After the WannaCry ransomware attack that launched on Friday, and still continues to wreak havoc on global internet infrastructure, it was inevitable that top brass at Microsoft would need to make a public statement.
The reason is that the exploit used by the WannaCry attackers was a stolen tool developed by the US National Security Agency (NSA), specifically designed to break through Windows security.
In March, Microsoft had released a patch for the security flaw, but a significant reason for the proliferation of WannaCry was the reality that consumers are usually slow to install these kinds of updates. (A real-life reminder to patch your computer promptly.)
In a “highly unusual” move, Microsoft then decided to release a public patch for various operating systems to try to stop the flood. To a certain degree, the plug worked, but today businesses are dealing with aftershocks and copycats.
This environment would prompt most corporate execs to make a public statement, but the blog post from Microsoft President and Chief Legal Officer Brad Smith was extraordinary.
Companies and consumers should receive some blame; but governments should shoulder the burden
As President of Microsoft, Smith said his company has the ‘first responsibilities’ to address security issues and protect its consumers. Smith defended Microsoft but refused to pat his company on the back, saying,
“But as this attack demonstrates, there is no cause for celebration”.
He also added that the consumer must now be a participating player in cybersecurity. The antidote to WannaCry was already developed in a security patch – but (as one would expect) it was not immediately downloaded by the consumers.
The average consumer views security updates as a minor nuisance, which suggests the problem is in communication and not apathetic customers.
What made the post newsworthy is, after Smith humbled himself and Microsoft, he lambasted the NSA and said the WannaCry hack was a “wake-up call to the governments of the world”.
The biggest issue for Smith is the strategy of hoarding security vulnerabilities to be used in the seemingly constant cyber-warfare being waged of our modern times.
WannaCry is a great example. The NSA figured out how to hack Microsoft's software, and it then did not tell Microsoft about the vulnerabilities. That is the standard operating procedure criticised by Smith.
This time, however, the key was stolen (which forced the NSA to publicly acknowledge the theft and Microsoft then patched the problem). Yet because of the company/consumer dynamics highlighted above, when the virus was deployed it was able to wreak major damage.
“They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits,” he said.
While the damage to civilians is less obvious than dropping bombs, some of the first targets of the attacks were UK hospitals. Thankfully, the hack did not destroy critical infrastructure, but it did infiltrate a vulnerable population and put people's lives at risk.
Smith specifically called out the American government (the CIA and NSA) and said,
“And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today – nation-state action and organized criminal action.”
He pointed to the CIA hacking tool called ‘Archimedes’ that was stolen, and then posted publicly on Wikileaks.
Smith has been championing a Digital Geneva Convention (a reference to the post-WWII convention that established modern protocol for warfare). He wants governments to agree to share vulnerabilities with vendors when their security agencies discover them.
He concluded with a call to action:
“We need the tech sector, customers, and governments to work together to protect against cybersecurity attacks. More action is needed, and it’s needed now. In this sense, the WannaCrypt attack is a wake-up call for all of us. We recognize our responsibility to help answer this call, and Microsoft is committed to doing its part.”