It is, of course, appropriate to condemn those who have written the virus that has deliberately crippled the NHS and put lives at risk and I do so, unreservedly.
That said I think it wholly appropriate to ask three further questions. The first is why the NHS was at risk because so many of its units were running machines using Windows XP that has not been supported by Microsoft for years?
Second, it is fair to ask why Microsoft can leave the world at risk by not supporting its software?
Third, it's appropriate to ask what economic system can result in such a combination of circumstances arising?
The first question is easy to answer: it is a policy of deliberate austerity that has left the NHS denuded of sufficient funding to ensure that people are safe that has resulted in this situation arising. The blame can wholly appropriately be laid at the door of the last two governments. If appropriate funding for the NHS had been made available, and it had not been forced to operate at and beyond financial limits, this attack need not have had the impact it has.
Second, Microsoft deliberately left the world at risk in pursuit of relentless profit. Windows XP was a strong and stable operating system that was more than adequate for the vast majority of the world's business (and NHS) needs. It was only deliberate technical and commercial obsolescence that left it unsupported when many users had no reason at all to update because it very successfully let them achieve all they wanted of IT. This vulnerability to attack was, then, deliberately made possible by a company refusing to support a product simply to extract revenues from those who had no need to pay it.
Third, then, this situation arises because we live in a political economy that grants corporations that are effective monopolies (as Microsoft and other such companies clearly are) the right to hold us to ransom by refusing to support perfectly usable products that we have purchased, which refusal does in turn leave us vulnerable to quite literal attack, which has a wholly foreseeable consequence. The cost is very obviously to us all. The benefit is equally obviously to a very few.
And let me be clear, this is not about profit maximisation. That can, even by its firmest enthusiasts, only be justified when competitive environments prevail. That is not true in the market for IT operating systems. So this, then, is rent extraction and not profit maximisation. This is what the goal of modern multinational corporations is. Innovation is limited, and designed only to render obsolete systems that can be discarded when still useful to force customers to unnecessarily spend, in the process limiting choice, stifling real opportunity and ultimately imposing untold externalities on society at large.
Is this the direction in which we wish the world to continue to progress? I personally don't think so. Regulation to control this abuse seems as essential as measures to prevent hacking.
In the meantime it seems we can't run the NHS on Windows XP. Those who have made it do so must be held to account for that.
But we should also ask why we can't do so. And that puts Microsoft firmly in the firing line.
After the criminals who, predictably, hacked it, of course.
Also, you might like to consider the money that has been wasted on IT systems for the NHS: 11+ billions? This money, the management time and technical resources devoted to these systems could have been used to keep operational systems up-to-date.
Although it might be easy to blame politicians who made the decision to invest in such schemes for supporting a “vanity project”, a significant amount of blame rests with the IT industry and the associated professional bodies through not providing good advice and control. Perhaps this is a situation similar to your complaints about audit.
I do blame them
They promised the earth
And sold dud products
http://www.majorgeeks.com/files/details/windows_xp_service_pack_4_unofficial.html Microsoft do support XP as I understand it, they just keep quiet about it. I have this patch and it was updating this morning. I believe a lot of airports still use XP, alarmingly. I’m hearing too it’s not XP itself which is the problem, rather it’s the software used, they only run on XP. So if you’re going to move to Windows 10, say, for a start you’ll need new machines as most of those old XP clunkers won’t run 10, and you’ll need upgraded, maybe new, programs to boot, and training in how to use them too. That’s assuming anyone wrote updated versions of the software involved. Windows 10 has its benefits. Could 3d printing modules, for instance, have been included in XP with its 32 bit architectural limitations? There will no doubt be advancements and improvements possible in upgraded X-Ray software, the ability to port the info straight into 3d printing springs to mind. I’m being measured for my new hip in a couple of weeks. Imagine if they can take the x-rays, press a button or two and have the unit printed and ready, all from one unit? No version of XP could cope with that. There’s reasons for moving on that aren’t simply commercial.
