The Top 2014 Government IT Headache: Windows XP Migration

by / December 10, 2013 0

Image: Flickr/Energetic Spirit

As 2014 priority lists are drawn up for government technology teams around the world, migrating off of the Microsoft’s Windows XP operating system is at or near the top of the list for many public-sector organizations. The problem is that too many organizations aren’t ready and will miss the April 8, 2014 end of life deadline for XP migration.

And the consequences will be severe for the migration laggards, with security, financial and other ramifications. One estimate from back in August predicted that 10% of U.S. computers will still be running XP after the deadline, but as much as 65% of Chinese computers will be running XP.  

However, I think these "not-yet-migrated" numbers will be substantially higher in the public sector – and probably higher for the private sector as well.

In conversations with state and local governments this fall, XP migration is a very hot topic with plenty of scrambling infrastructure teams trying to respond. In fact, this topic has become a mini-crisis for many – in December 2013. In recent months, the full costs and impact of XP migration is coming into view for technology leaders who were focused on other priorities in 2012 and 2013.

Why is XP Still Around?

There are many reasons that XP is still around. Quite a bit of software does not run well on other operating systems, and many business and technology leaders have not taken the time over the years to make upgrading off of XP a priority.

Why? We all know the phrase – “if it isn’t broke, don’t fix it.” Or, in other words, there was minimal cost for staying with XP. But since many good things come to an end, that luxury will soon no longer be available.

Many veteran computers specialists point to previous Microsoft end-of-life operating system stories, such as Windows 2000, and say that the same pattern is repeating itself.  

The reality is that this issue affects worldwide users, and the reasons for waiting until now are all over the map.

Windows XP-Migration Background

It wasn’t supposed to be this way.

Despite years of advance notice and the reality that staying with Windows XP can be three times more expensive than buying Windows 8, many system administrators proclaimed that dumping XP was just too expensive.  (Since many older computers often cannot support Windows 7, much less Windows 8, the migration costs often mean buying new computer hardware as well.)

The trouble is that staying with XP after support ends could open the door for many security vulnerabilities which won’t be patched on XP computers without paying for additional support.  Here’s an excerpt of the PC World article:

“Tim Rains, director of Trustworthy Computing for Microsoft, has
warned Windows XP users of another potential concern. Attackers often wait for a vendor to release a patch and then reverse-engineer it to discover the flaw and craft an exploit to take advantage of it. Once Microsoft support for Windows XP expires, malware developers will reverse-engineer Microsoft’s Windows 7 and Windows 8 patches and then verify whether those same flaws exist in Windows XP. In many cases, they will—and there will be no patch available to protect Windows XP.”

In addition, governments and private sector organizations that don’t have XP computer support may open themselves to compliance risks such as Payment Card Industry (PCI) compliance trouble and other audit issues.

Can You Buy XP Support After April 8, 2014?

Another trouble is that buying additional support for XP after April (for the enterprises that can even buy it at all) is very expensive. Without going into too many details, Microsoft has recently raised the cost dramatically – in an effort to push migration to Windows 7 & 8.  This is a major sore point for many Microsoft customers, but that is another article for another day.

There is also non-Microsoft support for XP that is cheaper.  

Some government organizations, who thought that buying an additional support contract would actually help push customers off of the operating system, now face sticker shock as they look at hundreds of thousands or millions of dollars in extra costs in 2014 for just staying on current XP technology. This legacy problem is complicated by a late push by many customers who all want to get off of XP at the same time.

What Now?

Technology leaders have a few immediate tasks after understanding their current inventory of XP PCs and servers, including:

1)    Migrate computers still running XP. This includes testing of software, embedded systems, etc.
2)    Plan (with Microsoft or other companies) for those computers that will not make the deadline.
3)    If a system is still running XP on April 9, 2014, and additional system support (with patches) is not purchased, take other steps. That is, unplug the system, or determine how to protect the environment without support (not recommended.)


There are many good migration guides to help technology teams migrate off of Windows XP – such as this one from Microsoft.

The issue is not that this is too hard. The main issue is generally that most organizations have not been able to make this a priority soon enough. Too much work is left before the deadline.

The other issue is that the costs to buy support for XP after April 8 may be too great for some. That means that security issues will almost certainly arise and new headaches will be born if you do nothing.

Only time will tell whether a surge in breaches will occur after April on XP computers. No doubt, there will be plenty of headlines in 2014 on this topic.  Sadly, this short-term issue will be hot throughout 2014 and take away from other more value-added work for businesses.

My advice is to try to upgrade to other operating systems in such a way as to add business value and security protections at the same time. I realize that this is easier said than done for many readers. I don’t advise staying on XP without proper support.

Do you have any other advice for others on Windows XP migration? Where is this issue on your government’s priority list? Feel free to leave a comment.

Dan Lohrmann Chief Security Officer & Chief Strategist at Security Mentor Inc.

Daniel J. Lohrmann is an internationally recognized cybersecurity leader, technologist, keynote speaker and author.

During his distinguished career, he has served global organizations in the public and private sectors in a variety of executive leadership capacities, receiving numerous national awards including: CSO of the Year, Public Official of the Year and Computerworld Premier 100 IT Leader.
Lohrmann led Michigan government’s cybersecurity and technology infrastructure teams from May 2002 to August 2014, including enterprisewide Chief Security Officer (CSO), Chief Technology Officer (CTO) and Chief Information Security Officer (CISO) roles in Michigan.

He currently serves as the Chief Security Officer (CSO) and Chief Strategist for Security Mentor Inc. He is leading the development and implementation of Security Mentor’s industry-leading cyber training, consulting and workshops for end users, managers and executives in the public and private sectors. He has advised senior leaders at the White House, National Governors Association (NGA), National Association of State CIOs (NASCIO), U.S. Department of Homeland Security (DHS), federal, state and local government agencies, Fortune 500 companies, small businesses and nonprofit institutions.

He has more than 30 years of experience in the computer industry, beginning his career with the National Security Agency. He worked for three years in England as a senior network engineer for Lockheed Martin (formerly Loral Aerospace) and for four years as a technical director for ManTech International in a US/UK military facility.

Lohrmann is the author of two books: Virtual Integrity: Faithfully Navigating the Brave New Web and BYOD for You: The Guide to Bring Your Own Device to Work. He has been a keynote speaker at global security and technology conferences from South Africa to Dubai and from Washington, D.C., to Moscow.

He holds a master's degree in computer science (CS) from Johns Hopkins University in Baltimore, and a bachelor's degree in CS from Valparaiso University in Indiana.

Follow Lohrmann on Twitter at: @govcso