Microsoft: U.S. should not stockpile cyber weapons

Posted at 7:00 AM, May 15, 2017

Microsoft’s president and top lawyer said Sunday that the ongoing cyberattacks, which experts are calling the largest in history, should be a “wake-up call” for governments — especially the U.S.

Hackers have used “ransomware” to freeze at least 200,000 computers so far, and they have demanded that users pay up to regain access.

The attacks exploited the computers because they were running outdated versions of Microsoft’s Windows operating system. Brad Smith, who is Microsoft’s chief legal officer, said Sunday in a blog post that his company, its customers and the government all share the blame.

Smith said Microsoft has the “first responsibility” to address the problem.

But he also placed fault in national governments. The security flaw that hackers used to launch the attacks Friday was made public after information was stolen from the U.S. National Security Agency, which routinely searches for flaws in software and builds tools to exploit them.

“This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem,” he said. “An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen.”

The government is not legally bound to notify at-risk companies. Smith says that’s wrong.

He argued there should be “a new requirement for governments to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them.”

“Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage,” Smith wrote.

The NSA alerted Microsoft about the issue three months ago and the company released an upgrade that patched the flaw. But some experts have argued this attack could have been vastly mitigated if the NSA told Microsoft sooner.

Smith also called cyberattack protection a “shared responsibility” between companies and customers.

Companies and institutions are often slow to update their computers because it can screw up internal software that is built to work with a certain version of Windows.

“As cybercriminals become more sophisticated, there is simply no way for customers to protect themselves against threats unless they update their systems,” Smith wrote. “Otherwise they’re literally fighting the problems of the present with tools from the past.”

He said tech companies, customers and the government need to “work together” to protect against attacks.

“More action is needed, and it’s needed now,” he said.