
After massive cyberattacks, Microsoft criticizes U.S. government

Microsoft’s president and chief legal officer, Brad Smith, wrote a strongly worded statement that read in part: “This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem … Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage.”

The National Security Agency — like other spy agencies — works to secretly develop “zero day” exploits that a software’s developers aren’t aware of, letting it break into targets’ computers. But critics argue that this “stockpiling” of vulnerabilities makes ordinary people less safe, as they can leak and fall into the wrong hands.

This is exactly what happened with the ransomware attack. The WannaCry ransomware — which encrypts the victim’s data and demands a bitcoin ransom to unlock it — was fairly ordinary. But it was paired with the “EternalBlue” exploit, developed by the NSA and leaked online earlier this year by a hacking group called Shadow Brokers, and it spread across the globe.

Organisations in more than 100 countries were affected, including Britain’s National Health Service, the Spanish telecoms giant Telefónica, and the logistics firm FedEx. Microsoft had already patched the vulnerability exploited by EternalBlue at the time of the attack — but because many organisations hadn’t updated their software, they were still vulnerable.

In short: a US government cyberweapon was repurposed by criminals to wreak havoc in hospitals and telecoms firms around the world.

“An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen,” Smith wrote. “And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today — nation-state action and organized criminal action.”

The Microsoft exec said “governments of the world should treat this attack as a wake-up call.”

He once again called for a “Digital Geneva Convention” that would regulate how software vulnerabilities and cyberweapons should be handled globally, specifically one that would require governments to disclose vulnerabilities in a responsible manner.

He wrote: “They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits. This is one reason we called in February for a new ‘Digital Geneva Convention’ to govern these issues, including a new requirement for governments to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them.”

Security expert Graham Cluley summarised Smith’s argument on Twitter as: “Microsoft is royally f—ed off with the NSA.”

Exiled NSA whistle-blower Edward Snowden hailed the statement as “extraordinary.”


This article was originally published on Business Insider. Copyright 2017.
