Some federal agencies face a race to upgrade their computers with less than six months to go until Microsoft stops providing free patches to an older, still prevalent operating system.
As of the end of July, 31 percent of federal civilian agency computers still run on Windows 7, according to an official from the Cybersecurity and Infrastructure Security Agency (CISA), an entity inside the Department of Homeland Security that protects critical infrastructure from cyberthreats.
Microsoft’s free support for Windows 7 ends Jan. 14, 2020. After that date, enterprise customers that have not completed an upgrade to Windows 10 will have to pay for Extended Security Updates to keep receiving security fixes, a Microsoft spokesperson said. Those paid updates are available for three years.
A CISA official said that the agency is “currently monitoring” the use of Windows 7 within civilian agencies.
“I don’t think it’s acceptable,” said retired Brig. Gen. Greg Touhill, the U.S. government’s first federal chief information security officer and current president of Cyxtera Federal Group, an enterprise IT and infrastructure security company, of the government’s current Windows 7 exposure.
“This is adding extensive risk because older operating systems that are not supported by the manufacturers ... are increasingly adding significant risk exposure in the cyber domain.”
The CISA official said that civilian agencies have reduced their Windows 7 exposure by 26 percent since the fourth quarter of 2018.
“We continue to work to raise awareness of the associated risks of legacy software, provide risk mitigation recommendations for the instances where the continued use of legacy software is required, and provide support through direct agency engagement,” a CISA official said in a statement.
Within the Department of Homeland Security, home to CISA, Windows 7 exposure sits around 3 percent, a CISA official said.
The Department of Defense declined to say what the DoD’s current mix of operating systems is, but Elissa Smith, spokesperson for the Pentagon, said that in February 2016 the department “initiated the rapid transition to Microsoft Windows 10 Secure Host Baseline (SHB) in order to strengthen our cybersecurity posture while concurrently streamlining the IT operating environment.”
As of June 2019, she said, the upgrades are “substantially complete.”
Inquiries to all 24 CFO Act agencies found that there is still work to be done across several civilian agencies, including Cabinet departments. For instance, the Department of Veterans Affairs told Federal Times that more than 40 percent of its 500,000 computers have been upgraded to Windows 10. It is “on track” to finish the upgrade before the January date, a spokesperson said.
The Small Business Administration is “actively rolling out” Windows 10, an agency spokesperson said. The agency is “about 50/50” on migration of its 4,350 computers, according to the spokesperson, and plans to finish the migration at the end of October.
The Department of Education led among Cabinet agencies, with zero computers running Windows 7, according to a spokesperson. A Department of Labor spokesperson said that, as of January 2019, the department had upgraded 16,810 computers to Windows 10, with 400 left to upgrade. Those computers are “being actively replaced” and will be upgraded before January 2020.
The State and Interior departments both declined to provide information on their Windows 7 use, citing security concerns.
The Department of Transportation said that it was “aware” of the Jan. 14 date and is “actively working” to update machines, but did not go into specifics.
A USAID spokesperson said that it plans to fully migrate to Windows 10 by the end of December “with a significant amount of coordination and work.”
The Departments of Energy, Agriculture, Commerce, Housing and Urban Development, Justice, Treasury and Health and Human Services, as well as the Environmental Protection Agency, did not respond to multiple requests for comment. NASA and the Social Security Administration also did not respond.
A General Services Administration spokesperson said that less than 7 percent of its systems run Windows 7 and that the agency plans to finish the migration by the end of the year. The National Science Foundation has no physical machines running Windows 7, a spokesperson said.
The Nuclear Regulatory Commission, which regulates commercial nuclear power plants and nuclear materials, has migrated almost 87 percent of its computers to Windows 10. It plans to finish the upgrade by the end of November and is ahead of schedule, an NRC spokesperson said.
The Office of Personnel Management, which suffered a massive data breach in 2015, will be prepared for Microsoft to stop servicing Windows 7, a spokesperson said.
“The vast majority of OPM’s IT assets run on the latest operating systems. We do have some specialized applications running on Windows 7, but we have a program in place to update these systems in advance of Jan. 14,” an OPM spokesperson said.
Itzik Kotler, co-founder and chief technology officer of SafeBreach, a breach and attack simulation company, said that the numbers weren’t too alarming.
“Accepting the fact that the government has many assets to manage, has many projects to do, it’s understandable that it’s never going to be a zero,” Kotler said.
“Obviously we would all like that number to be zero; that’s the best-case scenario. But what we’re missing here is … where are those assets and what are they connected to.”
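Kotler’s point that the raw count matters less than where the remaining hosts sit and what they are connected to is something an agency can check against its own inventory. The script below is an added example, not code from the article or from any agency or vendor mentioned in it. It reads a constructed CSV export (hostname, reported OS version, network zone, and whether the host is enrolled in paid Extended Security Updates), computes the Windows 7 share of the fleet the way the percentages above are quoted, classifies each host’s support status relative to the Jan. 14, 2020 date, and orders unprotected hosts for remediation by an assumed zone-risk ranking. The zone names and their ranking, the ESU column, the ESU end date (derived from the three-year figure in the article), and the version-to-product mapping are all assumptions for the example.

```python
"""Triage a Windows endpoint inventory for Windows 7 end-of-support exposure.

Added example, not code from the article or any agency: the inventory below is
constructed, and the zone ranking, ESU column and ESU end date are assumptions.
"""
import csv
import io
from collections import Counter
from datetime import date

WIN7_END_OF_SUPPORT = date(2020, 1, 14)   # end of free support, as reported in the article
ESU_END = date(2023, 1, 14)               # assumed: three years of paid Extended Security Updates

# Windows NT version prefix -> product name (6.1 is Windows 7, 10.0 is Windows 10).
OS_NAMES = {"6.1": "Windows 7", "6.2": "Windows 8", "6.3": "Windows 8.1", "10.0": "Windows 10"}

# Assumed exposure ranking: a lower number means more reachable by an attacker.
ZONE_RISK = {"public": 0, "dmz": 1, "user-lan": 2, "isolated-lab": 3}

# Constructed sample inventory: hostname, reported OS version, network zone, ESU enrolled.
SAMPLE_INVENTORY = """hostname,os_version,zone,esu_enrolled
ws-001,10.0.18362,user-lan,no
ws-002,6.1.7601,user-lan,no
ws-003,6.1.7601,dmz,no
lab-01,6.1.7601,isolated-lab,yes
kiosk-7,6.1.7601,public,no
ws-004,10.0.17763,user-lan,no
"""


def os_name(os_version):
    """Map a dotted version string such as '6.1.7601' to a product name."""
    major_minor = ".".join(os_version.strip().split(".")[:2])
    return OS_NAMES.get(major_minor, "unknown")


def esu_enrolled(row):
    return row["esu_enrolled"].strip().lower() == "yes"


def win7_status(row, today):
    """Support status of one host on a given date.

    Hosts that are not Windows 7 are reported as such and not assessed further
    (assumption: Windows 10 builds have their own lifecycle, outside this example).
    """
    if os_name(row["os_version"]) != "Windows 7":
        return "not-windows-7"
    if today < WIN7_END_OF_SUPPORT:
        return "supported"
    if esu_enrolled(row) and today < ESU_END:
        return "esu"
    return "unsupported"


def triage(inventory_csv, today_iso):
    """Summarise Windows 7 exposure for an inventory as of an ISO date string.

    Returns the fleet share, days remaining to end of support, counts by zone and
    by support status, and unprotected Windows 7 hosts ordered most exposed first.
    """
    today = date.fromisoformat(today_iso)
    rows = list(csv.DictReader(io.StringIO(inventory_csv)))
    win7 = [r for r in rows if os_name(r["os_version"]) == "Windows 7"]
    # Hosts that lose all updates at end of support: no paid ESU coverage.
    unprotected = [r for r in win7 if not esu_enrolled(r)]
    # Stable sort, so hosts in the same zone keep their inventory order.
    remediate_first = [
        r["hostname"] for r in sorted(unprotected, key=lambda r: ZONE_RISK.get(r["zone"], 99))
    ]
    return {
        "total_hosts": len(rows),
        "win7_hosts": len(win7),
        "win7_percent": round(100.0 * len(win7) / len(rows), 1) if rows else 0.0,
        "days_to_end_of_support": (WIN7_END_OF_SUPPORT - today).days,
        "win7_by_zone": dict(Counter(r["zone"] for r in win7)),
        "win7_by_status": dict(Counter(win7_status(r, today) for r in win7)),
        "remediate_first": remediate_first,
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_INVENTORY, "2019-08-01").items():
        print(f"{key}: {value}")
```

Run against a real export, the same report answers the two questions the raw percentage does not: which Windows 7 hosts will have no update path at all after Jan. 14, and which of those sit in a segment an attacker can reach first. Running it again with a date after the cutoff shows the ESU-enrolled hosts moving to an “esu” status while the rest become “unsupported”.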
Microsoft declined to tell Federal Times how much the security updates cost for agencies. However, in a statement the company said that it is “committed to helping our customers remain secure.”
“While we provide long lead times for upgrades, we understand that some customers still need more time, which is why we have several options for our customers — services like Microsoft FastTrack to expedite migrations, desktop virtualization using Windows virtual desktop or paying for extended security updates annually for up to three years,” a Microsoft spokesperson said.
Touhill said that, given the vast amount of sensitive data the government collects, the federal government needs to look beyond temporary fixes and ensure that it has upgraded to the latest operating systems.
“It’s critically important that we minimize the risk exposure to commensurate with our risk appetite,” Touhill said.
Andrew Eversden covers all things defense technology for C4ISRNET. He previously reported on federal IT and cybersecurity for Federal Times and Fifth Domain, and worked as a congressional reporting fellow for the Texas Tribune. He was also a Washington intern for the Durango Herald. Andrew is a graduate of American University.