Microsoft issued an interesting statement last weekend, following Friday’s global ransomware attack. This attack, driven by the WannaCrypt worm, was one of the most destructive cyber-attacks yet, affecting more than 10 countries and screwing up everything from British hospitals and Spanish telephone companies to the Russian defence ministry.
What’s interesting is that the attack was based on a security vulnerability that was discovered by the National Security Agency. The NSA didn’t create the weakness, and it wasn’t a backdoor added to let government snoopers in, but they did find it. To give them credit, they immediately told Microsoft about it, and the company released a patch for all supported versions of Windows back in March.
That’s not all they did, though. They also added the vulnerability to a list of known Windows security flaws and worked out a couple of ways of exploiting it. Well, of course they did; the NSA’s main job is to collect information, and most information is now stored on computers. Having a list of ways to get into common operating systems is one of the things the NSA is supposed to do.
On the other hand, one of the things the NSA is not supposed to do is let its lists of security exploits get stolen and published online, which is exactly what happened with this one. A few crackpots are claiming that the NSA actually developed WannaCrypt; this is nonsense. What did happen was that once the vulnerabilities listed by the NSA were leaked, criminals were able to bolt existing malware onto a worm designed to exploit one of those vulnerabilities.
Now Microsoft is complaining about the “stockpiling” of security vulnerabilities by governments. As they point out, both the NSA and CIA have had vulnerability lists stolen and put online in the last six months, and now one of them has been used to cause massive damage worldwide. Microsoft compared this to someone stealing Tomahawk missiles from the US military.
The company is calling for what it calls a “Digital Geneva Convention”, saying that governments should take the same approach to cyber security as they do to the security of physical weapons. They want agencies like the NSA to be obliged to report vulnerabilities to software companies so they can be patched, instead of collecting them for possible use.
From a national security point of view, this is a tricky issue. The NSA, or Britain’s GCHQ, needs to be able to penetrate the security of computer systems if it’s going to do the offensive side of its job. Set against that, they have a defensive role too – protecting vital computer systems at home. The WannaCrypt attack has done harm to the USA and a lot of its allies, and by storing vulnerabilities where they could be stolen and leaked, the NSA failed in that part of its mission. Is it realistic to expect the NSA to stop looking for security exploits? Of course not. But Microsoft does have a point; in today’s connected world, network vulnerabilities are weapons, and governments that possess them need to make sure they’re kept securely locked up.
Disclaimer: The content in this article is the opinion of the writer and does not necessarily reflect the policies or opinions of US Patriot Tactical.