Sweden leaks secret intranet and databases to Russia

This is about a week old, but a pretty big deal. What a monumental screw up:

The Swedish administration is leaking its secret intranet and databases to Russia, via its Transport Agency, via the IBM cloud, via IBM’s subcontractor NCR (formerly AT&T) in Serbia, which is a close Russian military ally. Giving staff in Serbia administrative access to these networks practically guarantees that Russia also has access to the network. The European Union’s secure STESTA network is also connected to the leaked intranet. But this is not about geopolitics and who’s allied with whom, but about how an administration tries to quiet down and gloss over an apocalyptically stupid and monstrously damaging data leak.

That the procurement procedure did not take into account how to handle classified data (let alone the bog-standard data protection rules) is beyond comprehension. Well, not really: it is another piece of evidence that even supposedly capable procurement bodies do not understand technology or the implications arising from their choices, let alone how to deal with the risks arising from the contract.

European Commission fines Google €2.4B but that is just the start of the story

The European Commission has just fined Google for abuse of dominant position, for giving an illegal advantage to its own comparison shopping service in search results. The fine is big (€2.4B), but it is simply the beginning of a long story rather than the closure of one.

The decision also requires Google to cease its infringing practice within 90 days, leaving squarely on the company's shoulders the task of explaining how it intends to comply with the order. As the Commission did not mandate any specific remedies, this is bound to become particularly problematic.

It is likely Google will appeal the fine and drag its feet on changing the way it operates, for two reasons. First, there is no incentive to do otherwise: paying the fine and changing practice would be an admission of wrongdoing, and no manager wants to have a €2.4B hole in its finances to explain. So we can expect Google to drag this through the courts. Second, the process takes so long that the real final decision (assuming it maintains the current one) may well be 10+ years away from now. What will be the purpose of changing search results then? And inflation will eat into that €2.4B fine. Plus, from the perspective of Google's executives, a protracted court battle means that when closure happens they will most likely all be long gone.

As I argued last year in this blog, the current abuse of dominant position rules are not the correct deterrent to solve this issue, as they are too slow to be useful. In a world where technology waves become shorter and shorter, speed is of the essence for competition enforcement too. I called at the time for abuse of dominant position enforcement to either be sped up or, alternatively, dropped altogether. I maintain most of that view and would suggest looking into merger control rules as an alternative.

In any event, today's decision is simply the start of a long drawn out process.

Information security needs to be taken seriously in public procurement

Good article on the Local Government Lawyer about information security:

Information security encompasses the strategies for managing the processes, tools and policies to prevent, identify, document, and counter threats to both digital and non-digital information. Procurement practitioners must be aware of the potential risks of information breaches in their day-to-day business. The nature of public procurement demands that measures to protect information security are an integral part of the process throughout the cycle of the procurement, including at the point of service delivery. The handling of sensitive information and the sharing of information with suppliers makes the topic a key concern for procurement officials. Information at risk includes:

bid information;
financial information;
organisation information, such as intellectual property; and
service user information.

That is all true, but the problem of information security/management does not apply only for the duration of the procurement procedure. It applies to contract performance as well, something that, as we saw a few weeks ago with the NHS ransomware attack, is not really taken into account today.

Not all contracts are showing up on ContractsFinder

Last week Ian Makgill from OpenOpps and SpendNetwork published this stat:

Having compared all of the opportunities that we’ve gathered over the past two years, with all of the opportunities on Contracts Finder, we found nearly 100,000 tenders that never made it to Contracts Finder, that’s 73% of all the tenders published in England. This is despite the recommendations in Lord Young’s 2015 report that all opportunities above certain thresholds should be published to Contracts Finder.

It's a big number, but one we should not be surprised to see. First, according to Regulation 109 of PCR2015, below the EU financial thresholds the obligation covers Central Government (from £10,000 upwards), the NHS and sub-central contracting authorities (from £25,000 upwards), but not authorities based in Scotland, Wales or Northern Ireland.

Nonetheless, this is another example of poor legislative drafting, one that takes into account neither incentives nor the usual way contracting authorities operate. Assuming the legislative change was introduced because not enough contracts were being advertised, the status quo ante is that contracting authorities do not see an advantage in advertising. As such, specific incentives need to be provided to get contracting authorities to change their practice.

