Why the Military Can’t Quit Windows XP

The Pentagon’s recent push to upgrade to Windows 10 won’t leave all legacy Microsoft products behind.

GIF: A Navy ship with a rotating refresh button.
Lisa Larson-Walker

This article is part of Update or Die, a series from Future Tense about how businesses and other organizations keep up with technological change—and the cost of falling behind.

When most organizations are deciding whether to upgrade their computers to the latest version of Microsoft Windows, they don’t have to worry about life-and-death consequences. One exception to that rule is the U.S. Department of Defense: the nation’s largest employer and a globe-spanning organization that must consider both cybersecurity risks and potentially fatal consequences related to computer failures when making the choice to abandon legacy operating systems such as Windows XP.

The military’s long-standing relationship with Windows XP is not unusual. Many PC users and companies clung to Windows XP long after its 2001 debut and refused to upgrade to follow-up Windows versions. In 2014, when Microsoft officially ended support for the aging operating system, Windows XP still accounted for 30 percent of operating systems worldwide. At the time, officials estimated that 3 percent of the Pentagon’s several million computers were still running Windows XP. That same year, a Navy official issued a directive titled “Windows XP Eradication Efforts.” But the mission-critical functions of some of those computers can defy straightforward upgrades—which is why the Pentagon has often found it easier to occasionally give Microsoft multimillion-dollar contract for supporting specialized systems running on Windows XP, Windows 2003, and other legacy Microsoft products.

The downsides of legacy computing systems start to pile up as time goes on. Any legacy system will lag more behind the latest state-of-the-art computing to the point where “you start to feel like it’s being held together with chewing gum and duct tape,” says Cynthia Dion-Schwarz, a senior scientist at the RAND Corp. and former director of information systems and cybersecurity research at the U.S. Department of Defense. Military personnel may also find it more difficult to use older systems because of outdated or clunky interfaces.

But the biggest risk for the U.S. military or any organization in relying on legacy systems is in cybersecurity. The latest and most popular versions of Windows benefit from ordinary customers helping to discover security vulnerabilities or bugs through normal computer use, which reduces the risk of undiscovered system flaws remaining undiscovered and open to exploitation by malicious hackers. That’s no small consideration given how hackers would likely be looking to exploit flaws in Windows XP or other legacy systems in use by the U.S. military.

“Even if you’re paying Microsoft to patch it, what you don’t have is the benefit of millions or billions of users discovering in real-time flaws and then Microsoft jumping in to patch that,” Dion-Schwarz says.

In early 2016, the Pentagon committed itself to the unprecedented move of upgrading computers across the entire organization to run on Microsoft Windows 10. The announcement came eight months after a U.S. Navy contract asking for Microsoft support on Windows XP and other legacy Microsoft products attracted a slew of news headlines such as “U.S. Navy Paid Millions to Stay on Windows XP.” But even as the U.S. Department of Defense looks to complete the Windows 10 upgrade by the end of this year, it’s still using some legacy Windows products—and not because of nostalgia for Bliss, XP’s iconic desktop image.

The challenges of upgrading military office computers that handle administrative tasks aren’t that different from those facing any other large enterprise, says Sasha Romanosky, a policy researcher at the RAND Corp. and former cyberpolicy adviser at the Office of the Secretary of Defense for Policy in the U.S. Department of Defense. The U.S. Army alone upgraded 950,000 office IT computers to Windows 10 and became the first major military branch to complete the Windows 10 upgrade push in January 2018. The U.S. Air Force targeted its upgrade completion for March 2018, whereas the Navy has said that it hopes to complete its Windows 10 push by this summer.

But that’s only part of the story. “You’re dealing with a lot of [machines] that aren’t contained in a nice office,” says Romanosky. “They’re floating all over the seas and in the air and all around the world.” Unlike your average megacorporation, the Pentagon has to secure and update computer systems that support military operations and sometimes even directly control the navigation or weapons systems for tanks, warplanes, and warships.

Those specialized computers—what Dion-Schwartz likes to call “Windows boxes”— are crucial for military operations on land, sea, and air. Some of the Windows boxes may help issue orders or communicate information about what’s happening during both active battlefield firefights and ordinary operations, such as a Navy warship on patrol. Others may directly integrate with weapons systems.

Such Windows boxes are usually hosting specialized software packages and sometimes integrated with middleware clients. What might normally be a simple upgrade turns into a far more complex challenge of making sure that all the related software and computer systems can also run smoothly with new Windows versions. The U.S. military may also need to pay additional money for upgrades and testing regarding such software and middleware—a necessary step to ensure nothing goes haywire at the wrong time.

“Many of the systems directly affect the life, safety, and health of our soldiers and civilians,” says Thomas Sasala, director of the U.S. Army Architecture Integration Center and chief data officer. “We cannot risk deploying a mission critical solution to the field and have it fail during a critical mission.”

So it’s no surprise that the Pentagon’s current Windows 10 upgrade plans seem focused on office computers rather than mission-critical systems. The Army has just begun to upgrade specialized systems related to “industrial control systems, medical devices, and weapon systems,” and has not yet scheduled any completion dates, Sasala says. The U.S. Navy and U.S. Air Force did not get back to Slate with an official response before publication.

Getting rid of XP once and for all will probably require attempts to re-engineer some military hardware and software so they’re not as dependent upon specific operating systems, which could make future upgrades easier, according to Dion-Schwarz. But she does not envision the Pentagon getting away from the dilemmas of the upgrade cycle anytime soon.

“I think they are going to have to continue to deal with this,” Dion-Schwarz says. “You and I will have a conversation again in 10 years about DOD’s strategy to upgrade to Windows 12 or 15.”