A top Microsoft executive criticized the U.S. and other governments that hoard software exploits in the wake of the massive global infection by WannaCry ransomware, as the company struggled to deal with the fallout from the hundreds of thousands of unpatched computers affected and, for the first time, offered free patches for older software products it long ago stopped supporting.
In a blog post Sunday, the Redmond, Wash.-based software giant’s President and Chief Legal Officer Brad Smith said WannaCry — which has spread across the internet due to a backdoor kept secret by the National Security Agency — should be “a wake-up call” for governments all over the world.
“They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world,” he wrote, comparing the theft of the NSA tools — publicly published last month by an anonymous group calling itself the Shadow Brokers — to “the U.S. military having some of its Tomahawk [cruise] missiles stolen.”
His comments came as Computer Emergency Response Teams, or CERTs, across the globe continued to deal with the fallout from infections — a Chinese security firm said nearly 30,000 enterprises there had been struck — and as a running tally of the bitcoin addresses into which the malware’s authors were collecting ransom showed they had garnered only about $54,000 by noon EDT Monday.
“We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits,” continued Smith, explaining that this was why the company had called for a new “Digital Geneva Convention” — “including a new requirement for governments to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them.”
The NSA did not immediately respond to a request for a comment, but former agency senior official Curtis Dukes, now executive vice-president of the Center for Internet Security, said that would amount to “unilateral disarmament” by the U.S.
“It’s a laudable goal,” he said of the Microsoft call, “but we all know some countries would sign up and then secretly violate it.” He declined comment on the Shadow Brokers’ claims that the tools they dumped came from the NSA.
“This is one of those moments where it feels like the operation was a success but the patient died,” joked former White House National Security Council cyber staffer Rob Knake, noting that the tools were released April 14th — a month after Microsoft had released a patch to the vulnerability WannaCry has exploited so effectively.
“While I guess it is possible that [the] Shadow Brokers shared the exploit kit with Microsoft ahead of time, it is more likely that the NSA released the vulnerability to Microsoft so they could get a patch out.
“In my view, there isn’t a policy problem, it’s an operational problem,” Knake, now with the Council on Foreign Relations, told CyberScoop. “NSA should not have lost those tools. No way for policymakers to account for that problem other than to move quickly to get info on the vulnerabilities out, which they apparently did. Loss of the tools is an operational problem. The response was appropriate and timely.”
But Ari Schwartz, another former White House cyber official, agreed with Smith that “We have reached a turning point where it is not sustainable for governments to think they can retain vulnerabilities for very long.”
Dukes agreed the policy governing the U.S. use of newly discovered software vulnerabilities probably needed an overhaul. “It’s a good first step,” he said of the Vulnerability Equities Process, but noted that it didn’t apply to cyberweapons developed before it was instituted. He said U.S. agencies should probably apply it retroactively, as well.
Schwartz, now a lawyer with Venable, noted that “unpatched vulnerabilities are a danger to all no matter whose hands they are in. … One area that may be worth looking at more is disclosure procedure for vulnerabilities that are known to have been leaked or stolen, no matter how long ago those vulnerabilities were discovered.”
Over the weekend, Microsoft took the unprecedented step of offering free patches to fix the vulnerability in several software products the company long ago discontinued — including Windows XP, which is still used by millions of companies all over the world.
Dukes said the most important lesson to be drawn from the ransomware was the need for enterprises to keep their systems patched and up to date. Currently, users have to change their settings to ensure they get patches installed automatically.
“We may have reached a point where we need to make automated patching and updating opt-out rather than opt-in,” he said.
Chris Bing contributed to this story.