No software needs to deal with that
That would be massive over-engineering
Well said Richard. Also don’t forget the role of GCHQ (I thought they were supposed to protect us) and the NSA who should be sued for firstly developing the malware and then releasing it into the hands of criminals.
Top Tip:
if HMG converts to Linux it would escape the Microsoft rentier trap,
HMG could maintain its own Linux installations indefinitely,
the British Armed forces still use Windows 2000, why not Linux?
Linux is free and open source,
Britain should also have its own open source search engine and web browser,
I’m sure British universities would be delighted with being funded to and tasked with creating such a thing, nothing drives innovation like involvement in a real project,
the BBC could host it, remember the BBC micro? a modest project that created the most advanced pc on the market at the time, the BBC pioneered streaming video online with iplayer yet this is also being relinquished to American based private companies,
the BBC should be the hub of Britain’s IT infrastructure working hand in hand with our universities, we need our own silicon valley, the Americans financed all their IT development with defence spending, why shouldn’t our government underwrite our IT infrastructure, it’s a matter of national security,
the British are not too stupid to do any of this, much of the technology associated with the digital revolution was developed by British minds,
it is the sheer laziness of British Government and Commerce that has outsourced software to the American giants of Silicon Valley,
not only do we, as a nation, rent all our software from American private companies we even lease hire our nuclear deterrent from them,
if we don’t do anything for ourselves we will always be at the mercy of the people we subcontract stuff out to,
my stepfather spent his life working in the civil service and says we don’t have a functioning government anymore, we just have highly paid people who commission outsourcing projects to people who charge us a fortune and screw up the service they provide,
once we become totally dependent on a private American monopoly to provide a service we are too afraid to even ask them to pay us some tax out of the wealth they extract from our economy,
every outsourcing strips well paid jobs from Britain, what do we get in return? a job flipping burgers at McDonalds or delivering Domino’s Pizzas,
where do the profits from those enterprises go?
how can we take back control from Europe if we have already handed control of the country to American Corporations?
but hey… what do I know about anything….!
May I tidy this and post it as a blog?
sure, I’m afraid it was a bit of a rant that got a bit out of hand!
it might be prudent to cross check my assertions, I’m no expert, more an enthusiastic and self taught layman!
Ok
I’ll look again
Yes, Linux is the answer. It is stable and safe and constantly monitored and updated. Most commercial servers run on it.
I agree
It baffles me why the NHS does not use it
Are the specialist Windows XP programs the NHS uses available on Linux? There may be your answer.
The reason Linux isn’t used by more people is that it isn’t supported by any single entity, it’s open source so anyone can fix or write in some malware to it, BASH is a good example (BASH allows the user to type commands into a simple text-based window, which the operating system will then run).
I do however think the UK government should create its own operating system, but it could be a money pit rather than competition to other operating systems.
And the banks! I forgot, a lot of banking systems are still XP-based. Upgrade them and you have to find new software for new machines and then train people in how to use both. Very expensive indeed. A reluctance to address this may well be what ends the dominance of the current financial Big Beasts.
Every cash machine runs on XP as far as I know
And of course, it’s just fine for the job
Barring Microsoft’s neglect of its product
We forgot these too 🙂 http://www.popularmechanics.com/military/weapons/a19061/britains-doomsday-subs-run-windows-xp/ Let’s hope these got upgraded 🙂
The whole history of information technology and the NHS is a sad one: Billions spent on failed systems with IT engineers milking the healthcare system for every penny.
In the early 90’s I remember a friend doing some NHS IT work earning £400 a day for consulting work. I was disgusted and appalled at the time that such rates seemed acceptable to a health service that is for the whole community. In the end, much of this work was scrapped and billions wasted (from the NHS point of view).
No doubt the Tories will use it as an argument for further privatisation.
It does raise the question of how this happened. Personally, it should be a good excuse to roast the incompetent Hunt but this will not happen and people much further down the line will cop it. The people at the top never go.
‘Jeremy Hunt has been accused of ignoring “extensive warning signs” that could have an unprecedented global cyber-attack that plunged the NHS into chaos this weekend.’ (Grauniad)
No doubt Hunt will use it as an excuse to promote privatisation which would be ‘so much more efficient’ (not!).
