Top Microsoft lawyer slams government for ‘stockpiling’ vulnerabilities


As IT departments around the world are still reeling from the weekend’s spate of ransomware attacks, Microsoft’s head legal counsel has slammed the United States government for “stockpiling” vulnerabilities.

In a blog post, Microsoft president and chief legal officer Brad Smith criticized the NSA for collecting and storing zero-days that it could lose control of. That appears to be exactly what happened this past weekend when the WannaCry ransomware was unleashed on companies like FedEx, NHS hospitals in the United Kingdom, car manufacturers, and telcos. The malware is believed to have been stolen by a mysterious hacker group called the Shadow Brokers and leaked online.

Smith said this case and the recent case around WikiLeaks publishing details of hacking tools and vulnerabilities used by the CIA are causing “widespread damage”.

“An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen,” he said. “And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today — nation-state action and organized criminal action.”

The culprits behind the attacks remain unknown. On Monday morning, businesses returned to work with apprehension as their IT departments were still assessing the damage. Staff in NHS hospitals in the U.K. were advised to not log in to their computers this morning as it was still awaiting a new antivirus installation.

The global incident should be a “wake-up call” to governments, Smith said in the blog post, which pulled no punches. Smith suggested that governments need to treat malware with the same rules as physical weapons and the effect they can have on ordinary people. In the case of hospitals attacked by WannaCry, there were reports of some important patients’ procedures being postponed.

Smith went on to reiterate Microsoft’s call for a “Digital Geneva Convention” to regulate how governments handle zero-days, requiring them to disclose these vulnerabilities to vendors so they can be patched promptly.

“We should take from this recent attack a renewed determination for more urgent collective action. We need the tech sector, customers, and governments to work together to protect against cybersecurity attacks.”