Microsoft’s president and chief legal officer Brad Smith took to the company’s website to give a post-mortem on the lessons that need to be learned from the global hack that crippled businesses and government services around the world.
After walking through the ways that the “WannaCrypt” (or WannaCry) ransomware worm spread from the United Kingdom and Spain to systems around the world using exploits that were stolen from the National Security Agency in the United States, Smith said that Microsoft (and its customers) need to take more responsibility for their role. But the executive laid the bulk of the responsibility for the massive cyberattack at the feet of government agencies:
Finally, this attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem. This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today – nation-state action and organized criminal action.
The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits. This is one reason we called in February for a new “Digital Geneva Convention” to govern these issues, including a new requirement for governments to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them.
Put simply, cyberweapons are just that — weapons. Hoarding them is the digital equivalent of stockpiling a nuclear arsenal and keeping it in a standard office safe (or keeping a deadly virus in the office fridge).
The NSA shouldn’t assume that it can amass powerful exploits and keep them secure, because we’ve seen just how porous the U.S. cybersecurity apparatus is.
If these were conventional weapons, the world would be up in arms. And indeed, the world should be.