Microsoft is trying to teach the United States government a lesson in cyber security. Following the most recent international
cyberattack on Windows systems in nearly a hundred countries, the company is calling upon the U.S. government to act immediately to secure the Internet for all its users.
The cyberattack began late last week and was transmitted via email. Nicole Perlroth and David Sanger’s New York Times report on the incident explains, “The malicious software locked British hospitals out of their computer systems and demanded ransom before users could be let back in — with a threat that data would be destroyed if the demands were not met. By late Friday the attacks had spread to more than 74 countries.”
Aside from being the largest ransomware assault on record, this glimpse of cyberwar was notable for one other reason — the attackers used a cyber weapon developed by the U.S. National Security Agency (NSA).
Starting last year, a group calling itself “Shadow Brokers” stole software tools that came from the U.S. government’s stockpile of hacking weapons and began selling them to the highest bidder; essentially, this attack was simply the first time cyberweapons funded by the American taxpayer and developed by the NSA were stolen by criminals to be used against patients, hospitals, businesses, governments, and ordinary citizens.
The NSA is believed to have seen flaws within Microsoft’s security system as a cybersecurity threat already, and an existing federal program provides for intelligence agencies to inform companies of these vulnerabilities; however, because of the secrecy of these agencies they often fail to do this, allowing cybercriminals to take advantage of known bugs. Which is Microsoft is calling for a revamp of how U.S. agencies handle cyber weapons.
In a blogpost, Microsoft President and Chief Legal Officer, Brad Smith argues, “Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen…The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits.”
Smith is absolutely correct, with over 1.7 billion desktop and laptop computers utilizing Microsoft Windows all over the world, the U.S. cannot simply remain silent in its own intelligence interest while putting the security of millions at stake. This attack alone left 128.8 million computers on Windows XP and other older operating systems absolutely exposed to ransomware, and nearly another billion users on Windows 7, 8.1 and Vista at potential risk.
Since only Windows 10 users — only about 30 percent of PCs worldwide — were immune to the attack, by keeping the vulnerability a secret, 54 percent of PCs could have been affected.
In London, hospitals and clinics were forced to turn away patients due to a complete inability to utilize computers. The healthcare sector is particularly vulnerable due to its reliance on technology and storage of critical patient information, police departments, transportation systems and utilities companies in the U.S. and Europe are also at significant risk.
A vulnerability within Microsoft Windows is a vulnerability to the entire world. Our intelligence agencies cannot prioritize their ability to offensively use these tools against foreign enemies over protecting national security when those same weapons can be used against us. If U.S. intelligence agencies discover a flaw in Microsoft’s system it has the duty to inform Microsoft so they can offer a patch.
Without this notification they are simply waiting for cybercriminals to discover it and use it against our own people and allies — putting everyone at risk.
When an American soldier was killed by a weapon our government “lost,” there is outrage. We must apply the same logic to the growing cyberwar and Congress should force our government to work alongside private companies, rather than against them. We got lucky this time.