Microsoft is criticizing government agencies for hoarding software flaws and keeping them secret, calling this weekend’s massive ransomware attack a “wake-up call.”
Brad Smith, Microsoft’s chief counsel, wrote Sunday in a company blog post that by keeping the vulnerabilities secret from vendors, it opens users open to attacks like the WannaCry hack, in which malware locked down computers while demanding a hefty sum for freedom. He compared the WikiLeaks release of NSA hack tools to a theft of weapons from the US military.
“An equivalent scenario with conventional weapons would be the US military having some of its Tomahawk missiles stolen,” Smith wrote. “And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today — nation-state action and organized criminal action.
“The governments of the world should treat this attack as a wake-up call,” he wrote. “We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits.”
This isn’t the first time US spy agencies have been accused of knowing about vulnerabilities and keeping them secret. The NSA reportedly knew of the Heartbleed bug for at least two years before the security vulnerability was revealed in 2014, keeping it secret and exploiting it to gather intelligence.
The WannaCry attack has hit thousands of computers across around the world, but hospitals in England have attracted the most attention because lives are at risk while hospital systems are locked down. As of Sunday morning, more than 100,000 organizations in at least 150 countries had been affected, according to Europol, the European Union’s police agency.
Ransomware is malware that encrypts important files, essentially locking people out of their computers unless they pay up to prevent their entire system from being deleted. Attacks of this kind have spiked in the last year, jumping from 340,665 in 2015 to 463,841 in 2016, according to Symantec. The healthcare industry has become a major target, with ransomware making up more than 70 percent of malware attacks against hospitals, pharmacies and insurance agencies.