Met Police moves slowly away from Windows XP

Conservatives in GLA claim that slow progress in migration away from the operating system is creating cyber vulnerabilities

Conservative Party members of the Greater London Assembly have claimed the Metropolitan Police remains at risk of cyber attack due to slow progress in moving away from using the Windows XP operating system in its IT estate.

Assembly member Steve O’Connell has raised the issue – which surfaced last year after enquiries from his colleague Andrew Boff – after receiving a reply from Mayor Sadiq Khan to a question on operating systems used by the Met Police.

Khan said the latest figures showed that more than half of the machines – totalling 18,293 on the corporate network and 2,458 standalone – continue to run on the system for which Microsoft withdrew general support three years ago. This compares with 14,450 now on Windows 8.1 and just eight on Windows 10.

It shows that some progress has been made since August of last year but there is a still a long way to go with the migration. At the time of the earlier request the police service had a deal with Microsoft for it to provide support for machines running on Windows XP that was due to expire in April. UKAuthority has asked whether this has been extended.

Steve O'ConnellO’Connell (pictured) pointed to the recent cyber attacks that affected Parliament and the NHS to indicate that the situation creates a significant threat. In addition, the issue was noted in a recent audit of the Met Police’s data protection arrangements by the Information Commissioner’s Office.

“The Met is working towards upgrading its software but in its current state it’s like a fish swimming in a pool of sharks,” O’Connell said. “The recent patch issued by Microsoft and the ICO audit shows there is significant industry concern.

“It is vital the Met is given the resources to step up its upgrade timeline before we see another cyber attack with nationwide security implications.”

In response, the Metropolitan Police acknowledge that its IT refresh programme has run into difficulties, but said it has been taking steps to reinforce security.

Legacy software issue

“The upgrade programme is not as simple as it would be for many other organisations due to the amount of specialist legacy software upon which parts of the Metropolitan Police Service (MPS) still rely,” it said in a statement.

“Replacements or remediation for this software that are compatible with a more modern operating system have to be ready before the roll out is completed to ensure continued operational effectiveness.

“We have completed the upgrade of just over 17,000 devices to Windows 8.1, and this reduces the number of desktops running previous XP to around 10,000.

“The entire Met ICT estate has a number of layers of industry leading security, which we have been monitoring closely over the past 24 hours. The MPS estate currently remains un impacted by the cyber attack and our security checks continue.”

Image from GLA Conservatives