WASHINGTON — The deadline for installing secure operating systems on federal government computers will pass next month with the job incomplete, leaving hundreds of thousands of machines running outdated software and unusually vulnerable to hackers.
Federal officials have known for more than six years that Microsoft will withdraw its free support for Windows XP on April 8. Despite a recent rush to complete upgrades, an estimated 10 percent of government computers — out of several million — will still be running the operating system on that date, company officials said.
That includes thousands of computers on classified military and diplomatic networks, U.S. officials said. Such networks have stronger defenses generally but hold more sensitive material, raising the stakes for breaches if they occur.
Security experts warn that hackers have been preparing for what Microsoft calls the “end-of-life” for Windows XP by stockpiling “vulnerabilities” that amount to skeleton keys that can give intruders remote access.
Hackers who break into a single computer on a network can use the passwords they steal to work their way into other machines, even ones that have updated operating systems and other protections, experts say. Intrusions often are limited to espionage but can be the first step toward cyberattacks capable of disabling critical systems.
“Once XP goes out of support and is no longer patched, you’ve just raised the vulnerability significantly on the whole Windows platform in your organization if you haven’t moved off XP,” said Richard Spires, a former Department of Homeland Security chief information officer. He called the problem “urgent.”
Microsoft won’t extend deadline
Some federal officials said that they asked Microsoft to extend its deadline for ending support for Windows XP. The company declined and instead offered — for new fees — “custom support agreements” that give protection that probably will fall short of what the company long has provided to most XP users for free, experts say.
That included routine security patches whenever a cyberattack, virus or other intrusion revealed an exploitable weakness in the operating system anywhere in the world. That comprehensive protection, amounting to a global early-warning system based on data from hundreds of millions of computers, is slated to disappear after the April deadline. Some agencies have declined to contract for custom support agreements because they deemed them an unnecessary expense.
“For all the money we collectively give Microsoft, they were not too receptive to extending the deadline,” said a senior State Department official, speaking on the condition of anonymity to be candid about relations with a major vendor. “There was some grumbling that they were not willing to extend.”
Microsoft said that, based on its surveys with federal agencies, it expects the transition to continue during the next several months and be virtually complete by year’s end, although there are likely to be a small number of Windows XP machines operating into 2015.
“Because we are tightly working with our customers, and because of the types of systems that have yet to make the move off XP, we do not feel there is a substantially greater risk for the federal government on April 9 than there is on April 7,” Mark Williams, Microsoft’s chief security officer for federal systems, said in an email. “That being said, at the end of the day, it’s important to remember that the most safe system is a modern one.”
Windows XP, released in 2001, is the last operating system that Microsoft built before the company made significant security improvements, including systems that limit the ability of hackers who break into one program to move into others and gain control of the computer’s most basic functions.
Private sector further behind
Federal officials have been working on the transition — which involves buying hundreds of thousands of new computers, updating operating systems on older machines and revamping custom software designed to run on Windows XP — for more than two years and express optimism that the bulk of the work will be completed in time.
They note that private companies and individual users are lagging even further behind, with analysts reporting that nearly 20 percent of computers worldwide are still running the outdated operating system.
The government’s move away from Windows XP has been hobbled by budget crises and a shortage of top-level coordination despite regular warnings from top U.S. officials that the threat of cyberattack is one of the leading national security concerns facing the nation, current and former federal officials said.
“There is something broken in the process if they are letting this many machines be un-updated at this point,” said Steve Bellovin, former chief technologist for the Federal Trade Commission, now a computer science professor at Columbia University. “Some of it is budget cuts. Some of it is not very good management, I suspect.”
Homeland Security warned in 2012
Responsibility for overseeing cybersecurity policy at federal agencies is shared — somewhat uneasily — by the Department of Homeland Security and the White House’s Office of Management and Budget. In April 2012, DHS sent OMB a draft plan for warning federal agencies that they needed to prioritize moving their computers off of Windows XP before Microsoft ended support, but OMB officials never acted on the plan, several current and former government cybersecurity officials said.
