Request ID: FOI-0597-2122 Date published: 14 July 2021
You asked
Dear Transport for London,
I would be most grateful if you would provide me, under the Freedom of Information Act, details in respect to the following questions;
1. How many instances of the Microsoft Windows 7 Operating System are currently in operation across your entire network? How many devices such as kiosks, lap tops etc are still running Windows 7?
2. How many instances of the Microsoft Windows XP Operating System are currently in operation across your entire network ? How many devices such as kiosks, lap tops etc are still running Windows XP?
3. Who is the officer responsible for maintaining and delivering legacy applications to all your users?
Thank you for your help.
We answered
TfL Ref 0597-2122
Thank you for your request received by Transport for London (TfL) on 22 June 2021 asking for information about Windows 7 and XP usage in TfL.
Your request has been considered in accordance with the requirements of the Freedom of Information Act and our information access policy. You asked:
1. How many instances of the Microsoft Windows 7 Operating System are currently in operation across your entire network? How many devices such as kiosks, lap tops etc are still running Windows 7?
2. How many instances of the Microsoft Windows XP Operating System are currently in operation across your entire network ? How many devices such as kiosks, lap tops etc are still running Windows XP?
3. Who is the officer responsible for maintaining and delivering legacy applications to all your users?
I can confirm that we hold the information you require. However we consider that the disclosure of information requested would assist a third party to mount an attack on our systems and therefore the information is exempt under Section 24(1) - National Security. Release of information under the Freedom of Information Act is a release to the public both at home and abroad. Therefore TfL must consider how any potential recipient of the information might use it, rather than make assumptions about the intentions of the individual making the request.
We consider that the disclosure of information requested would assist a third party to mount an attack on our systems. Windows XP and Windows 7 are obsolete Microsoft operating systems which are no longer routinely supported by Microsoft. This means that these operating systems contain exploitable vulnerabilities that are likely to increase over time. It is well known that those vulnerabilities may be exploitable intelligence for malicious threat actors seeking to do harm to TfL and/or our customers. This knowledge could be used to mount an attack at a later date. We do not publicly divulge information on the existence or otherwise of vulnerabilities within our estate.
The London transport system is a critical piece of national infrastructure and as such we employ rigorous safeguards to protect it from cyber attack. Like other organisations we are subject to these regularly. These attacks are unlawful under the Computer Misuse Act, and whilst the motive is not always apparent, we are aware of the risk to critical national infrastructure that may result from a successful attack.We consider that releasing the information you have asked for would be likely to prejudice our efforts to prevent and detect future attacks and undermine our ability to safeguard TfL’ s information systems.
MI5 (Security Services) has stated that, “Cyber espionage presents a real risk to the economic well-being of the UK. It poses a direct threat to UK national security’:https://www.mi5.gov.uk/cyber. They have assessed the current threat level from international terrorism for the UK is assessed as SUBSTANTIAL: https://www.mi5.gov.uk/threat-levels.
Each day (pre Corona virus levels) around 24 million journeys are made across TfL’s network and an attack directed at the running of the network may cause harm to national security by disrupting the operation of London’s transport network, with consequent economic loss.
Section 24(1) is subject to a public interest test, and we recognise that there is significant public interest in understanding how TfL operates and what technology it uses. However, we consider that there is a stronger public interest in protecting national security, which would be undermined by the disclosure of the requested information.
We are able to confirm, in relation to your final question, that there is no single officer responsible for application management across our estate, the different phases of an application lifecycle are looked after by different teams across the organisation.
If you are not satisfied with this response please see the attached information sheet for details of your right to appeal.
Yours sincerely
Sara Thomas FOI Case Management Team General Counsel Transport for London
