Microsoft criticizes governments stockpiling software vulnerabilities following WannaCrypt ransomware attack

Laurent Giret

Last Friday, a global ransomware attack caught the world by surprise as the malicious “WannaCrypt” worm was targeting Windows-based machines across the world. Since then, the worm has spread to close to 200,000 PCs worldwide, affecting utility companies and health services including the UK’s National Health Service (NHS).

Though Microsoft released a security update in March to patch the vulnerability on modern versions of Windows, the company quickly released another security update this weekend to address the security exploit on Windows XP, 8 and Server 2003. Since then, Microsoft’s Chief Legal Officer explained in a blog post yesterday that this latest cyberattack should be a wake-up call for governments, organizations, and consumers.

“This attack is a powerful reminder that information technology basics like keeping computers current and patched are a high responsibility for everyone, and it’s something every top executive should support,” explained Smith. But more importantly, the Chief Legal Officer criticized governments for stockpiling software vulnerabilities instead of reporting them to vendors. Because yes, the Wannacrypt worm is based on an NSA exploit codenamed “EternalBlue,” which was recently released on the Internet by a hacker group called the Shadow Brokers. Smith added:

This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem. This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today – nation-state action and organized criminal action.

Drawing a comparison with the international rules that apply to conventional weapons, Smith is urging governments to act more responsibly with what are basically cyber weapons. “We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits,” he explained. “This is one reason we called in February for a new “Digital Geneva Convention” to govern these issues, including a new requirement for governments to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them.”

As of today, the world is still figuring out if the worst is now behind us or if we should expect new attacks based on modified versions of the Wannacrypt worm. Smith said that Microsoft has been “working around the clock since Friday to help all our customers who have been affected by this incident,” and we’ll let you know if we learn anything new about the cyberattack.