Those incentives tend to be of the "stick" kind, i.e. negative consequences for non-compliance. But in a country with limited use of judicial review mechanisms, and where secrecy of awarded contracts is the norm rather than the exception, the risks of being found out are quite limited. I am not arguing for the courts to be stuck with low-value procurement challenges (ahem, I'm looking at you, Portugal), but without clear consequences and enforcement mechanisms practice will not change.

This is, after all, the country where it is apparently acceptable for a contracting authority in large-scale projects to take shortcuts with its record keeping, so who cares about what is happening in low-value contracts?

Some further thoughts on the European Single Procurement Document

A couple of days ago, Timo Rantanen posted on Facebook the following comments about the ESPD (reprinted with his permission). I will provide my own responses inline, and expand a little bit on some of the ideas included in my recent paper about the ESPD.

"- not all countries and CAs have required the attestations from EOs when submitting the tender when 2004 Directive was in power. At least in Nordic countries it was already common to require self-declarations from EO at the time of submitting the tender. Most of these were not standardised like ESPD is - so the EO had to fill in different styles of self-declarations for each procedure and CA. However, these were MUCH easier and shorter for EOs to reply."

Agreed, that was the case in Portugal as well (and in the small number of pilots I ran here in the UK). However, the problem with that approach from a systems perspective is that it creates "national islands", which end up making life more difficult for economic operators wanting to bid for cross-border contracts. The ESPD trades flexibility (being shorter and easier) for a standardised approach in all Member States, the same way the shipping container traded flexibility for the standardisation of cargo.

"ESPD on lots: planned new 2.0.0 version includes 'improved handling of lots' (See: https://github.com/ESPD/ESPD-EDM). However, to me this is far too complicated for EOs and I hope it would vanish from the final version. If the CA uses lots it can do separate XML files for each lot if and when the selection criteria vary (the exclusion criteria are in most cases always the same). Hence, EO would only need to read in and fill in XML files for those lots that it bids for. Personally, I think this importing and exporting of XML files is a crappy solution. We can do much better (and at least we have in 🇫🇮) by doing our own national solution inside our eTendering platform that still complies with the Commission Data Model."

I don't know enough about the technology implications (hey, I could not code a "Hello World!" if my life depended on it!), but if I read correctly, there is still room for improvement both in the standard and in national implementations where the standard does not offer the granularity required.

"A philosophical thought: in eTendering and when making the invitation to tender as structured data (I wish everyone would get rid of those darn PDFs) it is very easy to make each lot a separate call for tender. Why do we need this lot thing anymore? I think the main reason for using lots was the CAs' laziness in paper world to provide separate piles of paper for each call for tender. But in electronic form it is just copy-paste and changing information in the few places where it varies between lots. Or actually this can and should be done even without copy-paste as one call for tender can act as master to all others."

That's a very good point, and it drives home the message that lots are in reality no more than smaller contracts which could be disaggregated if it wasn't for the current "bundle everything up as much as possible" mantra. What you have highlighted here is the persistence of the previous paradigm irrespective of the technological change that was introduced. We use PDFs and not structured data because plain text is what we have been doing so far on paper. Even the PDF is a representation of the paper we used before!

Remember when in the 90s the internet was referred to as "cyberspace" (it still is in the criminal law area...) and we would "surf" the internet as one surfs the waves? Those metaphors are quite useful for describing the new world during a transition period from technology A to technology B. It can be quick or slow. For example, we still refer to car power in "horsepower," but at least that metric is not present in electric cars!

"- ESPD and other entities: (relied or not relied on): when discussing the version 2.0.0 it was decided to use term 'entity' in meaning of both relied on other companies and those that are not relied on. So the version 2.0.0 no longer uses term subcontractor but talks about entities relied on and entities not relied on. Tricky!"

Well, if that is the case then we are bound for some confusion down the line. Any idea on the rationale to use the same term to describe two very clearly distinct underlying concepts?

"- Commission ESPD Service: I would like to see the Commission ESPD Service to be shut down soonest possible. It contains too many errors, particularly translation errors, that using it may cause also legal problems if a country has not transposed the Directives 'as is' but has done some 'gold plating'. The Commission should maintain the ESPD data model and require the Member States to comply with it in their national solutions (build inside eTendering solutions). Further, the ESPD Service is written in 'the Commission English' or 'the Commission Portuguese' that is very alien to sales reps in companies - especially SMEs. Can you imagine them understanding what 'entity relied upon' means! Also, the Commission has indicated that it would like to shut down the ESPD Service in 2019 by which time all countries and suppliers of eTendering solutions should have implemented their own ESPDs. At the moment I do not see this happening and the big MS have done little to implement national ESPDs that would comply with the commission data model."

