‘Like letting Tomahawk missiles get stolen’: Microsoft slams NSA mishandling of exploits
“We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world,” Microsoft President and Chief Legal Officer Brad Smith said in a blog post on Sunday. “This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem.”
The NSA exploit code was leaked earlier this year by the Shadow Brokers hacking group, which had previously offered to sell the US government's cyber weapons for millions of dollars in Bitcoin.
Microsoft, however, released a patch against the vulnerability on March 14, which could indicate that the company was notified by the US intelligence agency that their tools using that particular backdoor had been compromised.
However, older, unsupported operating systems were not included in the update, and millions of users do not update their systems regularly. As a result, the WannaCry malware infected more than 100,000 computers worldwide on Friday, extorting victims to pay hundreds of dollars' worth of Bitcoin or face losing their files.
The US government’s repeated mishandling of exploits in their possession allows them to leak into the public domain and cause “widespread damage,” Smith wrote, adding that an “equivalent scenario… would be the US military having some of its Tomahawk missiles stolen.”
“This most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today – nation-state action and organized criminal action,” Smith stated.
Smith said the latest attack should serve as a “wake-up call” to world governments who should urgently establish a common set of strategies to deal with cyber threats.
“The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world,” Smith wrote. “We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits.”
While acknowledging Microsoft’s responsibility for failing to prevent the attack by failing to notify all customers to install the patch on time, Smith also noted that cybersecurity is a “shared responsibility” between tech companies and customers.
“We take every single cyberattack on a Windows system seriously, and we’ve been working around the clock since Friday to help all our customers who have been affected by this incident,” Microsoft’s president added.
An investigation is currently underway to determine the source of the cyberattack. According to the European Cybercrime Centre, Europol is “working closely” with countries affected by the blitz to identify the culprits. Microsoft too is contributing to the investigation.
“Working through our Microsoft Threat Intelligence Center (MSTIC) and Digital Crimes Unit, we’ll also share what we learn with law enforcement agencies, governments, and other customers around the world,” Smith wrote.