A Microsoft blog post on Lessons From Last Week’s Cyberattack blasted the NSA and the CIA for for “stockpiling vulnerabilities” to exploit them rather than report them to Microsoft to be fixed.

The blast was well deserved. In its blog, Microsoft also discusses “shared responsibility” of users not keeping up to date with software. I certainly agree on that point, but there is no excuse for US government agencies to seek out these vulnerabilities and use them without reporting them.

Early Friday morning the world experienced the year’s latest cyberattack.

Starting first in the United Kingdom and Spain, the malicious “WannaCrypt” software quickly spread globally, blocking customers from their data unless they paid a ransom using Bitcoin. The WannaCrypt exploits used in the attack were drawn from the exploits stolen from the National Security Agency, or NSA, in the United States. That theft was publicly reported earlier this year. A month prior, on March 14, Microsoft had released a security update to patch this vulnerability and protect our customers. While this protected newer Windows systems and computers that had enabled Windows Update to apply this latest update, many computers remained unpatched globally. As a result, hospitals, businesses, governments, and computers at homes were affected.

As cybercriminals become more sophisticated, there is simply no way for customers to protect themselves against threats unless they update their systems. Otherwise they’re literally fighting the problems of the present with tools from the past. This attack is a powerful reminder that information technology basics like keeping computers current and patched are a high responsibility for everyone, and it’s something every top executive should support.

Finally, this attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem. This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today – nation-state action and organized criminal action.

The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits. This is one reason we called in February for a new “Digital Geneva Convention” to govern these issues, including a new requirement for governments to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them. And it’s why we’ve pledged our support for defending every customer everywhere in the face of cyberattacks, regardless of their nationality. This weekend, whether it’s in London, New York, Moscow, Delhi, Sao Paulo, or Beijing, we’re putting this principle into action and working with customers around the world.

We should take from this recent attack a renewed determination for more urgent collective action. We need the tech sector, customers, and governments to work together to protect against cybersecurity attacks. More action is needed, and it’s needed now. In this sense, the WannaCrypt attack is a wake-up call for all of us. We recognize our responsibility to help answer this call, and Microsoft is committed to doing its part.

Brad Smith
President and Chief Legal Officer

NSA Guilty of Criminal Negligence

Microsoft is spot on with its blog post. As an alleged protector of US security, the NSA sure did a piss poor job. More accurately, the NSA is guilty of criminal negligence for its role in this mess.

I repeat my questions from WannaCry Cyber Attack Hits 99 Countries, FedEx, Nissan, Hospitals, Universities with NSA Developed Malware: Five Questions.

Questions Abound

  1. Just how stupid was the NSA to get hacked itself?
  2. Just how stupid was the NSA for attempting to utilize the hole instead of informing Microsoft?
  3. Did the NSA demand that backdoor?
  4. Do we thank the folks who hacked the NSA for publicizing the backdoor necessitating the need to patch the hole?

Bonus fifth question: When does the Congressional investigation start?

Mike “Mish” Shedlock