Microsoft has lashed out at security agencies for stockpiling cyber-attack weapons which are now being stolen and used by hackers with destructive results.
Microsoft has urged nations to report vulnerabilities than to stockpile, sell, or exploit them for their own gains.
Microsoft has responded to last week's WannaCry ransomware attack that affected 200,000 systems across 150 countries. In a detailed blog post, the technology company has not only explained how it worked with customers to fight the ransomware, but has also offered a word of advice to nations in general and the NSA in particular.
As it turned out, the WannaCry ransomware was initially stored in the NSA's servers for use in future surveillance. Suspected hackers, who are yet to be identified, stole the malware from NSA and used it to wreak havoc across the world. Among affected institutions, the NHS stood out with as many as 16 NHS organisations unable to take calls or render services to patients on Friday.
Microsoft finds it strange that instead of reporting cyber-weapons or building antidotes, security agencies chose to store them for use in future operations. "This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem," notes the company.
"Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today – nation-state action and organized criminal action," it adds.
"The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits," Microsoft concluded. The company has called for a “Digital Geneva Convention” where governments would pledge to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them.
Back in March, a list of potent hacking tools employed by the CIA was published by WikiLeaks after it came to light that the said tools were passed on to the company by a suspected CIA insider. The data leak in question pertained to the CIA's ability to hack into smartphones, smart televisions and computer systems using advanced tools.
Some of these tools were developed in partnership with UK spy agency MI5 and were being used to hack into popular platforms including Windows, macOS, iOS and Android. Microsoft has referred to the said data leakage and has expressed concern on security agencies harbouring such cyber-weapons instead of destroying or reporting them. WikiLeaks editor Julian Assange has expressed a similar concern in March.
“There is an extreme proliferation risk in the development of cyber weapons. Comparisons can be drawn between the uncontrolled proliferation of such ‘weapons’, which results from the inability to contain them combined with their high market value, and the global arms trade," he said.