A Microsoft executive sharply criticized a U.S. spy agency Sunday for its role in weaponizing a weakness in Windows and allowing it to be stolen by hackers and used to launch history’s largest ransomware attack.
“This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem,” Brad Smith, president and chief legal officer at Microsoft, wrote in the wake of the “WannaCry” computer virus attack, which crippled computers worldwide.
He compared it to the U.S. military having some of its Tomahawk missiles stolen. “And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today — nation-state action and organized criminal action,” he added.
Smith’s criticism comes as the virus continues to spread around the globe, despite the efforts of companies, governments and security experts. Europe’s leading police agency said Sunday that the computer virus had reached an “unprecedented level,” claiming 200,000 victims and spreading to at least 150 countries.
With employees returning to work Monday, there were fears that more infections would be discovered. There were also reports that new variations of the virus were appearing.
In an interview with Britain’s ITV, Europol Director Rob Wainwright said a cross-border investigation would be necessary to track down the culprits.
“It is unlikely to be just one person, I think,” he told ITV.
The fast-moving virus, which first hit Friday, exploits a vulnerability in the Windows operating system that had been discovered by the U.S. National Security Agency. That information was stolen by hackers and published online.
In his response, Smith highlighted the work Microsoft has done to improve the security of its products, long a target of criticism in the security community. He said the company now has 3,500 security engineers, many of whom now act as “first responders” in such cases.
The company had released a security update this year to address the vulnerability that the NSA found. But that leads to the next culprit on Smith’s list.
He noted that customers, particularly large organizations and companies, are groaning under the burden of hugely complex systems that have evolved over decades and can be difficult to maintain and upgrade.
“The fact that so many computers remained vulnerable two months after the release of a patch illustrates this aspect,” he wrote. “As cybercriminals become more sophisticated, there is simply no way for customers to protect themselves against threats unless they update their systems. Otherwise they’re literally fighting the problems of the present with tools from the past.”
Indeed, Britain’s National Health Service suffered one of the worst attacks because, in part, many of its systems were running Windows XP, an older version of the operating system that Microsoft had stopped supporting long ago. Over the weekend, the company took the extraordinary step of releasing security updates for XP and other versions it no longer supported.
But Smith saved his harshest words for the NSA and called on international governments and policymakers to rethink their approaches to cybersecurity and cyberspying. In doing so, he joined a chorus of critics who had been pointing fingers all weekend at the NSA.
“The governments of the world should treat this attack as a wake-up call,” Smith said. “They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits.