LONDON — Microsoft has criticised the US government in the aftermath of a massive ransomware cyberattack that hit computers around the globe on Friday, after it emerged that the malware made use of a software exploited developed by the NSA (National Security Agency).
Microsoft president and chief legal officer Brad Smith wrote a strong-worded statement that read in part: “This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem … Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage.”
The NSA — like other spy agencies — works to secretly develop “zero day” exploits that the software’s developers aren’t aware of, letting them break into targets’ computers when required. But critics argue that this “stockpiling” of vulnerabilities makes ordinary people less safe, as they can leak and fall into the wrong hands.
This is exactly what happened with the ransomware attack. The WannaCry ransomware software itself — which encrypts the victim’s data and demands a bitcoin ransom to unlock it again — was fairly ordinary. But it was paired with the “EternalBlue” exploit that was developed by the NSA and leaked online earlier this year by hacking group called Shadow Brokers, and it spread across the globe.
Organisations in more than 100 countries were affected, including Britain’s National Health Service (NHS), Spanish telecoms giant Telefónica, and logistics firm FedEx. Microsoft had already patched the exploit at the time of the attack — but because many organisations hadn’t updated their software, they were still vulnerable.
In short: A US government cyberweapon was repurposed by criminals to wreck havoc in hospitals and telecoms firms around the world.
“An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen,” Smith wrote. “And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today – nation-state action and organized criminal action.”
The Microsoft exec said that “governments of the world should treat this attack as a wake-up call.”
He once again called for a “Digital Geneva Convention” that will regulate how software vulnerabilities and cyberweapons are handled globally, and that would force governments to disclose vulnerabilities in a responsible manner.
He wrote: “They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits. This is one reason we called in February for a new ‘Digital Geneva Convention‘ to govern these issues, including a new requirement for governments to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them.”
Security expert Graham Cluley summarised Brad Smith’s argument on Twitter as: “Microsoft is royally f—ed off with the NSA.”
Exiled NSA whistleblower Edward Snowden hailed the statement as “extraordinary.”