
Microsoft fires back at governments stockpiling vulnerabilities following 'WannaCry' ransomware attack

Following the massive "WannaCry" (also known as "WannaCrypt") ransomware attack that began spreading rapidly last week, Microsoft President and Chief Legal Officer Brad Smith had some sharp words for governments that stockpile software vulnerabilities. The National Security Agency (NSA) in particular drew Smith's attention for its role in creating the exploit on which WannaCry is based, an exploit that was later leaked.

Following leaks from both the CIA and the NSA, Smith argues, governments stockpiling vulnerabilities is becoming a worrying trend. Says Smith:

This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today – nation-state action and organized criminal action.

WannaCry initially started spreading around the world on Friday, May 12, first impacting the National Health Service (NHS) in the UK and telecom providers in Spain. A "killswitch" for the ransomware was eventually discovered by accident by a cybersecurity researcher in the UK, but not before it had spread to hundreds of thousands of computers at major organizations in 150 countries. Now, a second wave of the same malware appears to be spreading with the killswitch patched out.


For its part, Microsoft had already patched the vulnerability in question in March, and anyone running Windows 10 with Windows Update and Windows Defender enabled was automatically protected. The cause for concern was mostly the impact at major organizations and companies that, for one reason or another, had not applied the patch to their systems. The NHS, for example, was heavily impacted because of its reliance on Windows XP, which has not been supported for some time. Because of the widespread impact of the malware, Microsoft took the unusual step of issuing a patch for the vulnerability for unsupported systems.

Though there is still a relatively heated debate over who is to blame for the problem, Smith argues it is time for government agencies to take more responsibility for disclosing vulnerabilities, so that the tech sector, customers, and governments can work together to prevent such attacks. From Smith:

The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits. This is one reason we called in February for a new "Digital Geneva Convention" to govern these issues, including a new requirement for governments to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them. And it's why we've pledged our support for defending every customer everywhere in the face of cyberattacks, regardless of their nationality. This weekend, whether it's in London, New York, Moscow, Delhi, Sao Paulo, or Beijing, we're putting this principle into action and working with customers around the world.

Dan Thorp-Lancaster is the Editor in Chief for Windows Central. He began working with Windows Central as a news writer in 2014 and is obsessed with tech of all sorts. You can follow Dan on Twitter @DthorpL and Instagram @heyitsdtl. Got a hot tip? Send it to daniel.thorp-lancaster@futurenet.com.

