Microsoft says the outbreak of WannaCry ransomware on 12 May reveals why governments shouldn’t stockpile software vulnerabilities.
Microsoft’s president and chief legal officer Brad Smith thinks governments’ hoarding of flaws is a “problem.”
These bugs might be valuable to the CIA and NSA, government agencies which can and do exploit flaws to advance the national security interests of the United States government.
As Smith explains in a blog post:
“Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today – nation-state action and organized criminal action.”
Obviously, Smith is referring to the events of 12 May.
On that day, an updated version of WannaCry ransomware infected the United Kingdom’s National Health Service (NHS), the telecommunications provider Telefonica, and other high-profile within a matter of hours. As of today, it had spread to over 150 countries and reached more than 200,000 victims in an attack that exploited CVE-2017-0143, a Windows-based remote code execution (RCE) vulnerability.
The Redmond-based tech giant patched the bug on the latest Windows versions in March 2017. But there was no fix initially for Windows XP, an operating system which many customers continue to use notwithstanding its end-of-life status.
Microsoft therefore took the highly unusual step to release an update for Windows XP users and urge them to update their software (if possible) as soon as possible.
Microsoft also had something to say to governments that make attacks like the WannaCrypt outbreak possible. Smith delivers the message perfectly:
“The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits. This is one reason we called in February for a new ‘Digital Geneva Convention‘ to govern these issues, including a new requirement for governments to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them.”
WannaCry helps illustrate the importance of governments cooperating with the private sector and the security industry to protect users. But as we all know, public agencies have lots of interests besides defending ordinary people, and some of those goals don’t benefit from transparency.
Let’s just hope the memory of this outbreak leads to some governments to work towards patching rather than stockpiling vulnerabilities. The world doesn’t need another WannaCry attack months or years from now to remind us all of what could happen otherwise.
For more discussion on the issue, make sure to listen to this recent episode of the “Smashing Security” podcast.