Organisational inertia means we’re saddled with an ageing, vulnerable browser across our hospitals and key government departments. That’s not good
Don’t worry, said Microsoft a few days ago: the zero-day vulnerability that Chinese hackers exploited to infiltrate Google’s network only affects Internet Explorer 6 (released in 2000) running on Windows XP (released in 2001).
The implication being that nobody uses that still, do they? Ed Bott, who has forgotten more about Microsoft than many people know, says in a vehement blogpost at ZDNet that:
“Any IT professional who is still allowing IE6 to be used in a corporate setting is guilty of malpractice. Think that judgment is too harsh? Ask the security experts at Google, Adobe, and dozens of other large corporations that are cleaning up the mess from a wave of targeted attacks that allowed source code and confidential data to fall into the hands of well-organized intruders. The entry point? According to Microsoft, it’s IE6.”
By Bott’s measure, we’d have to conclude that there’s a lot of malpractice going on in UK government. More than 750,000 workstations in the NHS and 500,000 in the Department of Work and Pensions use exactly that combination. The DWP installation of IE6/XP in 2002/3 took a total of three years, he suggests.
In fact it is still a requirement of any new web application being deployed in the NHS that it works on IE6/XP. You can see the 2008 machine requirements for the Primary Care Trust Prescription services report deployment, for example, which specifies machines that these days you’d have trouble finding outside eBay:
Client Machine Requirements for Report Deployment:
Windows: Microsoft Internet Explorer 5.0, 5.5, 6.0; Netscape Navigator 4.7, 6.2; Acrobat Reader 3.0, 4.05, 5.0 (If PDF viewing/printing is required)
Mac OS: Microsoft Internet Explorer 5.0, Netscape Navigator 6.2, Acrobat Reader 3.0, 4.05, 5.0 (If PDF viewing/printing is required)
OS/2: Netscape Navigator 4.61, Acrobat Reader 3.0 (If PDF viewing/printing is required)
Solaris: Netscape Navigator 6.2, Acrobat Reader 3.0, 4.0 (If PDF viewing/printing is required)
A year ago, Microsoft itself posted an NHS advisory recognising the problems around backwards compatibility with IE6, and noting that virtual machines (VMs) could do the job on newer machines, by hosting an instance of IE6/XP.
Neil Slater, who wrote the note, commented that he knew
“that the [NHS] IM&T Tools Project needs to remain focussed on the challenges you are facing today. One of these challenges is applications that require Internet Explorer 6 (IE6).”
“Incompatibility of applications with Internet Explorer 7 (and soon 8) has been a much discussed problem for NHS Trusts planning upgrades to Windows Vista. Testing and migrating applications can be time consuming, and meanwhile users are unable to take advantage of the new capabilities and enhancements offered by the new OS. By delivering applications in a Virtual PC that runs Windows XP and IE6, IM&T teams can remove the barriers to OS upgrades. If you have an application that requires IE6, please get in touch. Whether it is a widely-deployed national application or a bespoke Trust-specific application, I would like to hear from you.”
It’s organisational inertia like this which is really dangerous. It’s difficult enough of course to get the vast mass of people to upgrade their browsers; even more so to change their browsers to a different one. Yet the indications are that a significant proportion of individuals really do take an interest in what browser they’re using: how else to explain that Firefox now looks like the most popular individual browser?
Part of the incentive for those upgrades must be personal security: Internet Explorer has had so many well-documented exploits targeting it that eventually the message permeates through to individuals.
The irony is that organisations like the NHS and DWP and all sorts of other government departments control personal information that is truly valuable, connected by systems which have woeful security holes. It’s very easy to argue (and I’m sure that someone will) that the vast majority of those NHS and DWP workstations are not connected to the internet, and so don’t face the same threats that you and I browsing the web would.
While that’s true, it overlooks the point: it only takes one of those systems to be connected to the net, or to be forwarded an infected attachment over the intranet from someone – perhaps on a completely safe machine – and the entire network is, potentially, compromised. (A scenario like that is highly likely to have been the modus operandi at Google.)
The key question is, how do you solve that problem? How do you ensure that you won’t be tied to outdated browsers and operating systems? Quite simple: write to web standards. Then all you need to do is upgrade (or move) to a browser that supports those standards.
And that’s where the failing was when the NHS specification was written. In 2000, there were plenty of web standards around; IE6 didn’t meet all of them. But because the NHS was a huge project, and the government wanted to use Microsoft, it went with IE6.
Short-term gain, long-term problem. Now we have to wonder if our medical records and national insurance data are safe against malware-driven intrusion on computers that use a decade-old browser which wasn’t built for the hostile environment that the web has become.
Microsoft could make out that IE6/XP is the only system at risk (though it is now patching all versions of IE and Windows against the vulnerability – including a warning for the NHS). Unfortunately that “only” system turns out to be rather widely used.
It’s ironic that this has happened in the week of the official launch of data.gov.uk – which is a browser- and platform-independent approach to using all the (non-personal) data that the government has got squirreled away, and is now being encouraged to open up. Yesterday, the civil servants who’ve worked so hard at the launch of that site, who I discussed this issue with, were covering their faces in horror at the thought of it. But then a ray of light dawned. “I know!” said one. “We’ll replace them all with modern browsers running HTML5!” Well, we can hope. In the meantime, let’s hope that Chinese hackers just don’t think our health records or pension or national insurance details are that interesting. Fingers crossed