27 Comments
  • I'm absolutely on Microsoft's side on this one.  While, yes, it's their operating system and they should be doing everything they can to eliminate vulnerabilities over which they have control (you can't legislate or program out idiocy of users, of course), when government finds a vulnerability and specifically does NOT expose it just so they can exploit it, that is a foul.
  • I agree. A big issue is that many companies treat software updates, and generally upgrading to newer software & hardware, very slowly, and already discovered & fixed vulnerabilities are often still unpatched in many systems for months, if not a full year or longer. Recent events prove that.
  • You should ask yourself WHY? Why are they updating slowly? Because it costs MONEY! Buying 100 new PCs with W10 costs a LOT and nobody wants to give so much money for computers. Microsoft is pushing hard because it's a good opportunity for them to 1. make money off new contracts 2. raise the numbers of used W10. The easiest solution is to migrate to LINUX if the used SW is not W-only.
  • @Pappale, moving to Linux is not a cost savings at all (except in some server situations). For many Enterprises under support agreements, the licenses are per seat and the version of OS doesn't matter (same annual license payment to MS whether they update or not). For them, Windows is cheaper than Linux because it eases IT burdens and provides access to tools that make their businesses more cost effective where those tools simply don't exist on Linux, or where they would need to be custom built, costing much more than off-the-shelf solutions for Windows. Obviously, sites still running XP, which is past EOL, aren't still paying per-seat licensing costs, but that is now down to a fairly small minority of sites. In the case of most of those that do still run XP (including the NHS, I believe), they run it because they need to for certain legacy applications. Moving to Linux would be HARDER and MORE EXPENSIVE to update those apps than the relatively small changes needed to get a Windows XP application to run on Windows 10. In neither case is Linux superior from a cost perspective. That's not to say that Linux doesn't have its uses, such as for certain server applications where, like with Windows on the desktop, there are robust solutions readily available, but in most cases, pushing desktop or laptop users to Linux would not be a cost-savings measure. No, it would be the work of a Linux fanboy who somehow made it to a senior IT position. And they tend to either come around to seeing the cost benefits of Windows or they cost their organizations a lot of money, and most likely themselves a job.
  • Well, didn't they slowly migrate? They could have gone Vista, Win 7, and now Win 10. If you ask me, they have a lazy IT staff. I migrate by department until I'm finished throughout the organization.
  • In some cases they need XP because of a special driver for a legacy device that would not work on Vista, Win 7... They should not use those XP PCs on the network. They should not use those XP PCs like regular PCs (email, Word...).
  • You must not work for, well anyone, if you think moving to Linux is the answer. Even if it was free and possible for every company to move to Linux, that would be where the next vulnerability is. No software is 100% safe, and no company should do everything for free, so yes MS expects to get paid for updates.
  • Windows is overpriced. People, and especially organizations, should be able to buy it way cheaper. It really needs to be more accessible.
  • And then there's the fact that it leaked in the first place. Doesn't exactly make you feel good about the NSA and its own data security, right?!
  • That's another mystery for me. I don't think it leaked just like that... it must have been a planned leak. Just think about it, the NSA is not like a random BANK or a big corporation. Even if they hacked their systems, those hack tools wouldn't be available just like that in the first file on server A.
  • There's rumours that this is actually the work of the CIA making it out to be the NSA's fault for the NSA exposing the CIA in its ultra shady ****. The NSA are on the side of the government and are mostly loyal nationalists. The CIA are their own government. The FBI are somewhere in between the 2. It's like a bloody movie.
  • Thanks NSA!!! /sarcasm
  • We always thought a dirty bomb or bioterror would bring down society. Now it's clear a simple destruction of the Internet infrastructure would do it. Remote capability and completely harmless to the health of the person enacting it.
  • Did the government plan the release to push MS or other software companies into cooperation in the future?
    Apple's refusal to help the government by unlocking the iPhone from the San Bernardino shooting puts them in a difficult position.
  • Creating tools for offensive cyber warfare (which is what the NSA has done) as opposed to digital security and defense... Who would have guessed it could backfire??? :(
  • That is BS. It is MS who should allow for a longer life cycle of perfectly functional hardware for vulnerable entities like governments that can't replace their entire equipment every couple of years, unlike consumers. Many governments design programs and synergies around a specific OS release, and changing is not just a matter of resources or IT but an entire vertical change of organizational structures and procedures.
    What MS wants is for all to keep buying new hardware by phasing out software. Look what they did with Creators on mobile and the capable L830, L950, L1520. Actually, many people I tried to bring to Windows Phone back in the 3% market share heyday would tell me they wouldn't do it for fear of viruses. MS has a very sad track record on keeping up with security threats. Besides, MS has also created a reputation of releasing "work in progress" OSes. In government I remember that a research lab would not update to Vista or W7 because they were infamously unstable, and would first let people try them and wait until MS got it together. Same happens with W10M. The first release was a headache: buggy, slow, battery drain, and yet it was released. In part many left not because of the app gap but because of the less than promising OS. Only now that Creators was released would I recommend it, and the OS should be pushed...
  • Are you talking about XP? Microsoft supported XP for more than 8 years, and more than 14 years with extended support... This is a lot of time and money. If a user or organization needs Windows XP PCs, they should have taken some precautions, like removing those PCs' access to the network, internet… I agree with you about user perception of viruses. Microsoft should educate users about security. Not an easy task. Some users, in our nice Windows Central community, don't like that Microsoft forces OS and security updates in Windows 10…
  • Longer lifecycle? XP was launched in 2001! Vista came out in 2006. Hardware that wouldn't support Vista is therefore over a decade old; I don't think that's MS's fault. To be honest, when Vista came out, hardware that wouldn't work on Vista would have been outdated/borderline obsolete even then. I've had very little difficulty getting W10 onto devices that came with Vista, and even managed it on stuff that came with XP SP2. I had to go back to 2003 to find some old hardware that wouldn't run W10, but even that managed W7. If MS kept supporting such obsolete hardware then current OS features wouldn't exist, as the older hardware wouldn't be able to handle them.
  • Which modern features?
  • If Microsoft wants governments to stop stockpiling vulnerabilities, maybe Microsoft should create fewer vulnerabilities, be more aggressive about finding them, and work faster to patch the ones they do find.
  • What do you know?
  • I know only what I discern from what I read, and I think the tech industry as a whole has made everyone believe that writing secure code is impossible, and we've all fallen for it. All tech companies are guilty of this, but because they say it's impossible to write code free of vulnerabilities they think they should get a pass. I'm just simply saying that I don't agree.
  • I agree that every software/hardware company should be more careful before releasing software. They should also release fixes faster or even recall faulty products (IP cams, ...). But I don't think anybody should hide software vulnerabilities.
  • I wasn't agreeing with what governments do.  I was just reacting to the fact that Microsoft is acting like they carry no responsibility.
  • Running an OS that Microsoft said years ago they are no longer supporting, and please upgrade to a newer OS or you will be exposed to security vulnerabilities. Then, shockingly, years later, a security vulnerability in the obsolete software brings down their system. And this organization is in charge of making sound judgements concerning healthcare? Amazingly enough, at the company where I work, updates are forced to any computer on the domain, we do not have unsupported OSes, and no computer in the company fell victim to this attack.
  • That is BS. It is MS who should allow for a longer life cycle of perfectly functional hardware for vulnerable entities like governments that can't replace their entire equipment every couple of years, unlike consumers. Many governments design programs and synergies around a specific OS release, and changing is not just a matter of resources or IT but an entire vertical change of organizational structures and procedures.
    What MS wants is for all to keep buying new hardware by phasing out software. Look what they did with Creators on mobile and the capable L830, L930, L1520.
    Actually, many people I tried to bring to Windows Phone back in the 3% market share heyday would tell me they wouldn't do it for fear of viruses. MS has a very sad track record on keeping up with security threats.
    Besides, MS has also created a reputation of releasing "work in progress" OSes. In government I remember years ago that a research lab would not update to Vista or W7 because they were infamously unstable, and would first let the general public try it and wait for MS to get it together.
    Same happens with W10M. The first release was a headache: buggy, slow, battery drain, and yet it was released. In part many left not because of the app gap but because of the less than promising OS. Only now that Creators was released would I recommend it, and the OS should be pushed. And it still needs a graphic design (blurs and types) revamp.
  • What will work is for Microsoft to offer the operating system completely free of charge for everyone everywhere, forever. They can charge for the other software such as Office etc., and perhaps governments can all add a tiny % of funding (without any influence) to allow MS to keep it free. Oh, and offer backwards compatibility so all the old systems like the ones the NHS has built work on the newer OS.