Matt makes excellent observations and recommendations. I hope, Richard, with his cooperation you can, as you say, ‘tidy it up’ as a blog in its own right. Maybe even a piece for ProgressivePulse?
We certainly have a bed-rock of technical expertise – e.g. https://www.ft.com/content/a6165cd6-2f89-11e7-9555-23ef563ecf9a
One of the many devastating draw-backs (not the word I was looking for) of the neo-liberal economic model (ideology) is its ‘inability’ to make long-term investments. As Matt states, the UK government has an exciting opportunity to develop independent, world-leading IT technology that would unshackle the nation from its American rentier masters. It makes perfect sense. With historically low interest rates, never has there been a more opportune time.
Will it happen? No.
Worth saying though
Although Microsoft no longer supports XP for the public, they have sold support to users of the system such as the NHS. And in 2014 the Crown Commercial Service bought a year of support for 5 million pounds. Support ended in April 2015 and it was decided not to renew. See https://www.theguardian.com/technology/2015/may/26/uk-government-pcs-open-to-hackers-as-paid-windows-xp-support-ends
It appears that the problem of XP vulnerability was passed onto individual government departments. No doubt requiring much duplication of effort. The National Cyber Security Centre published a document “Obsolete Platform Security Guidance” (see https://www.ncsc.gov.uk/guidance/obsolete-platforms-security-guidance). But a quick read suggests that much of the guidance amounts to disconnecting the XP systems from other networks or systems. Helpfully, at the end of the document, para 6.3, it suggests that the user can purchase a Microsoft Support Agreement for XP security patches.
So the greater burden is on the government
I get where you are coming from Richard as far as Microsoft profiteering is concerned. However, if technology did not advance, we’d still be using hot metal printing in Fleet Street.
By the way, as far as I hear, Microsoft were providing support for Windows XP for the NHS until the contract was terminated. Either that, or they offered support, which was not taken up. Either way, the problem was lack of government funding. If anyone knows the correct story for certain, please let me know (preferably with evidence).
I do not object to software advancing
BUT for large numbers of users most of what most software does is just bloat we are forced to buy quite unnecessarily
If this mess says anything it is time for someone to produce functional business software that would also meet 90% of household needs
After all, most of us are not teenage gamers
Just a point, the average gamer is in their thirties now.
https://www.google.co.uk/search?q=age+of+average+gamer
Microsoft withdrew support and security patches for XP in 2013, for the consumer.
Governments and corporations were offered a support contract, at a price that encouraged upgrading to more recent releases. Some are still paying: banks with ’embedded XP’ in their cash machines, for example.
Our Government imposed a very specific cut on the NHS; they stopped paying for this service in May 2015.
The results are exactly as everyone in IT predicted.
But I am not sure that changes my point
The point isn’t XP: the point is technically-competent management, responsible management, strategically farsighted management with a commitment to securing long-term funding.
Microsoft moved on from XP because its limitations and inherent security flaws were better addressed by redesigning, rather than merely patching the existing code. Yes, they seek a profit from selling the next big upgrade, much like motor manufacturers sell a new and shiny ‘latest model’. And yes, there is some cynicism in that; but there are good reasons – not just bad ones – why you cannot make and sell a forty-year-old car, or a fourteen-year-old operating system, in the safety- and security-conscious marketplace we’re living in today.
Microsoft did provide continuing support, for a fee, to organisations capable of keeping up with the increasing workload of maintenance and patching and increasingly-restrictive security configuration. It’s a losing battle and there’s no economic point in fighting it.
However, this isn’t about Microsoft; not their greed, nor their competence. Nor, indeed, the economics of providing legacy support, even for a fee that I am told is pretty much ‘at cost’.
This is all about the minister, motivated by a toxic mixture of malice, wilful ignorance, indifference and incompetence, deciding to cut off essential funding that would have prevented this disaster.
