US Navy Pays Millions for Extended Windows XP Support

The US Navy last year entered into a Microsoft Custom Support Agreement (MCSA) so it can continue using Windows XP past that OS’s support expiration. And the Navy is paying big bucks to stay this far behind: that MCSA set it back $9.1 million for one year, and could cost up to $30 million before the OS migration is complete.

News of the Navy’s plans was first spotted by Ars Technica.

“Windows XP has reached end of life and the vendor will no longer employ support system upgrades or mitigation of vulnerabilities,” the Navy notes in a 2014 internal memo. “To ensure end-to-end cyber security posture and enterprise configuration management, Navy will accelerate the process to eradicate the remaining WIN XP instances and support a migration effort to Microsoft’s Windows 7.”

The Navy contracted with Microsoft in April 2014, around the time of XP’s support expiration, to extend support for approximately 100,000 workstations that still use Windows XP and Office 2003. The support contract also includes Exchange 2003, which the Navy notes has also “reached the end of maintenance period.” The Navy is also using Windows Server 2003, for which support expires on July 14, 2015, just a few weeks from now.

The Navy has allegedly been working on migrating from these systems since 2013. And according to a September 2014 memo, the Navy’s MCSA originally extended through April 2015, so it was supposed to be a one-year contract. But the Ars report suggests that the Navy was not able to complete its migration to Windows 7 by that time, and that “many shipboard systems would need support long after April 2015.” (That memo explains that such an extension was likely.) So the assumption is that the Navy is still using Windows XP today.

What’s odd about this affair is that the Navy doesn’t mention in its memos the typical compatibility issues that accompany most decisions to remain on an older, out-of-date Windows version. Instead, it only cites the use of equally out-of-date Office and Exchange versions, both of which are also made by Microsoft and available in newer, more secure renditions.

But a Navy spokesperson says such issues do exist.

“The Navy relies on a number of legacy applications and programs that are reliant on legacy Windows products,” Space and Naval Warfare Systems Command spokesperson Steven Davis says. “Until those applications and programs are modernized or phased out, this continuity of services is required to maintain operational effectiveness.” That might not happen until as late as 2017, which would raise the value of the support contract past $30 million.

And while even $30 million is a drop in the bucket for an arm of the US military, it’s still reasonable to question why the Navy is using tax dollars to fund the ongoing use of expired, insecure software, especially in this age of cyberwarfare and rampant attacks on the US government. Indeed, one of the publicly available Navy memos says that it uses unsupported Microsoft software in “critical command and control systems” on both ships and land-based installations. And the Navy admits that a successful intrusion “could lead to loss of data integrity, network performance and the inability to meet mission readiness of critical networks.”

Of course, the US Navy isn’t alone in sticking with the obsolete Windows XP. The Internal Revenue Service and other US governmental agencies are still using Windows XP as well and have signed expensive support contracts while they plot migrations to newer Windows versions.