Whether we like it or not, the Commission ESPD service is fundamental at this time, since the Commission guessed (correctly) that Member States would not do their homework in time for the transposition of the Directives, even with the extension for electronic procurement until 2018. Upon reflection, I think you are right, however, that making the service available for longer than needed will reduce the incentive for Member States to actually implement the ESPD in their national systems. After all, why spend money if the canonical version is available for free?

An alternative would be instead to keep it going for the foreseeable future, keeping it in sync with updates to the underlying data model and working out its kinks. You correctly highlighted one: language. The more inaccessible the language is, the more SMEs will be turned off from participating in public procurement. This is an area of interest to me and one I hope to work on in the future. I had not considered doing so within the context of the ESPD, but perhaps that would be an interesting angle.

"- Costs related to ESPD: while it is true and I do agree and support reducing transactions costs related to bidding, everything that is 'won' by introducing ESPD is lost with the need for awarded supplier to present the excerpt of criminal records. This is an arising issue at least in the Nordic countries. Let me give a real life example: the Directive requires the self-declaration to be replaced by official documents - in this case excerpt of criminal records. With the 2004 Directive we only requested these documents if we had a hunch that something fishy is taking place (as professional buyers we are pretty good 😊 in detecting this kind of foul play. Often we can smell it when opening the bids). Now we need to get this damned criminal records excerpt from numerous persons and we have no idea who should present us their records. We had a case that included awarded suppliers for Finland, Denmark and the UK. We searched far and wide (eCertis was of little help) what we should request from the supplier and its relied on partners. Finland was easy for us, somehow also Denmark but the UK proved difficult as we found out that there was no criminal records database and self-declaration (that we already had in ESPD) would be the only thing we'd get from the 🇬🇧. Now, this puts suppliers on unequal ground: Finnish supplier needed to present us some 20 excerpts of criminal records each costing 12 € + the company criminal record costing 22€. I do not know what the Danish costs were but the UK relied on company only needed to provide us one piece of paper stating that all persons (see the exact wording of the Directive) involved do not have entries in criminal records. In another case we had a FA where we needed to see some 200+ persons' criminal records. It took nearly two months to get these as some people were away and could not request their excerpt online. In many countries there are serious data protection and privacy issues with the criminal records."

Let's unpack this: self-declaration is different from providing documentary evidence afterwards. By internalising the cost in the contracting authority, it forces the contracting authority to consider which information to request and also from which economic operators. If you use the open procedure, there is no obligation for you to check the information of all economic operators; you can simply check the information of the winner. Therefore you will be incurring the transaction cost for one economic operator instead of all of them. Why do you need to check that information from everyone? What is the added value?

The inequality you mention was already present in some Member States that required criminal records. Portugal and Spain would traditionally ask for those certificates in each tender, although Portugal switched in 2009 to self-declaration with information checking of the winner only. By asking for evidence only from the winner you are negating that unequal treatment: the costs of certificates are different across Member States, the same way corporate tax rates or minimum wages are (and we don't consider those a source of unequal treatment).

It is true that the final bit of Article 57(1) is too broad by demanding that the information be checked for administrative(?), management and supervisory bodies, or for those individuals with powers of representation, decision or control. It would have been preferable to restrict that to management and to those with powers of representation, decision or control relevant for that contract. That is not the case, and so, another reason to simply ask for those certificates from the winners. Having said that, I would argue that on a de minimis principle there is reason to interpret the requirement as covering those involved in the tender, at least for those with powers of representation, decision or control.

As for who is going to be more affected by this measure: clearly bigger economic operators with complex governance structures will face higher costs. They will also adapt more quickly to those requirements. SMEs will have more difficulty if those requirements were not already common in the country, and yet again that is a reason to interpret the requirements in the lightest way possible.

One final word on eCertis: yes, it is not useful today because there is no information in there, a classic chicken-and-egg situation. eCertis is subject to Metcalfe's law, as its usefulness grows proportionally to the square of the number of nodes (data sources, in this case) present. It can be useful in the future if everyone pulls their weight instead of waiting for the others to do their bit.

