Microsoft criticized U.S. government agencies for “stockpiling of vulnerabilities” in light of the recent widespread ransomware attack targeting institutions around the world.
Microsoft President and Chief Legal Officer Brad Smith penned a blog post Sunday about the massive cyberattack that used a ransomware known as “WannaCry” which locked down hundreds of thousands of computers at hospitals, businesses, governments, and more around the world over the past several days.
Smith said agencies like the NSA and CIA should disclose vulnerabilities so that they can be fixed, rather than keeping them secret.
“This is an emerging pattern in 2017,” Smith wrote. “We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen.”
Added Smith: “We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits.”
WannaCry reportedly took advantage of a vulnerability in Windows that Microsoft patched earlier this year. Microsoft on Saturday took the “highly unusual step” of releasing a public patch for older Windows versions that are otherwise only eligible for custom support — Windows XP, Windows 8 and Windows Server 2003 — to fix the vulnerability being exploited by the ransomware attack.
In the post today, Smith noted the tech sector, customers, and government need to work better together to protect consumers. He referenced Microsoft’s proposed initiative from February called the “Digital Geneva Convention” that would set standards for protecting civilians from cyberattacks by nation-states.
Smith also wrote that “cybersecurity has become a shared responsibility between tech companies and customers.”
“This attack is a powerful reminder that information technology basics like keeping computers current and patched are a high responsibility for everyone, and it’s something every top executive should support,” he said.
In an internal email sent to employees, Judson Althoff, EVP of Microsoft’s Worldwide Commercial Business, wrote about the importance of helping customers affected by the attack. Here’s the email in full:
Earlier today, Brad Smith posted a blog looking at the broader implications of the malicious “WannaCrypt” software attack that took place over the last few days. If you haven’t yet, please take a few minutes to read through it.
As you know, many of our customers were affected by this attack. We have been in contact proactively and reactively with all customers we can identify to offer assistance. More immediately, all of our customers are aware of what happened and will have questions and concerns of their own. The most important thing we can do right now is to be in touch with them, and to offer reassurance and guidance as appropriate. You will have already received much of the technical guidance, and of course it is fine to share this with customers as it makes sense. Our key direction to you is to remember that we are in this with our customers – we are trusted advisors, counselors, and suppliers to them. More than technical guidance, I want you to make sure you are spending the time needed to understand the concerns they have and that they know we are here to help.
One sign of this is our decision to release the collective update to all systems, even those out of support. We took this action because we put all of our customers first, and knew this was a step we could take for maximum global protection. If we identify more opportunities to take action, we will do so.
Thank you for your focus on this and the reassurance you can provide for our customers.
Editor’s note: The email from Judson Althoff was added to this story.