Microsoft fires back at governments stockpiling vulnerabilities following 'WannaCry' ransomware attack

Following the massive "WannaCry" (also known as "WannaCrypt") ransomware attack that began spreading rapidly last week, Microsoft President and Chief Legal Officer Brad Smith had some sharp words for governments that stockpile software vulnerabilities. The National Security Agency (NSA) in particular drew Smith's attention: the agency developed the exploit on which WannaCry's spreading mechanism is based (the SMBv1 exploit known as EternalBlue), and that exploit was later leaked.

Following leaks from both the CIA and the NSA, Smith argues, governments stockpiling vulnerabilities is becoming a worrying trend. Says Smith:

This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today – nation-state action and organized criminal action.

WannaCry initially started spreading around the world on Friday, May 12, first hitting the National Health Service (NHS) in the UK and telecom providers in Spain. A "killswitch" for the ransomware was eventually discovered by accident by a cybersecurity researcher in the UK: before encrypting a machine, the malware checked whether a particular unregistered domain resolved, and registering that domain halted new infections on hosts that could reach it (machines that could not resolve the domain, for example behind a proxy, were still encrypted). By then, however, it had already spread to hundreds of thousands of computers at major organizations in 150 countries. Now, a second wave of the same malware appears to be spreading with the killswitch check removed.


For its part, Microsoft had already patched the vulnerability in question in March (security bulletin MS17-010), and anyone running Windows 10 with Windows Update and Windows Defender enabled was automatically protected. The cause for concern was mostly the impact on major organizations and companies that, for one reason or another, had not applied the patch. The NHS, for example, was hit hard because of its reliance on Windows XP, which has been out of support for some time. Given the scale of the outbreak, Microsoft took the unusual step of issuing a patch for the vulnerability on unsupported systems, including Windows XP and Windows Server 2003.
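The practical check that follows from the paragraph above is whether a given Windows host actually has the MS17-010 fix and whether it still exposes SMBv1 on the network. The following PowerShell audit is an added example, not code from the article or from Microsoft. It assumes the KB IDs listed in $Ms17010Kbs are the security-only and monthly-rollup packages for the Windows 7, 8.1 and Server 2012 families plus the out-of-band package for the unsupported XP/2003/8 builds; verify them against the MS17-010 bulletin for your exact build. For Windows 10 and Server 2016, where the fix ships inside the cumulative update rather than as a standalone KB, it uses the install date of the newest update as a heuristic, which is an assumption rather than a definitive test.

```powershell
# Added example (not from the article or from Microsoft): audit a Windows host for the
# MS17-010 fix that WannaCry's spreader exploits, report SMBv1 exposure, and optionally
# disable the SMBv1 server. Run in an elevated PowerShell session.
#
# ASSUMPTION: these KB IDs are the MS17-010 packages for each OS family; confirm them
# against the MS17-010 bulletin before relying on this list.
$Ms17010Kbs = @('KB4012212', 'KB4012215',   # Windows 7 / Server 2008 R2 (security-only / rollup)
                'KB4012213', 'KB4012216',   # Windows 8.1 / Server 2012 R2
                'KB4012214', 'KB4012217',   # Server 2012
                'KB4012598')                # XP, Server 2003, Windows 8 (out-of-band, May 2017)

function Test-Ms17010 {
    [CmdletBinding()]
    param(
        # Turn the SMBv1 server off if it is found enabled (Microsoft's documented workaround).
        [switch]$DisableSmb1
    )

    $os       = Get-CimInstance -ClassName Win32_OperatingSystem
    $hotfixes = @(Get-HotFix -ErrorAction SilentlyContinue)
    $matched  = @($hotfixes | Where-Object { $Ms17010Kbs -contains $_.HotFixID })

    # ASSUMPTION (heuristic): on Windows 10 / Server 2016 (version 10.0) the fix is part of
    # the cumulative update, so treat any update installed on or after the March 14, 2017
    # release date as evidence the host is patched.
    $isWin10 = [version]$os.Version -ge [version]'10.0'
    $updatedAfterFix = @($hotfixes | Where-Object {
        $_.InstalledOn -and $_.InstalledOn -ge [datetime]'2017-03-14' })
    $patched = if ($isWin10) { $updatedAfterFix.Count -gt 0 } else { $matched.Count -gt 0 }

    # SMBv1 server state; the SMB cmdlets exist on Windows 8 / Server 2012 and later only,
    # so older hosts report $null here and are treated as exposed below.
    $smb1 = $null
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    }

    # WannaCry's spreader needs SMB reachable over the network: is anything listening on 445?
    $listening445 = $null
    if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
        $listening445 = @(Get-NetTCPConnection -LocalPort 445 -State Listen `
                              -ErrorAction SilentlyContinue).Count -gt 0
    }

    if ($DisableSmb1 -and $smb1 -eq $true) {
        # Clients that still depend on SMBv1 (very old printers, NAS units) will lose access.
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        $smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
    }

    [pscustomobject]@{
        ComputerName    = $env:COMPUTERNAME
        OSVersion       = $os.Version
        Ms17010Hotfixes = ($matched.HotFixID -join ',')
        Patched         = $patched
        Smb1Enabled     = $smb1
        Listening445    = $listening445
        # Exposed = unpatched AND SMBv1 not known to be off AND SMB reachable (or unknown).
        Exposed         = (-not $patched) -and ($smb1 -ne $false) -and ($listening445 -ne $false)
    }
}

# Usage:
#   Test-Ms17010                 # report only
#   Test-Ms17010 -DisableSmb1    # also switch the SMBv1 server off
Test-Ms17010 | Format-List
```

The Exposed field is deliberately conservative: a host whose SMBv1 state or listener state cannot be determined is reported as exposed rather than safe, because the two OS generations where those cmdlets are missing (XP, 2003, 7) are exactly the ones hit hardest. Run the function across a fleet with Invoke-Command and sort on Exposed to get a patch worklist.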

Though there's still a relatively heated debate surrounding who is to blame for the problem, Smith argues it's time for government agencies to take more responsibility in disclosing vulnerabilities so the tech sector, customers, and governments can work together to prevent such attacks. From Smith:

The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits. This is one reason we called in February for a new "Digital Geneva Convention" to govern these issues, including a new requirement for governments to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them. And it's why we've pledged our support for defending every customer everywhere in the face of cyberattacks, regardless of their nationality. This weekend, whether it's in London, New York, Moscow, Delhi, Sao Paulo, or Beijing, we're putting this principle into action and working with customers around the world.

Dan Thorp-Lancaster

Dan Thorp-Lancaster is the former Editor-in-Chief of Windows Central. He began working with Windows Central, Android Central, and iMore as a news writer in 2014 and is obsessed with tech of all sorts. You can follow Dan on Twitter @DthorpL and Instagram @heyitsdtl