Fully funded PhD opportunity in public procurement

My good friend Martin Trybus from the University of Birmingham is looking for a PhD candidate for his EU-funded Horizon 2020 Marie Skłodowska-Curie Actions Innovative Training Network (ITN) on transatlantic trade and investment. Here's the lowdown:

"The ESR will work within Birmingham Law School and enrol for a 3-year PhD programme under the supervision of Professor Martin Trybus. The research project has the provisional title “Towards a Transatlantic Public Procurement Market” (details to be agreed between ESR and supervisor).

The objective of the ITN is to foster interdisciplinary research into transatlantic trade and investment. The network will have 15 ESRs at 11 different partners across Europe. The ESR will benefit from a wide-ranging training programme consisting of Advanced Training Courses and topical conferences organised by ITN partners across Europe. The ESR will contribute to ambitious and carefully planned research, outreach, impact and dissemination activities benefiting from the expertise of world-leading senior academics. Planned secondments (to be confirmed) include the University of Turin (work with co-supervisor Professor Roberto Caranta), George Washington University in Washington DC, the International Training Centre of the International Labour Organisation in Turin, Baker McKenzie in Berlin, and CEPS in Brussels."

This is a great opportunity for those of you wanting to do a PhD in procurement. Martin is great to work with and so is Roberto Caranta, both of whom I can vouch for, having known and worked with them over the last 6 years on the European Procurement Law Group.

How to go about and do real world experimentation in procurement

Albert got the ball rolling (or kicked the hornets' nest, depending on the perspective) yesterday by calling for more experimentation in public procurement. He is putting a finger on a particular wound, innovation in public procurement, and my comments (for now) can be found on this Twitter thread:

There is a lot more to be said about the topic, but that is my hot take for now.

New paper: The European Single Procurement Document

This paper will show that the European Single Procurement Document (ESPD) introduced by Directive 2014/24/EU and Commission Implementing Regulation 2016/07 constitutes a paradigm shift in how public procurement procedures are run in the EU, and one with unintended consequences. Before its introduction, each economic operator wishing to take part in a public procurement procedure had to submit all qualifying information at the start of the procedure. This meant incurring transaction costs that were certain, in exchange for the opportunity of an uncertain benefit: winning the contract. The ESPD alters the balance of power (and costs) by replacing the full documentation requirement with a simple self-declaration form, aiming for a reduction in transaction costs and the removal of a barrier to the participation of economic operators in public procurement procedures. It is unclear whether in reality its use will amount to savings in transaction costs or whether those will actually increase, and whether the change in incentives may lead to more strategic non-compliance by economic operators and reduced legal compliance by contracting authorities, which may be tempted to overlook at least minor shortcomings by winning bidders.

The paper is published in the most recent issue of the Upphandlingsrättslig Tidskrift journal.

Commission publishes ESPD review

The Commission has just put out its European Single Procurement Document review covering what has been done so far to get it to work and what is the current status of its implementation. The report makes for grim reading with most Member States still fumbling their way around with the majority using the paper version (!) at the end of 2016.

The Commission suggested that the current electronic ESPD service it provides is a transitional measure (I assumed as much in my paper about the ESPD), but the fact that 16 Member States are still using it instead of implementing national versions is worrying, since it is now anticipated that the electronic ESPD system will be shut down after April 18th 2019. On a more positive note, Bulgaria, Croatia, Denmark, Latvia, Lithuania, the Netherlands and Romania have made the use of the ESPD mandatory for below-threshold contracts as well, with Hungary, Italy, Slovenia, Slovakia and Spain accepting its use without it being mandatory.

As expected, most countries are woefully behind when it comes to integrating the databases from which data that feeds into the ESPD may be accessed, and until that happens the real benefits of the system will not be felt. Nonetheless, the Commission claims Denmark and Croatia have been able to quantify the benefits (I would love to see the research and data), while no "Member State has tried yet to quantify the benefits deriving from a reduced administrative burden for buyers." Again, that will take a while and a painful adaptation period.

While criticism by some Member States, suppliers and buyers is briefly mentioned, the report is silent on any particular difficulties in implementation or improvements necessary. As for the drawbacks, yesterday's post gives a flavour that is missing from the Commission's report.

