Do we need Windows patch legislation?
Should vendors be obliged to maintain ageing, unsafe PCs?
Microsoft has got off remarkably lightly from WannaCry as the finger-pointing between Whitehall and NHS trusts began. But that might be beginning to change.
The NHS had 70,000 Windows XP PCs, but only after the ransomware hit did Microsoft issue a patch for XP. Officially, support for the OS had ended in 2014, spurring an upgrade cycle.
In a letter to The Times [paywalled, of course], former GCHQ chief Sir David Omand has put the moral responsibility on Microsoft for withdrawing support from Windows XP three years ago, knowing the OS was in frontline use worldwide.
Omand raises the question of whether vendors like Microsoft should continue to secure systems long after their support "expiry date".
"Should Microsoft have stopped supporting Windows XP so soon, knowing that institutions had invested heavily in it (at the urging of the company at the time)? At least a Windows XP patch for the flaw that allowed the worm to spread so readily has now been issued, but it would have been better if it had been released a month earlier, when the company first became aware of the problem," he writes.
The withdrawal of security patches is a big stick, perhaps the biggest stick, that Microsoft possesses to oblige customers to upgrade their archaic systems. (Windows XP will be 16 years old in September – that's an eternity in computing, longer than the time elapsed from the first microprocessor to the launch of OS/2.)
Sympathy for the vendor comes from many who work in health and public sector IT, who blame poor management for mission critical services retaining decrepit and ageing PCs. Microsoft gave the NHS years of notice that support would cease. But isn't there a social responsibility to maintain even the most inept NHS manager?
An analogy may be vehicles that develop a dangerous defect. Would we excuse the manufacturer and allow unsafe vehicles on the road?
So we'll throw this open to you. The question is straightforward. Should the government regulate (or legislate) that "unsafe" public services must be patched, and if they are not, place those vendors on a blacklist?
It's over to you. ®