Microsoft’s President and Chief Legal Officer, Brad Smith, called the NSA the main actor to blame for the global spread of WannaCry ransomware. The attack started on Friday, when many companies were ending their work days, especially in Asia, and it has already spread to over 150 countries. We may see many more reports about WannaCry infections starting today, as organizations around the world see how their networks have been impacted over the weekend.
NSA’s Harmful Hoarding Of Security Vulnerabilities
As a signal intelligence agency, the NSA comes across (or creates) many vulnerabilities in software that it can then use to achieve its intelligence goals. That may be mission critical for the agency, but it doesn’t mean the NSA should use those vulnerabilities without regards for any other consequences. In the end, the agency’s mission is to protect the United States, not just to hack and attack other countries. Those are just means to the end goal of protecting its nation, not the goal itself.
As such, when the NSA stumbles upon serious vulnerabilities that could cause devastating damage in the wrong hands, it should probably refrain from abusing those vulnerabilities itself for too long (if at all). It should also alert the vendors of vulnerable software about the flaws as soon as possible eliminate the risk from the beginning.
Real physical weapons can be stolen, of course, but “cyberweapons” can be stolen even more easily, as they don’t need to be physically transported. Even worse, they can be much more easily replicated, and the exact same cyberweapon can be used not just by a group or two, but by potentially thousands of criminal groups around the world.
Microsoft Blames NSA For WannaCry Ransomware
NSA has a tendency to exploit the flaws instead of telling vendors about them, as we’ve learned from Edward Snowden’s revelations. Microsoft’s Smith believes this is the main reason why the WannaCry ransomware so effectively reached a global impact. Smith stated:
Finally, this attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem.This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today – nation-state action and organized criminal action.
Smith also added that:
The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits. This is one reason we called in February for a new “Digital Geneva Convention” to govern these issues, including a new requirement for governments to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them. And it’s why we’ve pledged our support for defending every customer everywhere in the face of cyberattacks, regardless of their nationality.
A Wake-Up Call
Not everyone has taken ransomware seriously enough, and that includes organizations and users that need to defend against ransomware; companies that develop the software platforms and can create better protections against ransomware; and governments, which prefer to hoard vulnerabilities instead of aiding firms in fixing the flaws in their software.
Microsoft may share some blame here, too, as a platform vendor. Microsoft could and should focus even more aggressively on anti-exploit technologies that are built into the Windows operating system. The company has been working on transitioning to such built-in technology from its now deprecated EMET exploit mitigation tool, something we’ve hoped Microsoft would do even before releasing Windows 10. However, the company may be doing it too slowly, in order to avoid disrupting the functionality of too many applications.
The company has also begun experimenting with virtualization for its Edge browser, but even so, the technology seems to be limited to enterprise customers. If Microsoft is serious about protecting all of its users, then such technology needs to be available not just to enterprise customers, but also to regular consumers. It should also be available such that users can enable at will for all or most of the applications that connect to the internet and can be remotely exploited, and not just Microsoft's own first-party applications.
Stay on the Cutting Edge
Join the experts who read Tom's Hardware for the inside track on enthusiast PC tech news — and have for over 25 years. We'll send breaking news and in-depth reviews of CPUs, GPUs, AI, maker hardware and more straight to your inbox.
When tools (and their knowledge/flaws) like these escape into the wild, you don't get to choose who uses (abuses) them. This is true whether the intentions are honorable, or not.Reply
And so Microsoft will be charging double for the information they sell to the NSA in this backlash. Also, don't leave RDP and SMB/CIFS exposed to the net, it's just stupid.Reply
Blaming Microsoft for this issue is pretty weak.Reply
Imagine if Apple agreed to allow CIA/other agencies or gave them a way to break their phone security to access the phone!!!Reply
19693702 said:Blaming Microsoft for this issue is pretty weak.
It is their software, so they are accountable for it.
That doesn't mean what they're saying is not correct: if you discover a bug, and more importantly, a SECURITY HOLE, it is your duty to report it. Unfortunately, there's no gap-closing between what is (and we should all agree here) morally right and legally right. I would imagine, if there's a way to prove it, MS could sue the agencies, but that is just getting into the pockets of tax payers at the end of the day... So many things gone wrong here for everyone it's amazing this is not getting more regular press. Or maybe I'm under a rock, lol.
The way Apple's Secure Enclave is designed, Apple shouldn't be able to even if it wanted to unless it issued an OS update to decrypt phones the next time they are unlocked and stopped using SE-based encryption afterward.19693708 said:Imagine if Apple agreed to allow CIA/other agencies or gave them a way to break their phone security to access the phone!!!
Microsoft can't be blamed for not fixing bugs that haven't been disclosed. Let us hope that this will serve as a lesson for every intelligence agency advocating intentional backdoors in software and systems. Secrets want to be shared and if you want to keep backdoors or exploit secret, you had better be ready for the consequences when they inevitably get leaked or re-discovered in the wild.19693716 said:19693702 said:Blaming Microsoft for this issue is pretty weak.
It is their software, so they are accountable for it.
Microsoft knew for this exploit, it is Microsoft who let them do it. Those f. crooks at Microsoft have courage to even f. comment it. I don't blame NSA for anything. It is f. MS. to blame for cause they are the ones who made the f. deal with NSA to start with.Reply
Just keep in mind that not only MS products have been exposed by the leaked NSA knowledge/tools. This is a broader issue and affects far more than just the MS landscape.Reply
19693754 said:Microsoft can't be blamed for not fixing bugs that haven't been disclosed. Let us hope that this will serve as a lesson for every intelligence agency advocating intentional backdoors in software and systems. Secrets want to be shared and if you want to keep backdoors or exploit secret, you had better be ready for the consequences when they inevitably get leaked or re-discovered in the wild.
I don't know if "blamed", but they are "accountable". That is why I used that word in particular.
"Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage." Ya I bet they were "leaked" and no money was exchanged.Reply