Business model implications of the NHS ransomware attack

Blame the Business Model

Still, even if the U.S. government is less to blame than Smith insists, nearly two decades of dealing with these security disasters suggests there is a systematic failure happening, and I think it comes back to business models. The fatal flaw of software, beyond the various technical and strategic considerations I outlined above, is that for the first several decades of the industry software was sold for an up-front price, whether that be for a package or a license.

This resulted in problematic incentives and poor decision-making by all sides:

Microsoft is forced to support multiple distinct code bases, which is expensive and difficult and not tied to any monetary incentives (thus, for example, the end of support for Windows XP).
3rd-party vendors are inclined to view a particular version of an operating system as a fixed object: after all, Windows 7 is distinct from Windows XP, which means it is possible to specify that only XP is supported. This is compounded by the fact that 3rd-party vendors have no ongoing monetary incentive to update their software; after all, they have already been paid.
The most problematic impact is on buyers: computers and their associated software are viewed as capital costs, which are paid for once and then depreciated over time as the value of the purchase is realized. In this view ongoing support and security are an additional cost divorced from ongoing value; the only reason to pay is to avoid a future attack, which is impossible to predict both in terms of timing and potential economic harm.

The truth is that software — and thus security — is never finished; it makes no sense, then, that payment is a one-time event.

Ben is on the right track when arguing that the lack of alignment of business models is at the heart of the problem. However, the problem itself is more complex than Ben perhaps realises, since many of the "computers" affected by last week's attack are not "computers" in the traditional sense of the word, but medical devices where the software is embedded as part of the whole widget. As such, his proposed solution does not address the problem within the medical context.

Medical devices such as MRI scanners have a lifecycle that does not necessarily match that of the embedded software. For example, Microsoft sold Windows XP until 2008 and supported it until 2014. MRI scanners have a lifecycle of 10-12 years (and I have been in a few older ones myself...), so a scanner built in 2008 using Windows XP would only have its software supported for half of its lifecycle. Now you may ask why on earth a vendor would still be selling products with Windows XP in 2008, but that is due to the high certification costs of medical equipment (no one wants a repeat of the Therac-25 disaster) and the "shelf life" of those machines: new MRI scanners are not designed every year like an iPhone, so companies have the incentive to sell existing models for as long as possible to defray the development costs through a larger number of units sold. Plus, since the software is embedded in the machine, there is usually no competitive pressure applied to it (if you doubt me, check your car entertainment "software" and compare it with your smartphone).

The above is the main reason why Ben's proposed business model of Software as a Service would not work within the context of the NHS attack: Microsoft does not have a commercial relationship with the final acquirer of the machine, but with the vendor, therefore Microsoft's business model is irrelevant to changing reality at the proverbial coal face. Even if Microsoft supplied its software under a SaaS model, there are currently no incentives for the device manufacturer to actually incur the certification costs of pushing it to the machines in use (another smartphone example: how many Android smartphone vendors actually update hardware that has already been sold to new versions of the OS?).

How do we align the business models then?

It is possible to align the business models in two different ways. First, by changing the way those devices are acquired by hospitals and NHS trusts. Second, by extending the liability of the manufacturer.

An easy way to look at aligning the incentives of different business models would be to lease the medical devices instead of buying them outright where possible, thus transforming a capital expense into an operational one (as suggested by Ben). With the right contractual incentives in place (i.e. that the embedded software must be kept up to date, at least as far as security patches are concerned), it would be possible to give device vendors the incentive to keep their machines secure.

A fancier approach is to follow the example I saw in Spain when doing my PhD research. At least one regional health board was doing public-private partnership (PPP) contracts with medical equipment providers. In practice this ends up being quite close to Ben's suggestion of SaaS, but with hardware instead. For a period of up to, say, 12 years the public sector was "buying" the availability of imaging equipment in its premises from a vendor.

What made those contracts so interesting is that they included upgrade clauses, so that when a new machine was released, those in service needed to be replaced with the new model, creating in the vendor an obligation to cascade updates to the customer during the whole lifecycle of the contract. I am not aware that they covered software updates, although maintenance and servicing were included. Even if they did not, it is conceivable to design future contracts so as to include software updates for machines in service.