DHS officials said that they collect data on federal computers running Windows XP but declined to reveal it because, they said, doing so would compromise security by helping hackers target their attacks. Officials also declined to reveal the number of federal government computers overall, but several experts put the number at more than 4 million.
Several individual agencies, when queried by The Washington Post, shared estimates for how many of their computers would be updated by the deadline. DHS said that all of its systems would be off Windows XP by April 8.
Defense and State said that nearly all of their unclassified machines would be, even as some on classified networks lagged behind. The Justice Department said its goal was to have more than 75 percent of its nearly 230,000 computers upgraded, leaving tens of thousands running XP. The Department of Veterans Affairs will still have about 2 percent of its computers, up to 6,000 units, on the outdated operating system by the deadline.
Managing the costly, logistically intense transition away from Windows XP has fallen to the chief information officers of the government’s Cabinet-level departments, independent agencies and, in some cases, the bureaus within departments.
The Commerce Department, for example, said that “a majority” of its bureaus had moved off of Windows XP but that, overall, officials didn’t know how many of the department’s 85,000 machines were using the outdated operating system because updating is left to bureau-level officials.
“As a matter of law and policy, all agencies are responsible for the security of their networks and systems, and that includes addressing these known software vulnerabilities through ongoing patching,” DHS spokesman S.Y. Lee said in an emailed statement.
Critics blast policy
The inability to complete the transition from Windows XP on time has drawn fire from critics who say it highlights broader flaws in how the federal government deploys information technology and manages critical assets at a time of rising cybersecurity threats.
“It is troubling that a list of current [computer systems] isn’t more readily available,” said a congressional aide familiar with cybersecurity policy, who spoke on the condition of anonymity because he wasn’t authorized to comment publicly.
The federal government for years has been a regular target of hackers — mainly foreign intelligence services — with significant breaches at many agencies. The Navy recently battled an intrusion in which Iranian cyberspies spent several months moving within the service’s unclassified system before being detected and expelled.
The risks of running Windows XP were highlighted in 2009 when Chinese hackers managed to exploit a vulnerability in the browser on XP computers at Google, enabling the theft of valuable source code. Operation Aurora, as it was dubbed by security researchers, targeted more than 30 other U.S. companies.
The need to update computer operating systems has come at a time of major new investment in cybersecurity, including the creation of the new military U.S. Cyber Command, based at Fort Meade, Md. But the unglamorous work of updating operating systems was a lower priority than buying expensive, high-tech systems to monitor and rebuff cyberattacks, critics said.
“Nobody is going to be promoted on the back of moving from XP to Windows 7,” said Christopher Soghoian, a computer security expert and principal technologist for the American Civil Liberties Union. “It’s so mundane but so important.”
A computer’s operating system is only one factor in how secure a system is. Monitoring systems, anti-virus software and strict rules about access also contribute to better security.
“Running Windows XP is like living in a bad neighborhood. There are other things you can do to protect yourself. I can get locks for my house and reduce my likelihood of getting robbed. I can go out only in the daytime,” said Michael Silver, an analyst at Gartner Research, a consulting firm. “Hopefully the government has done something to try to make these machines less vulnerable.”
DHS is moving to deploy a government-wide program that will let agencies automatically detect which hardware and software runs on their networks, as well as whether they are configured correctly and if programs need patching.
Although the Defense and State departments together will have thousands of computers linked to classified networks running Windows XP, officials say, such networks are less vulnerable because they are not connected to the Internet, which is the source of most hacker intrusions, and do not allow the use of flash drives, another major source of infections.
The transition away from Windows XP has been slowed by the large amount of custom government software built to run on the operating system. Just a year ago, a senior State Department official said, nearly all of its 85,000 computers on unclassified systems ran on XP, even though three generations of newer, safer Windows operating systems were available from Microsoft.
Richard Hale, the Pentagon’s deputy chief information officer, said that the few Defense Department computers that will still be running Windows XP next month rely on software built for the operating system and are hard to replace amid heavy use, for example, on Navy ships. Their systems cannot be taken down without affecting operational effectiveness, he said. “So the migration requires re-engineering the entire platform,” he said.