In a lengthy attempt to find out about the security of government’s software systems, PublicTechnology finds a very uneven approach to transparency and what constitutes sensitive information
On 14 January this year, Microsoft ended support for Windows 7, more than a decade after the operating system was first released.
This means that the vendor will no longer provide software and security updates for the product – leaving machines still running on the OS more vulnerable to cyberthreats.
The scale of the global upgrade programme that Microsoft hoped to encourage is demonstrated by the fact that even now, six months on from the cessation of support, as many as one in four PCs around the world still run on Windows 7.
The system’s popularity translated to widespread use across the public sector; less than six months before the deadline, the government admitted that more than three quarters of the 1.37 million PCs in use across the NHS still used the 10-year-old software. This was despite a £150m deal between Microsoft and the Department of Health and Social Care, signed in May 2018, that included a pledge to update all machines to Windows 10 by the end-of-life date.
A deal was ultimately struck ensuring support until January 2021 – which is just as well, as it was reported in February that the health service’s upgrade process was still only two-thirds complete.
Shortly after the revelation about the scale of the continued use of Windows 7 across the NHS, PublicTechnology set out to find out how prepared the wider public sector was for the looming support deadline.
Beginning in summer last year, we submitted freedom of information requests to more than 50 public-sector bodies, including all major central-government departments and various other agencies, a wide range of local councils, NHS trusts, and education institutions.
We asked how many of their machines still ran on Windows 7 – or an even older Microsoft operating system – and what proportion of their overall PC estate this constituted. We also asked if they had set a deadline for upgrading to Windows 10 across the board.
Many organisations, particularly in local government, responded quickly and fully, regardless of what stage they had reached in their migration process. Across a representative group of 14 local councils, plus the Scottish and Welsh governments, our research found that, a few months ahead of the cut-off date, 37% of PCs were still operating as Windows 7 machines.
Some organisations had more or less completed their upgrade process, others were yet to begin in earnest, and others still were somewhere in the middle.
The central-government entities that responded painted a similar picture.
The Cabinet Office, the Department for Business, Energy and Industrial Strategy, and the Crown Prosecution Service had, when we asked them, all upgraded their entire estate – a cumulative total of almost 22,000 machines.
The Office for National Statistics said that almost 60% of its computers still used Windows 7, but that it had set a timeline – albeit one that extended two months past the end-of-life date – to migrate to a newer version.
The Information Commissioner’s Office, which serves as the arbiter of FOI regulation, admitted that close to 90% of its 1,000-plus PCs still ran on Windows 7, pending an upgrade programme scheduled for December 2019.
Most departments, however, refused not only to disclose this information but – somewhat disingenuously – even to confirm or deny whether they held it. Those that did so cited FOI exemptions allowing non-disclosure in cases where an increased vulnerability to crime, or a threat to national security, outweighs the public interest in transparency.
Good reviews
In all these cases we requested an internal review of the decision, asserting that simply knowing what operating systems are in use does not make an organisation substantially more vulnerable to cyberattack, and that any minimal increase in risk was far outweighed by the public interest in releasing the information. We also stressed that the ICO itself had happily disclosed the same information without invoking any exemptions, suggesting that it believed the information to be legitimately within the scope of FOI laws.
14 January 2020: end-of-support date for Windows 7
37%: proportion of PCs across 16 representatively selected local-government organisations that still ran on Windows 7 shortly ahead of the deadline
1,781: number of Windows 7 machines still in use at HMRC as of December 2019
44%: proportion of FOI requests to central government in Q3 2019 that the IfG finds were wholly denied, treble the proportion denied in 2005
HM Revenue and Customs, which had initially told us it would neither confirm nor deny its possession of the information requested, changed its mind following our appeal.
“Your email… challenges the view that knowing which operating systems are in use by a specific department makes that department susceptible to cyberattacks,” it told us. “Having reconsidered your original request, we agree that telling you about our operating systems would not in itself increase the risk to our systems. We have, therefore, looked at your request again and answered each question.”