A different avenue would be to attack the problem from a vendor liability perspective, which may also be valid under the current contracts or could spring from raised awareness of the potential liability implications of last week's ransomware attack.

Bottom line

It is possible to conceive contractual and legal solutions that solve (most of) the alignment issue between vendors of medical devices and their clients going forward. What remains to be seen, however, is what will happen with the existing machines. Surely vendors would be delighted to replace them all, but will the courts consider that they owe a duty of care of sorts towards the users, to keep them updated during a certain period of time and to provide access to the source code once they reach "end of life" support? One may dream.

Unintended consequences of using procurement as a compliance tool

About 10 days ago I gave a presentation at the CEVIA conference in Copenhagen (slides here) on how public procurement in the EU was slowly but surely being transformed into a compliance tool or enforcement system for policy objectives.

As it happens, I have also just published a paper on the ESPD* and how it internalises in the contracting authority the compliance cost which until now had been pushed out to the market via the requirement to present documentary evidence. Collecting all those documents and information, it turns out, is not free, as contracting authorities perhaps thought.

Today, Hansel - the Finnish Central Purchasing Body - published a blogpost aptly entitled Sometimes I feel like I am Sherlock, which included the following section:

Where it was assured that the ESPD would reduce the amount of attachments, it also included a brand-new requirement derived from the directive. As a part of the mandatory exclusion grounds set for the tenderers, they must ensure that the tendering business or any person who is a member of its administrative, management or supervisory body or has powers of representation, decision or control therein been the subject of a conviction on crimes such as corruption, fraud, terrorism and child labor etc. The contracting authority must also check the criminal records of such people from the tenderer which has been selected as a supplier. At this stage I wanted to cry a bit.

Are we becoming the procurement police?

I understand that this is an important feature. It would be nasty if the public sector would fund criminal operations through procurements. But what I don’t understand is why is checking these things the responsibility of the contracting authorities? How does making procurement units Sherlocks help the EU to reduce the black market? Do we not have any other means to prevent criminals from operating businesses in general?

I have completed many tender processes now where the ESPD and its requirements have been in use. The checking of the criminal records requires skills in Finland. The process consumes resources from both the private and public sector operators. The businesses must first ask permission in writing to retrieve the records from all the people involved. The records cannot be copied or sent via regular email. The contracting authorities can only check the records, but they can’t restore them anywhere. The records should be either destroyed, or returned to the sender. Due to the complex nature of this process, the tenderers are starting to prefer a visit to the contracting authority to show the original records physically instead of exploiting the benefits of digitalization.

The rest of the entry is self-recommended, but it rightly touches the nerve of the unintended consequences arising from making procurement an enforcement proxy for tenderers' bona fides, and of the lack of consideration for transaction costs. We, the procurement police.

*Will give out the SSRN link as soon as the paper is up there.

The procurement angle behind the NHS ransomware attack

Last week's (and today's?) ransomware attack on the NHS has a procurement angle to it. It is not the only angle, and maybe not the most important one, but procurement mattered nonetheless. Here's why:

1. Vendor lock-in

All compromised computers ran either Windows XP (unsupported) or more recent versions of Windows that had not been patched to fix the vulnerability. There may be very good reasons for both situations, such as critical systems depending on software available only for Windows XP; medical devices only having drivers for Windows XP; or uncertainty about whether patching would create problems elsewhere.

Those are all valid reasons to have both XP and more modern unpatched computers. They are, however, a good example of what happens when the public sector falls prey to vendor lock-in. By throwing in its lot with Microsoft and with equipment vendors that only support a legacy OS like XP, the NHS is no longer in full control of its own decision making. It cannot decide when to patch, what to patch, or when to ask another supplier to step in and help solve any problems. The NHS is at the mercy of external players whose interests are not aligned with its own: Microsoft wants to sell Windows 10 copies, and medical device vendors want to sell more modern machines. Even if medical device vendors have support contracts for their equipment, those may not include software updates (remember, Windows XP is 15 years old), or it may not be technically feasible to update the software on those devices to make it compatible with newer versions of Windows.

I have long harped about the risks arising from possible vendor lock-in on innovation contracts, but current lock-in is surely a lot more important in practice. In addition, last week's attack is also another example of the risks of accepting commercial secrecy as a given in public contracts.

