Today I asked the Commission the following written question:
The recent Wannacry and Petya ransomware attacks once more highlighted the need for using the most up-to-date software to secure communications, data and critical infrastructure. Microsoft XP was particularly vulnerable to Wannacry, especially since no security updates were provided by the company after 2014. Providing software updates after sales is a public good when critical infrastructure depends on legacy software.
1. The desktop computing environment of European institutions is dependent on Microsoft software products since 1993. What is the total value of all ongoing contracts between Microsoft and the European Commission?
2. DG Digit states that one of the "main challenges in the area of vulnerability management will be to systematically target and reduce structural vulnerabilities due to a legacy of information systems that have not been developed with security in mind and to achieve target patch rates of days and in critical cases of hours across the Commission".(*) How does the Commission assess its cooperation with Microsoft in this context?
3. In what ways can the European Union institutions, as customers of legacy software, and as guardians of the public interest, ensure software remains updated and safe, to avoid vulnerability to attacks?