Microsoft’s President and Chief Legal Officer, Brad Smith, called the NSA the main actor to blame for the global spread of WannaCry ransomware. The attack started on Friday, when many companies were ending their work days, especially in Asia, and it has already spread to over 150 countries. We may see many more reports about WannaCry infections starting today, as organizations around the world see how their networks have been impacted over the weekend.
NSA’s Harmful Hoarding Of Security Vulnerabilities
As a signal intelligence agency, the NSA comes across (or creates) many vulnerabilities in software that it can then use to achieve its intelligence goals. That may be mission critical for the agency, but it doesn’t mean the NSA should use those vulnerabilities without regards for any other consequences. In the end, the agency’s mission is to protect the United States, not just to hack and attack other countries. Those are just means to the end goal of protecting its nation, not the goal itself.
As such, when the NSA stumbles upon serious vulnerabilities that could cause devastating damage in the wrong hands, it should probably refrain from abusing those vulnerabilities itself for too long (if at all). It should also alert the vendors of vulnerable software about the flaws as soon as possible eliminate the risk from the beginning.
Real physical weapons can be stolen, of course, but “cyberweapons” can be stolen even more easily, as they don’t need to be physically transported. Even worse, they can be much more easily replicated, and the exact same cyberweapon can be used not just by a group or two, but by potentially thousands of criminal groups around the world.
Microsoft Blames NSA For WannaCry Ransomware
NSA has a tendency to exploit the flaws instead of telling vendors about them, as we’ve learned from Edward Snowden’s revelations. Microsoft’s Smith believes this is the main reason why the WannaCry ransomware so effectively reached a global impact. Smith stated (opens in new tab):
Finally, this attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem.This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today – nation-state action and organized criminal action.
Smith also added that:
The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits. This is one reason we called in February for a new “Digital Geneva Convention” to govern these issues, including a new requirement for governments to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them. And it’s why we’ve pledged our support for defending every customer everywhere in the face of cyberattacks, regardless of their nationality.
A Wake-Up Call
Not everyone has taken ransomware seriously enough, and that includes organizations and users that need to defend against ransomware; companies that develop the software platforms and can create better protections against ransomware; and governments, which prefer to hoard vulnerabilities instead of aiding firms in fixing the flaws in their software.
Microsoft may share some blame here, too, as a platform vendor. Microsoft could and should focus even more aggressively on anti-exploit technologies that are built into the Windows operating system. The company has been working on transitioning to such built-in technology from its now deprecated EMET exploit mitigation tool (opens in new tab), something we’ve hoped Microsoft would do (opens in new tab) even before releasing Windows 10. However, the company may be doing it too slowly, in order to avoid disrupting the functionality of too many applications.
The company has also begun experimenting with virtualization for its Edge browser, but even so, the technology seems to be limited to enterprise customers. If Microsoft is serious about protecting all of its users, then such technology needs to be available not just to enterprise customers, but also to regular consumers. It should also be available such that users can enable at will for all or most of the applications that connect to the internet and can be remotely exploited, and not just Microsoft's own first-party applications.