I have made clear I blame government too
But let’s be clear: XP worked and still does
The upgrades demanded higher fees and related hardware costs – and Microsoft has an interest in that too
I can blame Microsoft for not delivering a suitable product for the business market because competition does not force it to do so
And that is the point I made that you are missing
Richard
I believe the Windows Server was also afflicted and with lots of things Windows this would probably require a reboot after updates should have been applied in March. Rebooting servers tends to need lots of scheduling which is a bit of an issue with a server of any type.
So Linux all the way. My server in the cellar is running Ubuntu on a PC that is nearly twenty years old. It stayed up for nearly nine years before somebody accidentally pulled its plug out (not me). The government and NHS would probably save millions if they used opensource. LibreOffice is free why would you use anything else and it works on Linux, Windows and OSX. What’s not to like?
For 99% of government users things like Libre Office on Linux mixed with some good template writing and some intelligent macros would cover every need
If you think that Linux is secure then I have got a bridge to sell you.
Nevertheless, there is a case to be made for OpenOffice and an Ubuntu rollout in a government department. It is more secure than Windows, but it needs a major organisation to commit the resources to a rollout big enough to reap significant economies of scale, because the cost-of-ownership is actually very high – higher than Windows, for a user base with common-or-garden IT skills – and that, in turn, requires money and staff and political will and technically-competent managers.
There was a time pre 90s when government departments had their own software staff. Projects always overran and it was decided to put all the contracts out to tender. That was a good idea, wasn’t it?
🙂
They’ve left because of IR35.
The issues with XP in general-purpose computers (desktop workstations) are well-known, and fixable. Single-purpose devices running embedded software are another matter: the line between hardware and software is blurred and they are almost never updated once they leave the factory.
Between these two extremes are medical devices: many run their software on embedded XP, although other operating systems are quite common. They are rarely if ever updated or patched; and older models are simply not supported at all. The major manufacturers – GE, Siemens, and others – never, ever patch their older models and they will not release the source code. So the owners cannot patch them either.
All of these devices are laughably insecure: many have wide-open internet connections.
Remote exploits for an insulin pump were demonstrated almost a decade ago and the responses were, at best, bland and unconvincing. IT professionals are done with warnings in the face of indifference – or threats of legal action – and we await the coming holocaust.
The NHS is better-placed to deal with this than any of the fragmented healthcare providers in Europe and America; but the NHS will not be given the resources until there’s a disaster; and maybe not even then. And they won’t be given the source code unless the manufacturers are forced to do so by the law, and that will need legislation – if the code and documentation actually still exists at all.
Only a national organisation can provide the resources, and the economies of scale to use them efficiently, for the analysis, the software engineering, and – above all – for the testing: these devices are critical to human life, and the necessary certification and insurance (or legal indemnity provided by the state) require as much work as the coding.
As the UK no longer has a competent testing and certification authority, I guess that this is in the hands of the EU.
You get it
Thank you
The Trust in my region (one affected by the virus) posted a £17 million deficit for 15/16. It borrowed £19 million from the DH Revenue Support facility and now has total debts exceeding £40 million. The finance charge has doubled.
Firstly the only way that such borrowings can be repaid is through the production of an annual surplus. This means that steps have to be taken to 1) achieve the savings necessary to deliver the global funding plan and 2) enable the Trust to repay the historical loans. Clearly this is the logic of the financial madhouse, what we will see is the continuous growth of an already huge creditor balance, a periodic increase in total borrowings and an annual finance charge that assumes an ever larger proportion of operating expenditure.
Against this background IT updates now assume priority status, but how can they be delivered without pushing the Trust into further debt and turning the whole entity into penny pinching chaos.
And the majority of the electorate seem to want a continuation of austerity.
I cannot make sense of the current climate, why are so many people intending to vote against their own interests.
Keith
You are right: NHS deficit accounting is pure madness
The only way out of an arbitrary outcome set by accountants is to impose harm on patients
And the deficit is designed to spiral increasing the risk of real harm
It is pure financial madness
Richard
‘I cannot make sense of the current climate, why are so many people intending to vote against their own interests.’
