Patching up old systems prolongs the problem
Imagine a world in which cars have a life of only two or three years, but where customers are happy to keep upgrading models given exciting new uses for their vehicles. That describes the PC business in its heyday. The combination of increasingly powerful chips from Intel and operating systems from Microsoft made possible new applications. Customers were happy to switch to new machines. But what happens when the reasons to keep upgrading recede and the streets start to fill with old — and potentially unsafe — bangers?
That problem struck home with a vengeance with last week’s global contagion of the ransomware known as WannaCry. An estimated 7 per cent of PCs — and an unknown number of other pieces of digital equipment — still depend on Windows XP, which dates from 2001. Microsoft stopped providing its standard support for the software in 2014. That meant users did not automatically get fixes if new flaws were uncovered, which is not unusual for such a complex piece of software. The unpatched software provided fertile ground for the malware.
The results highlight the problems caused by a business model that was not designed for keeping technology on long-term life support. While software makers are not legally liable for their products, companies like Microsoft typically provide fixes for a set period. At some point, however, the cost of providing maintenance to a dwindling number of machines makes it uneconomic to continue.
Customers cannot say they were not warned. Microsoft put them on notice that XP’s days were numbered when it moved the software on to “extended support” in 2009 — an indication that the clock was ticking. It ended up supplying fixes for another five years: after that, using an unpatched machine with XP was like driving a car when no one would vouch for its safety.
But moving to a new IT system is not as simple as buying a new car. Companies sometimes run custom applications for some tasks, and may face high costs if they have to rewrite them to run on a new operating system. The software is also embedded in pieces of equipment designed to have a much longer life than the average PC. The UK’s National Health Service has MRI scanners that depend on XP — although it was not the MRI machines that succumbed to the ransomware attack and forced hospitals to turn away patients. As a result, Microsoft has been left with a predicament. On the one hand, it has an obligation to its customers — and other road users — to make sure all the old vehicles on the streets are safe. On the other, it has to persuade people that the only truly safe option is to buy a new car.
Its answer has been to keep providing patches — but only if customers pay for high-priced “custom” support contracts. The cost of these arrangements escalates over time, with prices rising to $1,000 a year for each device. The price might seem reasonable to keep an expensive piece of gear like an MRI machine in service, although it far exceeds the cost of today’s cheapest PCs. This gives customers a financial incentive to upgrade their equipment. Instead of biting the bullet, however, some choose simply to drop the tech insurance.
The arrangement risks tarnishing Microsoft’s reputation — and not just because it produced the flawed software in the first place. The company makes no friends by charging high prices for custom support. It also ends up in a position where it has the patches needed to make all XP machines safe but then withholds them from some users. The severity of the WannaCry attack forced it to bend last week and make the fix available free of charge to all.
The ransomware shock may finally prompt more XP users to upgrade. Microsoft may also end up rethinking its policy and providing all urgent patches for old software free of charge, although it has given no indication yet of doing so.
There is also reason for optimism with the shift to cloud computing. This business model involves customers paying a regular subscription to use technology as a service: it is up to the cloud companies to maintain IT systems to the highest standards so that service levels do not suffer. Microsoft has been working hard to convince Wall Street that this also opens up a much bigger market for the tech companies.
Old IT systems, however, often live many years longer than their designers expected. Despite the recriminations left in its wake, WannaCry is not likely to mark an end.