Saturday, June 27, 2015

Fixing the Pentagon’s Windows XP Problem by Brendan McGarry


Defense Secretary Ashton Carter just announced plans for the Defense Department to collaborate with NATO allies to better protect critical infrastructure in cyberspace.
You’d be forgiven if you missed it. The big news out of his press conference on Tuesday in Estonia was how the Pentagon will ship a brigade’s worth of Abrams tanks, Bradley fighting vehicles and Paladin howitzers, among other equipment, to Eastern Europe in response to Russia’s recent military activity in the region.
But Carter also mentioned the rising threats in cyberspace.
“We must also prepare NATO and our allies for cyber challenges, particularly from Russia,” he said. “That’s why today, I visited NATO’s Cooperative Cyber Defense Center of Excellence, and I’m pleased to announce a new American initiative to bolster the center’s role in leading our partners towards improved cyber defense.”
It sounds like a worthy effort. After all, the Pentagon plans to work with NATO to develop cyber defense strategies, critical infrastructure protection plans and cyber defense posture assessments (whatever those are).
Even so, it’s also important to remember that for all the lofty emphasis the Defense Department is placing these days on various cybersecurity initiatives, it still faces the very practical problem of relying on aging software.
Case in point: The Navy recently signed a potentially $31 million contract with Microsoft Corp. so it can keep using the Windows XP operating system. Yes, that Windows XP — the one that shipped on your desktop PC more than a decade ago.
Here’s the top of the contract announcement:
Microsoft Corp., Redmond, Washington, is being awarded a $9,149,000 firm-fixed-price modification to a previously awarded contract (N00039-14-C-0101) for Microsoft Premier Support services and Microsoft Custom Support services for Windows XP, Office 2003, Exchange 2003 and Server 2003. Microsoft Premier Support services and Microsoft Custom Support services are required to provide critical software hotfixes to sustain deployed capabilities.
Windows XP came out in 2001 and has since been succeeded by Windows Vista, Windows 7 and Windows 8. Microsoft last year stopped providing free support and security updates to the software. Hence, the reason for the company’s contract with the Navy: The service still has some 100,000 workstations that run the aging operating system.
As Steven Davis, a spokesman for the Space and Naval Warfare Systems Command in San Diego, told Martyn Williams of the IDG News Service:
“The Navy relies on a number of legacy applications and programs that are reliant on legacy Windows products. Until those applications and programs are modernized or phased out, this continuity of services is required to maintain operational effectiveness.”
The article also references a Navy report that states the Microsoft applications affect key command and control systems on ships and land-based legacy systems, including those tied to the Pentagon’s non-classified and classified networks — the so-called Nonsecure Internet Protocol Router Network, or NIPRNet, and the Secure Internet Protocol Router Network, or SIPRNet:
“Without this continued support, vulnerabilities to these systems will be discovered, with no patches to protect the systems. The resulting deterioration will make the U.S. Navy more susceptible to intrusion … and could lead to loss of data integrity, network performance and the inability to meet mission readiness of critical networks.”
While unglamorous, the work of updating operating systems to better defend networks against hackers, foreign or domestic, should probably take higher priority than launching new centers of excellence or other nice-sounding cyber units.
