While some may believe that the Windows XP issue is finally and truly gone, and that IT shops everywhere have moved on to more modern operating systems, there are still organizations that just will not let XP go. Not only that, they are willing to pay Microsoft millions for continued support that will keep the obsolete OS useful and secure a while longer. One very notable example is the U.S. Internal Revenue Service (IRS).
The IRS met with less friendly treatment when it was put on the hot seat for not completing a conversion from the end-of-life Windows XP machines before the April 8th deadline.
At an April 7th IRS budget hearing before the House Financial Services and General Government subcommittee, the chairman, Rep. Ander Crenshaw (R-Fla.), stated, “Now we find out that you’ve been struggling to come up with $30 million to finish migrating to Windows 7, even though Microsoft announced in 2008 that it would stop supporting Windows XP past 2014. I know you probably wish you’d already done that.”
In response, IRS Commissioner John Koskinen admitted the agency knew about XP’s end of support deadline for years but added that budget constraints caused almost $300 million worth of unfinished IT projects within the agency. “So we are very concerned that if we don’t complete that work, we’re going to have an unstable environment in terms — in terms of security,” he said.
According to the Washington Post, the IRS has stated it has upgraded more than 52,000 of its 110,000 workstations to Windows 7 and is working to complete updates by the end of the year. The actual cost of supporting the outdated Windows XP OS is not yet known, although some reports suggest the IRS Commissioner understated the cost considerably. With almost 58,000 machines remaining to be converted, and even with a significant discount from an estimated Microsoft street price of $200 per machine, the expected cost could be in the millions.
Although Microsoft pulled the plug and XP is no longer supported, the security issues related to an outdated XP OS are not the only security issues the IRS Commissioner was likely referring to in his response to the committee.
A U.S. Government Accountability Office report released this month titled Information Security – IRS Needs to Address Control Weaknesses That Place Financial and Taxpayer Data at Risk (PDF available here) cited other issues where the IRS had not always, “(1) installed appropriate patches on all databases and servers to protect against known vulnerabilities, (2) sufficiently monitored database and mainframe controls, or (3) appropriately restricted access to its mainframe environment.”
The report also noted that the IRS did not follow established change control procedures and allowed individuals to make changes to mainframe data processing before ensuring the changes were authorized. Another issue is that the agency did not set up applications to use strong encryption in order to lower the risk of unauthorized access.
To ensure unsupported Windows XP systems were not going to be a risk, the IRS published a technical memorandum (PDF available here) on April 9th warning internal users that, “The IRS Office of Safeguards requires that all systems that receive, process, store, and/or transmit FTI (Federal Tax Information) must be supported.” The technical assistance memorandum further acknowledged that while the end-of-life Windows XP and Office 2003 would still run, they would not be considered secure and could not store, process or transmit FTI.
Excluding the IRS bureaucrats and politicians, the IRS information technology people who support the IRS systems appear to have much the same budget, project, and procedural problems that many large organizations have, and it will be interesting to see if they are able to meet next year’s deadline for the agency’s proposed conversion of the now unsupported Windows XP OS.
Around the world, other government agencies are also paying Microsoft for extended support of XP, but with less scrutiny.
According to DutchNews.nl, the Dutch government is willing to pay Microsoft millions to cover between 34,000 and 40,000 Dutch national government civil servants until all of their desktop PCs can be switched to a newer version of Windows OS.
In the United Kingdom, a ComputerWeekly.com report states that the public sector's centralized purchasing and commercial department, Crown Commercial Service (CCS), negotiated a one-year deal with Microsoft for 5.5 million GBP (approximately 9.2 million USD), which not only covers Windows XP but also includes Microsoft Office 2003 and Exchange 2003, both of which have also reached end-of-life status.
The UK and Dutch governments made what they considered to be positive moves and the millions they are spending for additional support apparently did not meet with any significant unpleasantness, at least not in the media.