Why is the US Navy using obsolete operating system Microsoft Windows XP to run critical tasks?

The US Navy has just paid Microsoft millions of dollars in order to keep using Windows XP, on which many of its critical warfare computer systems reside.

The Navy wants to keep using the obsolete operating system and programs such as Office 2003, Exchange 2003 and Windows Server 2003, which Microsoft no longer supports.

To get around this and to keep the Space and Naval Warfare Systems Command, which runs the Navy's communications and information networks, working smoothly, the Navy has signed a $9.1m (£5.8m) contract with Microsoft so it continues to provide security patches for the obsolete programs.

But it is not the only major organisation that still uses software that is out of date. A 30-year-old Commodore Amiga computer is still being used to control the heating and air conditioning for an entire district of 19 schools in Michigan, US.

And in Japan, the Tokyo Electric Power Co was ordered in May to stop using Windows XP to run 48,000 computers at the Fukushima nuclear power plant as a way to save money since the power plant meltdown in 2011.

So why do corporations and big governments continue to leave critical systems to obsolete operating systems even though security vulnerabilities and large-scale hacking are now a dime a dozen, which puts the public at risk?

Trying to save money only to spend more later on

"It all comes down to money and resources. There can be a significant cost in terms of time, people and software licences when it comes to rolling out new versions of operating systems. Hardware may need to be upgraded to run new operating systems for instance, which may require computers to be visited in person and replaced," security analyst Graham Cluley told IBTimes UK.

"If the IT department hasn't got the buy-in from the bosses, then budgets may not have been released to do the work. Of course, organisations have known for years that Windows XP's days are numbered, so my sympathy is limited."

But sometimes it is not just about it costing too much to migrate to a new system, as the US Navy has shown by willingly spending millions with Microsoft to stick with Windows XP.

"Companies prefer to save money by outsourcing, so rather than outsourcing to companies that respect secure coding standards, when companies buy software, they just tend to choose the cheapest options they can find," High-Tech Bridge CEO Ilia Kolochenko told IBTimes UK.

"They forget that the software code must be compatible with being upgraded. They just check the software works OK today, and then say OK thanks, goodbye."

Ending up with a system no one knows how to use or update

By buying software and only caring whether it works today, companies and governments are setting themselves up for a fall, as programs can often be built out of "spaghetti code" that is incredibly difficult to understand, making it impossible to update.

In one extreme case, the British Army built an artillery ballistics system in the 1960s and continued to use it until the late 1980s, when there was only one person in the world who still knew how it worked – a 70-year-old woman.

Kolochenko says if the obsolete operating system or software is not accessible from the outside world or on any network, it can still be considered to be secure, but he says that is not the point.

"It's not a matter of security, it's more that if someone is obliged to keep something running on an obsolete system, it's the wrong approach to information security completely. When software is designed, it should be designed in such a way as to allow engineers to port the software to a new system," he said.

Apart from the money they will waste in the future, companies also need to consider their customers and users too.

Cluley said: "It's worth remembering that anyone running an obsolete operating system is not only putting themselves at risk, but also other computers on the internet at risk too, as poorly protected PCs are often used to launch attacks on others."