If I told you that in the near future your organization's information technology infrastructure's operating system would be almost completely vulnerable to cyber attacks, you'd likely ask if I was taking advantage of some new laws in Colorado or Washington. Who in their right mind would let their systems be based on a program that you knew in a few short months would be infinitely more defenseless? Turns out, way too many companies.
Starting in April 2014, Microsoft will begin its phased cessation of support for the Windows XP operating system. While many consumers moved on to new operating systems, many critical pieces of our infrastructure still use Windows XP to run its operations. Just minor things, you know, like nearly 95 percent of ATMs and much of the nation's "industrial control systems," which help make our critical infrastructure hum.
This is not a newly realized problem. Windows XP's slow demise has been discussed for several years, and Microsoft itself has made it clear that its decision to no longer support Windows XP could open up laggards to potentially unlimited "zero-day" attacks, which are attacks exploiting previously undiscovered vulnerabilities. The connective tissue with the end of life decision is that Microsoft will no longer issue security patches to fix these vulnerabilities. Thus, it will be up to the legacy users to detect these vulnerabilities, fix them or board up the virtual windows so that attackers cannot get inside the system.
There is no doubt many security companies are working hard to develop defenses that will keep zero-day attacks from reaching the Windows XP operating systems. That's not the problem -- the problem is that some companies will continue to use a system that they know can easily be compromised.
What will make this worse is the inevitable avalanche of lawsuits arguing that companies, including their executives, should have known about this problem and addressed it earlier. The lack of attention to the problem could trigger liability, and at the very least will likely trigger expensive and protracted litigation.
Bottom line: Ignoring or creating excuses for inaction around the Windows XP end-of-life situation will only get companies into trouble. To butcher an old phrase: It's not the software end-of-life that's the problem, it's the failure to patch it.