Lead UK Aircraft Carrier's Use of Outdated Windows Could Backfire, Get It Hacked

The carrier, which was assembled in the Scottish port of Rosyth and was specially designed to duck under the Forth Bridge in London, left the Forth estuary in the early hours of Tuesday (June 27), and will spend a week in the North Sea doing sea trials.

​The software used by the £3.5 billion (US$4.46 billion) aircraft carrier is the same kit which let down the NHS, which was hit by a ransomware attack last month.

The Wannacry ransomware hit 300,000 computers in 150 countries.

Windows XP is no longer supported by Microsoft, meaning it does not receive updates which might protect users from hackers.

"Best security practice dictates you always have everything up-to-date that's pretty simple and relatively easy to do for you and your users. But when you have very specific software that handles very specific hardware such as an MRI or a CT machine, or something defending the boys or the offensive utility the navy has onboard, you're left with a can of worms in regards to having the software updated to current operating systems, and the problems they present to old software and support agreements to those that fix bugs or enhance it," a cybersecurity expert told Sputnik.

"If, as suggested, they are using Windows XP, I would expect the additional security controls would be put in place through threat modeling the likelihood of adversarial reach," they added.

​Britain is set to renew its fleet of submarines equipped with nuclear missiles at a cost of £31 billion (US$39 billion) and last year former defense secretary Lord Browne said there could be no guarantee of a reliable nuclear deterrent without an "end-to-end" assessment of the cyberthreat to the system.

The idea of a rogue nation taking control of one of the Royal Navy's aircraft carriers may seem like a plot of a James Bond movie, but cyber warfare is real.

In 2010 a computer worm called Stuxnet was discovered by researchers in Belarus. 

The digital warhead had been created by the US and Israel to derail the Iranian nuclear program, and it apparently succeeded.

​The US spent millions of dollars creating the Stuxnet malware and then infecting the computers of contractors who passed on the virus to the computers at a vital centrifuge in Iran.

Earlier this year, Russia's President Putin and Iran's President Rouhani condemned the use of Stuxnet after a US general admitted to lying about it during a federal investigation.

Kim Zetter, who wrote a book, Countdown to Zero Day, about Stuxnet, said: "Modern computer-controlled hardware will always have someone trying to gain access to it and someone will always be trying to gather information on their enemy so it is important for these systems to be secure and always checked for vulnerabilities."

"Cyber is the new battlefield for intelligence and posture, that's clear everyone has enemies, I would go as far to say that your allies and friends would be considered fair game too. The military do a great job of suppressing knowledge of incidents," a cybersecurity expert told Sputnik. 

​He said: "If they expose anything to the public internet, it would become a target just like everything else online, your IoT [Internet of Things] toaster, your website.

"If vulnerabilities exist they will be found and exploited — whether that be a crypto locker attack or more likely exfiltration of military data. Flaws can always be found, it might take longer depending on the technology, but security is always done in layers, and decisions are usually well informed at this level," they told Sputnik.

​Commander Mark Deller, who is in charge of the aircraft on HMS Queen Elizabeth, said this week: "The ship is well designed and there has been a very, very stringent procurement train that has ensured we are less susceptible to cyber than most.

"We are a very sanitised procurement train. I would say, compared to the NHS buying computers off the shelf, we are probably better than that. If you think more Nasa and less NHS you are probably in the right place," he said.