and an increasingly data-driven world, we could point to the Police as having one of the most secure and advanced IT infrastructures, but sadly, at the current time, this seems a long way off. Yesterday the BBC reported that Greater Manchester Police still have over 20% of their PCs running Windows XP (which has not been supported since 2014).
Overall it is disappointing that there has been such an underspending within law enforcement for IT within the UK. This is often due to a lack of real investment in creating an infrastructure which is fit for the 21st Century, and also a resistance to change (and a "rip and replace" approach).
There are many public sector bodies which still use legacy operating systems such as Windows XP, but generally, we need to move into a world where we virtualise things, and run them within Cloud-based infrastructures (not public, but with centralised control of the infrastructure).
Most organisations thus now run virtualised desktops for their staff, where patching and updates can be managed centrally. The infrastructure too can be monitored for intrusions. Along with this, it is easier to segment the network, and apply different levels of security depending on access levels.
A network, too, is only as secure as its weakest element, and having Windows XP connect to a wider network provides a possible route into other systems. The file permissions on systems, and the joining into a domain, are not supported well within Windows XP, thus it could leave the network open to attack from malicious entities (including from insider threats).
There is also another factor that is slowing down IT change in law enforcement, and it relates to procurement and change management processes. In Scotland, there is currently an estimated underspend in the IT change budget within Police Scotland, and some of the money may have to be handed back to the government, as it cannot be spent fast enough.
While Greater Manchester disclosed the details of the machines running Windows XP, many police forces have refused to disclose their details. While London's Metropolitan Police Service did not give details, it is thought that they still have over 10,000 machines running Windows XP.
While disclosing details of the number of machines running Windows XP within law enforcement, the thought that there is even one machine running it in such a security-critical infrastructure is a worry.
The public sector is riddled with IT projects which have failed and also with a resistance to change, and it is time that we perhaps looked to create new infrastructures at scale within public services, and which allowed small companies to innovate. The opportunity that our citizens might interact electronically, in a trusted way, with our police forces or health care still seems a long way off.
One of the reasons given is that there is still operational software on some of the machines, which worries me even more: that we have software which is "stuck" on these old machines. The world has moved on since Windows XP, and we write code with Web services now, and use robust data architectures.
Personally I don't see the advantage of a "rip and replace" (getting rid of a PC with Windows XP and replacing it with Windows 10), and it doesn't really change much. So here is the case for not ripping and replacing:
Chair of the Board of Trustees, Marie Collins Foundation
7 years
This has been an issue in policing for too long, largely because very few senior police officers operating at the executive level have an adequate understanding of ICT and its strategic importance to the business of policing. Things are changing but not fast enough. Sir Tom Winsor, HMIC, has been a consistent voice in the lamentable lack of progress on police ICT, particularly around the effective sharing of information across force boundaries (the digital world doesn't recognise boundaries). Police leadership must develop better ICT skills, just as it has developed other business critical skills like finance and HR. Until this happens progress will remain slow!