Microsoft Says Governments Should Stop 'Hoarding' Security Vulnerabilities After WannaCry Attack
As news of the WannaCry ransomware attack broke last week, companies and governments scrambled first to keep it contained. Now, with more details about its origins and effects clear, those organizations are issuing their official responses.
Among the first is Microsoft, which rushed out an emergency patch for Windows XP on Friday, after formally ending support for the operating system three years ago. The company responded to the attacks with a strongly worded blog post, criticizing governments for "stockpiling" information about cybersecurity vulnerabilities, and likening the WannaCry attack to the US military "having some of its Tomahawk missiles stolen."
Microsoft identifies the WannaCry ransomware's source as a vulnerability known to the NSA, noting that similar security holes were revealed on WikiLeaks in documents stolen from the CIA. It says that the governments of the world should treat the WannaCry attack as "a wake-up call," to consider the "damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits," and to adopt the "Digital Geneva Convention" the company first suggested in February. That Convention would now carry an additional stipulation: "a new requirement for governments to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them."
But Microsoft also calls on customers to keep up their end of the bargain. It notes that cybersecurity is increasingly a shared responsibility between tech companies and customers: the former rely on the latter to keep their critical systems updated, just as people rely on companies to put out secure systems. By keeping pace with upgrades and patches, vast networks like the UK's National Health Service will be able to avoid what Microsoft says are the "two most serious forms of cybersecurity threats in the world today — nation-state action and organized criminal action."
In the United States, the Trump administration called an emergency meeting to discuss the ongoing threat of the ransomware, which, according to Europol, has already affected 200,000 computers in 150 countries. In the UK, where WannaCry disrupted the work of the National Health Service, experts warned that a second wave may be incoming, as still-undetected ransomware could be triggered.
But while Microsoft's advice to keep your computers updated is sound for most ordinary consumers, it is government and corporate networks that remain most at risk. The NHS is a good example. The service has been the target of repeated government budget cuts, and the country's health minister is apparently unwilling to discuss the security of the huge, ageing network it uses. Around the world, similar organizations are likely to remain juicy targets for increasingly organized and sophisticated attackers.