Government departments and their agencies have just weeks left to upgrade the software that keeps thousands of their computers running – or accept they are at increased security risk. But some are being more open about their progress than others.
From 14 January next year, Microsoft will no longer provide free technical help with Windows 7, nor any updates to help protect against new threats. Extended support is available until as late as 2023 – although this will require escalating payments.
Microsoft warns that any computer running an unsupported version of Windows 7 “will be at greater risk [of] viruses and malware”.
“Microsoft strongly recommends that you move to Windows 10 sometime before January 2020 to avoid a situation where you need service or support that is no longer available,” the vendor says on its website.
As of June, some 1.05 million NHS computers across England – out of a total of 1.37 million – still ran on the 10-year-old operating system.
CSW’s sister title PublicTechnology recently submitted Freedom of Information requests to a wide range of public-sector bodies, including all central government departments, seeking data on how much of their computing estate is still on Windows 7.
Several responded that they have already upgraded their entire organisation to a new system. These include the Cabinet Office, which has updated 6,551 machines; the Department for Business, Energy and Industrial Strategy, with 5,685 PCs; and the Crown Prosecution Service, with 9,557.
The Office for National Statistics said that, while almost 60% of its computers – 5,089 out of 8,570 – still run on Windows 7, it plans to upgrade to Windows 10 across the board by the end of March 2020.
Most departments, however, refused not only to disclose this information but even to confirm or deny whether they held it. Those that refused cited FoI exemptions allowing non-disclosure in cases where an increased vulnerability to crime outweighs the public interest in transparency.
In several cases, this decision was maintained following an appeal in which it was pointed out that the arbiter of the FoI legislation, the Information Commissioner’s Office, had itself been happy to disclose that 927 of its 1,037 computers still run on Windows 7, pending an upgrade programme due to complete sometime in December.
Following an initial refusal endorsed by an internal review, the Department for Exiting the European Union said any public knowledge or inference of the operating systems it uses – whether Windows 7 or newer iterations – “could assist those with malicious designs in the planning of cyberattacks on DExEU”.
“Because of the purpose and function of DExEU, the information which it has in its possession is often of a very sensitive nature,” it says. “The theft of such information by parties which are intent on causing harm to the UK would compromise national security. Hence the need to reduce the threat to such information by neither confirming nor denying which operating system is used on computers owned by DExEU.”
HM Land Registry is another government organisation to conclude, after an internal review, that it is exempt from confirming or denying whether it holds information on its operating systems.
The ICO found that a complaint from PublicTechnology about HM Land Registry’s decision was “eligible for further consideration”. The issue is now being examined by one of the regulator’s caseworkers.