2. The XP support contract

Microsoft ended Windows XP mainstream support in 2014, and started charging organisations significant sums of money to keep issuing patches for XP under consultancy/service contracts. The UK Government had a £5.5M contract with Microsoft for a year of support:

“We have made an agreement with the Crown Commercial Service to provide eligible UK public-sector organisations with the ability to download security updates to Windows XP, Office 2003 and Exchange 2003 for one year until 8 April 2015,” said a Microsoft spokesperson.

The UK's custom support agreement was not renewed or extended in April 2015, perhaps due to the costs involved: allegedly Microsoft doubled the cost from $200/machine to $400/machine, and perhaps the UK Government was unable to negotiate a reduction in unit costs. Perhaps they did not even know how many computers in the public sector needed patching, which would make any negotiation difficult. As a comparison, the US Navy was paying Microsoft $9.1M for support until July 2016, and the extension for 2017 would have increased the cost once more.

From April 2015 onwards, all UK public sector XP machines became proverbial sitting ducks. The magnitude of the problem for the NHS had been known since September 2016, when Motherboard published an article based on an FoI request:

Motherboard has found that at least 42 National Health Service (NHS) trusts in England are still using the Windows XP operating system, with many of them confirming that they no longer receive security updates for the software. Legal experts say that the NHS hospitals may be in breach of data protection regulations.

As it happens the attack hit between 40 and 48 NHS trusts in England and I am sure that is not a coincidence. I suspect there is a significant overlap between those that were still using XP in September 2016 and the trusts hit last week.

I am not a data protection expert but would not be surprised if those Trusts were in violation of their obligations and remain less than assured about personal medical data having been stolen not in this attack but by others exploiting the same vulnerability since it was disclosed over a month ago.

3. (Dis)Organisation and competing priorities

The final procurement angle is one of disorganisation and competing priorities. Having a decentralised health system in this day and age, when IT is becoming more complex (and expensive) to manage well, is a disaster (or two) waiting to happen. Procurement itself is becoming ever more complex - partly because of rules, partly because of bolt-on policies, partly because what is being procured is becoming more complex as well - and those two trends should dictate a move to a more centralised model.

I am not claiming that centralisation would magically solve the problems (funding would remain an issue), but that it would at least make it possible to have the necessary expertise to do procurement and IT well somewhere. As it stands, we expect each and every NHS trust to have that (and more) expertise on tap at any given moment. Since complexity is just going to increase (smart medical devices, anyone?), the future looks grim.

Finally, time and time again I have seen IT managers pleading for resources to secure networks and/or upgrade/test their equipment. It is always a tough sell, as the key decision makers simply do not understand the risks and what is at stake, preferring instead to allocate resources to priorities they understand and where they understand the risks/consequences. Maybe in the NHS that will change going forward.

PS: A bit of perspective is important though. Let's not forget that those institutions have been victims of an attack, which may well constitute criminal activity. If we should not blame the victims of other crimes, the same standard should apply to the institutions involved in this one.

Are UK contracting authorities publishing contract award information?

The answer is: not all of them, and not all of the time, irrespective of the clear legal requirements to do so. OpenOpps looked into the practice for contracts published on Contracts Finder, and this is what they found out:

On average, central government departments had 23% of tenders incomplete. For example, Department for Education has issued 70 tenders and just 43 contract awards (39% incomplete) and the Department of Health has issued 101 tenders and only 33 contract awards (67% incomplete). The better performers were FCO Services and the Department for Transport. FCO Services has issued 187 tender opportunities on Contracts Finder, but published 186 contract awards (only 0.5% incomplete). The Department for Transport has published 97 tender opportunities and 94 are complete (4% incomplete).

As I suspected, local government is a lot worse:

This trend of leaving tenders incomplete is less greater in local government where, on average 65% of the notices are incomplete. According to our analysis, 114 local government publishers of tender notices have never published a contract award notice, whilst only 37 local government publishers had published all of their contract awards notices, and 17 of these had published just one tender notice and one contract award. Clearly, the lack of contract award notices is not the only issue, low publishing numbers are also a problem. For example, Cambridgeshire County Council managed to publish just five tenders into Contracts Finder, when they’ve managed to publish 173 tender notices elsewhere since January this year.

As the data analysis covered only Contracts Finder, it is possible that, for contracts above the EU thresholds, contracting authorities are complying with the requirement to publish the results on Tenders Electronic Daily instead.