Friday 30th July 2010
A petition on the HMG.gov.uk website recently asked the government to upgrade away from IE6, and to make sure that all its browser software was patched to the latest version of IE8. This seems like a fairly reasonable thing to ask our government to do, both in respect of our information security, which is compromised by this old insecure browser, and in respect of our national reputation as a technology leader and innovator.
However, government has responded to say they won't be upgrading from IE6, and have issued a fairly lamentable statement explaining why they won't.
Here below we are going to quote and translate that response:
In response to the concerns of many people regarding the security of Internet Explorer 6 and the use of this software by Government Departments, the Cabinet Office can confirm that the Government takes internet security very seriously.
Government departments lost personal details on millions of people over the past few years. We even posted a large unencrypted database of personal data and bank details via normal postal service and lost it. That should be an indicator of just how seriously we take information security.
This has been reflected in recent changes to the Information Security and Assurance team and the Office of Cyber Security within the Cabinet Office which are in the process of merging together to lead a joined-up approach to information assurance and cyber security strategy and policy.
Because we've so demonstrably cocked up in the past, we've created a special team who can be blamed for future cock ups.
Complex software will always have vulnerabilities and motivated adversaries will always work to discover and take advantage of them.
This is absolutely true and irrefutable. We're hoping to blind you with a small truth here.
Of course, logically, this in turn means that a ten year old piece of software such as Internet Explorer 6 will have lots and lots of known and proven security issues, some of which won't be patched properly, because the software is now out of core support with its manufacturer.
However we're hoping that you won't pick us up on this point.
There is no evidence that upgrading away from the latest fully patched versions of Internet Explorer to other browsers will make users more secure.
This is deliberately misworded. We are about to tell you that we won't be upgrading to the "latest fully patched versions of Internet Explorer" (IE8). In fact, we're refusing to upgrade away from a fully patched version of a ten year old browser (IE6). There's lots of evidence that IE 6 creates security problems. The famous Google systems hack last year was entirely down to a hacker remotely exploiting a vulnerability in IE 6.
Google know what they are doing, and they still got caught out by using IE 6. They have since removed it entirely from their network.
Regular software patching and updating will help defend against the latest threats.
Of course, the fact that IE 6 is no longer fully supported by Microsoft means that these patches are becoming fewer and less comprehensive. We're hoping you won't pick us up on that either.
When IE6 loses support altogether in 2014, we will have to upgrade. In the meantime, we're going to store up a huge IT problem for the country, and compromise every UK voter's security for the next 4 years.
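Before any department can plan the upgrade it needs to know how big its IE6 population actually is, and the cheapest place to measure that is the User-Agent field of its own intranet web server logs. The script below is an added example written for this post, not code from the blog or from any government department; it assumes Apache "combined" log format and uses a few constructed log lines as input. It goes slightly beyond the post in one respect: from IE8 onwards the browser also sends a Trident/N token, and when a site runs in Compatibility View the MSIE token is lowered (IE8 reports itself as MSIE 7.0) while Trident is not, so counting on the MSIE token alone would under-report IE8 and over-report IE7.

```python
import re
from collections import Counter
from typing import Optional

# Constructed sample of Apache "combined" format access-log lines (not real traffic).
SAMPLE_LOG = """\
10.0.0.12 - - [30/Jul/2010:09:14:02 +0100] "GET /intranet/ HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
10.0.0.13 - - [30/Jul/2010:09:14:05 +0100] "GET /intranet/ HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)"
10.0.0.14 - - [30/Jul/2010:09:14:09 +0100] "GET /intranet/ HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; Trident/4.0)"
10.0.0.15 - - [30/Jul/2010:09:14:11 +0100] "GET /intranet/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.2.8) Gecko/20100722 Firefox/3.6.8"
10.0.0.16 - - [30/Jul/2010:09:14:15 +0100] "GET /intranet/ HTTP/1.1" 200 5120 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
"""

# In combined format the User-Agent is the last double-quoted field on the line.
UA_FIELD = re.compile(r'"([^"]*)"\s*$')
MSIE_TOKEN = re.compile(r'MSIE (\d+)\.')
TRIDENT_TOKEN = re.compile(r'Trident/(\d+)\.')


def user_agent(line: str) -> Optional[str]:
    """Extract the User-Agent string from one log line, or None if absent."""
    m = UA_FIELD.search(line)
    return m.group(1) if m else None


def ie_major_version(ua: str) -> Optional[int]:
    """Return the real IE major version, or None for non-IE agents.

    IE8 and later advertise Trident/N where N is (major version - 4).
    Compatibility View lowers the MSIE token but leaves Trident alone,
    so Trident is the reliable indicator when it is present.
    """
    msie = MSIE_TOKEN.search(ua)
    if not msie:
        return None
    trident = TRIDENT_TOKEN.search(ua)
    if trident:
        return int(trident.group(1)) + 4
    return int(msie.group(1))


def browser_inventory(log_text: str) -> Counter:
    """Count log lines per browser label; IE versions are labelled 'IE<N>'."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        ua = user_agent(line)
        if ua is None:
            continue
        v = ie_major_version(ua)
        counts[f"IE{v}" if v is not None else "other"] += 1
    return counts


def ie6_share(log_text: str) -> float:
    """Fraction of requests that came from IE6 (0.0 for an empty log)."""
    counts = browser_inventory(log_text)
    total = sum(counts.values())
    return counts["IE6"] / total if total else 0.0


if __name__ == "__main__":
    inventory = browser_inventory(SAMPLE_LOG)
    for label, n in sorted(inventory.items()):
        print(f"{label:6s} {n}")
    print(f"IE6 share: {ie6_share(SAMPLE_LOG):.0%}")
```

Run against a real access log (`browser_inventory(open("access.log").read())`) the counts give a department a concrete number to put against the "months of testing" cost argument, and re-running it each month shows whether the IE6 share is actually falling.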
The Government continues to work with Microsoft and other internet browser suppliers to understand the security of the products used by HMG, including Internet Explorer, and we welcome the work that Microsoft are continuing to do on delivering security solutions which are deployed as quickly as possible to all Internet Explorer users.
Microsoft has delivered their definitive secure solution. It is called Internet Explorer 8; we are refusing to use it.
Each Department is responsible for managing the risks to its IT systems based on Government Information Assurance policy and technical advice from CESG, the National Technical Authority for Information Assurance. Part of this advice is that regular software patching and updating will help defend against the latest threats. It is for individual departments to make the decision on how best to manage the risk based on this clear guidance. Public sector organisations are free to identify software that supports their business needs as long as it adheres to appropriate standards. Also, the cost-effectiveness of system upgrade depends on the circumstances of the individual department’s requirements.
We're going to put this off until a disaster happens, or until it becomes impossible to support this creaking old software any longer.
It is not straightforward for HMG departments to upgrade IE versions on their systems.
...therefore we're not going to even start doing it, or make a plan to do so, until it turns into an embarrassing catastrophe.
Upgrading these systems to IE8 can be a very large operation, taking weeks to test and roll out to all users. To test all the web applications currently used by HMG departments can take months at significant potential cost to the taxpayer.
Rather than mandate a plan for change, we're going to bury our head in the sand until the eventual bill for fixing this has doubled.
It is therefore more cost effective in many cases to continue to use IE6 and rely on other measures, such as firewalls and malware scanning software, to further protect public sector internet users.
The people who are advising us on data security have given up and are currently crying into their beer.
There. We hope that's helped clarify things for everybody. Always glad to be of service.