Keith, I would say it is the result of the following:
1) the media parroting the ‘unaffordability’ myth
2) 30-35% of the populace are ‘alright-Jack’ and doing ok in the present system
3) The economic illiteracy that the country will go ‘bankrupt’ and investors will leave and the currency will collapse if Labour spend. Labour need to counter these myths but don’t.
4) Tories have jumped on the ‘national identity’ bandwagon of UKIP despite the fact that they are proponents of neo-liberalism which erodes state sovereignty!
5) Tories are seen as the Party of ‘security’ as they will press ‘the button.’
6) Flag waving makes people feel good.
I have to say that when I first heard of this the bullshit alarm at the back of my head started flashing amber and hasn’t stopped.
There is something wrong about this – all kinds of wrong in my view. I smell mischief – and not just from the hacker.
Who will get the blame I wonder?
The NHS or the Government? I hope the latter.
Mr Murphy,
The fact is that Windows XP has been out of support for three years. Microsoft’s support policy was and is well known. XP extended support was scheduled for withdrawal in April 2014, and that date was known years in advance – in fact, it was known over five years in advance, because it is usually five years after development support ends. The same is true of Windows Server 2003.
The fact is that Microsoft have actually broken their own rule, and have provided a patch for XP/Server 2003 that addresses the flaw that is allowing this ransomware to spread. That is pretty well unprecedented, (and also represents a very significant amount of work) and a great many of us are sincerely hoping that it will not be used as an excuse to delay upgrades.
There is a simple answer to ransomware. Namely: back up your data, do it regularly, check that the backups are working, and keep a recent backup in a location that is not connected to your network. If the NHS trusts do not have adequate resources to do that, heads need to roll so that those resources are provided. Likewise, if they are running ordinary services on XP computers (yes, we know there are specialist applications they can’t port to supported operating systems: in which case someone’s going to have to find the cash to replace them), heads need to roll. But that is not Microsoft’s responsibility.
Believe me, this is one case where you do not know what you’re talking about and I do.
Let me assure you: you have utterly missed the point of what I wrote
I suggest you go and read it again because you’re clearly an unwitting victim
Impressive James, apart from taking a lot of words to say little you had the hilarious closing line claiming you knew what you were talking about…that was a joke wasn’t it?
Go back and read the piece again, if you don’t get it then go do some background reading on monopolies and rent extraction. You could even go a little deeper and look at all the big technologies around and how their development was originally funded. You may come to the remarkable conclusion that without state funding the much vaunted private sector R&D comes up with very little. You may also find that, left to their own devices, markets tend to monopolies and very non optimal outcomes for the majority.
You may indeed know a lot on a micro level around one subject but your ability to tie things together into a macro picture is laughable.
“it is fair to ask is why Microsoft can leave the world at risk by not supporting its software?”
I avoid Microsoft’s products whenever I can; but I have to say you are not being fair to them here. All users of MS products are told when free support and updates are likely to end: for Windows 10, it’s 2025, for example. My local hospital was unaffected by the hack because it had upgraded its computer OS and systems. So the question is: why were so many NHS bodies negligent? They should have been planning and budgeting for an upgrade years in advance.
I am not being unfair: I made the point that this is deliberate technical obsolescence of no use to society that a monopolist can dictate
I am being unambiguous as to where the unfairness is. I am saying we should not permit such monopoly or the power it affords
Sure, Richard, Microsoft are dominant in the marketplace, but they do warn potential customers of the deliberate technical obsolescence – which is one reason why I don’t use their products – so it’s a case of caveat emptor. And there are alternatives.
The alternative is ending their right to a monopoly
Unfortunately, it is not quite as simple as deliberate technical obsolescence (it would make my job much easier if it was). Technology does change, and ideas that previously seemed sensible can turn out to be less effective when newer technology comes along, or where shortcomings in design become apparent (email being a great example of the latter with regards to spam), or changes in architecture are required. You would not be able to install Windows XP on a modern machine without making significant changes to the install CD, simply because XP is not able to understand how to talk to the hardware. Technology does change, and this requires Windows to change too.