It transpired that, as of December 2019, the tax agency owned 1,577 desktops and 204 laptops on which Windows 7 was still in use. This equated to 4.3% of its PC estate.
The department indicated that it did not have a deadline for upgrading, but that it would be “actively monitoring the additional exposure caused by the end of support” for Windows 7.
In all other cases in which our initial FOI request was denied, the decision to do so was upheld after an internal review had been completed.
A confused and confusing picture was emerging.
All organisations contacted by PublicTechnology, each of which holds similarly sensitive personal citizen data, acknowledged a clear public interest in releasing the information requested.
But there are clear differences of interpretation – even within a single department – over whether the public has a right to know.
Towards the end of last year, we filed a complaint to the ICO in respect of the response we received from HM Land Registry, which was the first to complete the internal process of denying our request twice. The regulator decided that our complaint was worthy of further investigation, and appointed a caseworker.
After the submission of evidence from PublicTechnology, and engagement by the regulator with the registry, the case was closed in March this year – almost eight months after we sent off our batch of FOI requests.
The ICO wrote to us on behalf of commissioner Elizabeth Denham to report its conclusion that HM Land Registry had legitimately relied upon the exemptions it cited in refusing to disclose the information.
We were, it seemed, not entitled to know about the make-up of the organisation’s software estate.
As part of our complaint, we noted how many other organisations – including the ICO itself, as well as major departments, devolved administrations and large local authorities – had decided that public knowledge of the information did not pose a security risk sufficient to prohibit its release.
In response, the commissioner told us: “As you are aware from your previous requests to numerous public authorities, each authority is entitled to respond following consideration of the specific circumstances of that authority. Clearly many authorities have provided information whilst others refuse. One response is not binding on another public authority’s decision.”
PublicTechnology had complained that little evidence had been provided in support of the claims made by HM Land Registry. We also argued that the risk of cyberattack being perpetrated on government did not stem from knowledge of the use of unsupported systems, but from the continued use of those systems in the first place – a risk that is created by government, and in which the public has a legitimate interest.
Supporting evidence
The commissioner acknowledged that the response to our initial requests had “contained little evidence”.
But further engagement with HM Land Registry had demonstrated a “sufficient real and significant risk” that supported the decision not to release the information.
“She agrees that unsupported technology is not desirable, particularly if this increases the risk of cyberattack,” the commissioner’s office told us. “However, although disclosure of this information may inform the world at large, confirming or denying this to be the situation may flag a potential vulnerability to those wishing to make use of such an opportunity. She does not consider there to be a compelling public interest in such a confirmation or denial. She is not convinced that, as you advise, knowing whether or not the Land Registry ‘owns unsupported technology’ is in favour of the public interest.”
While our case was being looked at by the ICO, think tank the Institute for Government published its annual Whitehall Monitor report in which it identified several “warning signs of government becoming less open”.
As well as an increasing tendency for mandated transparency data to be released by departments “late, if at all”, the IfG also reported a marked decline, over a period of years, in the proportion of FOI requests being granted.
During the third quarter of 2019, a total of 9,654 requests were made to central government, of which just 39% were granted in full. A further 11% were partially granted.
In 44% of cases, the information requested was entirely withheld. This compares with 25% in the corresponding period of 2010, and 15% in Q3 2005 – five years after the FOI Act was introduced.
In the last couple of years, government and the wider public sector have frequently advocated the benefits of better use of data, and talked of the need to improve the ways in which information is gathered, analysed, and shared.
Just not always, it seems, with the citizens it serves.
This article is part of PublicTechnology’s Cyber Week, a dedicated programme of content focused on the threats facing the public sector and the country at large, and how government can best respond. Throughout the week, which is brought to you in association with CyberArk, we will publish interviews, features, analysis and exclusive research looking at – in chronological order – the cyber landscape for defence and national security, businesses, citizens, the NHS, and, finally, central and local government.