Fixing problems within a piece of software generally requires the developers to be familiar with how the code fits together. Unfamiliarity with the code does tend to result in fixes that have unexpected side effects, as components tend to be intricately linked together. As you might expect, the older software is, the fewer people who understand how it fits together. This means that the older the software is, generally the higher the costs to maintain it. How long should a company continue to support/maintain software? How far should that maintenance go – should it just be corrective or should it move into adaptive or preventative?
Microsoft had published how long they intended to provide support for the various different versions of Windows. Organisations chose to use Windows XP with this end of life information being available. An organisation who knows this, buys Windows XP and fails to identify the total cost of ownership including replacement is foolish. Other platforms are available!
But you still miss my point
We grant Microsoft (and others) a licence to exploit
And they do, at cost to the vast majority
And I read all the above as an excuse
The LP should make a media ‘meal’ out of this, avoiding any of the complexities articulated above. A straight forward simple message – vote for the Tories and this is what you get. Austerity that puts people’s lives at risk. It’s basic stuff anyone can understand. Chris Dillow coincidentally makes the same point today – http://stumblingandmumbling.typepad.com/stumbling_and_mumbling/2017/05/counter.html.
That works
PS – they should also launch an unambiguous direct attack on May for a total abrogation of duty while Home Secretary. Just go for the jugular, irrespective of any nuanced detail. “In a radio interview last night an ex-hacker named a few countries who funnelled enormous resources into developing viruses and malware for offensive purposes. The UK was one of them. When later asked what measures were in place to protect UK systems from such attacks he said there was practically none.” (quoted from a comment on Craig Murray’s blog today).
You are really blaming Microsoft for not supporting a SIXTEEN YEARS OLD operating?
Yes
Would you mind sending a check for a few million dollars to Microsoft every month so MSFT can use that money to pay for its software developers to make patches for older OSes like Windows XP?
Maybe, yes
The question should be this: why NHS has a so bad software which is incompatible with newer operating systems?
The question should be: why were many trusts, running the same OS, unaffected by the malware injection.
A fool and his open ports are soon infected!
I would like to add that the ransomware was developed by the NSA as part of their cyber warfare aimed at Russia, and I suppose anyone else they took a dislike to in their need for global domination.
I would also like to mention that they never offered to fix the problem they created. Perhaps they were just sitting back to view how well their project was working before deciding whether to continue to further develop their cyber-warfare capabilities. I mistrusted the U.S. black bag industry before, and I trust them even less now with Trump in charge.
Worryingly Trident also operates on XP, and that poses a problem for us all. I dislike the fact that we rent WMDs from the U.S. on the spurious grounds of self-defense, and are effectively being held to ransom by the U.S. in so many ways, including manipulating the population into believing that it is a necessity that we should not be without but is in fact what creates the greater danger to us.
Next point to make: On the morning of the ransomware attack Corbyn was making a speech followed by Q&A in which he outlined that cyber security is one of the greatest risks to the UK today, and that we as a country need to do more to protect ourselves, and his if in government would work to that end. Once again Corbyn appears to be on the right side of history.
The NSA discovered the vulnerability used in the attacks.
They failed to notify MS, because they didn’t want it fixed.
To say that MS is annoyed would be a massive understatement.
Irrespective of support contracts needed, the vulnerability would have been notified to system administrators if known.
No surprise really…the NSA tends to be leaky….
Let’s not leave the H/W monopolies out of this, i.e. Intel. You will find that the new operating systems from Microsoft need dramatically more CPU power and memory and disk space to do identical tasks of the venerable XP. The new processors in turn require the new operating systems. Intel and Microsoft churn the market together demanding ever more processing power. The H/W efficiency improvement is countered by the increased S/W inefficiency of the software to perform the majority of common tasks.
Agreed
I blame the sysadmins!
Leaving ports open that are prone to attack!
Whichever operating system gets used, people are the weakest link.
Never forgetting that the malware was designed by your friendly spooks to do what the miscreants used it for.
It’ll be the same for Linux….