On the heels of a widespread ransomware attack that may have used leaked National Security Agency hacking methods, Microsoft is calling for governments to cease stockpiling secret means of bypassing software security.
“Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen,” wrote Brad Smith, president and chief legal officer at Microsoft, on a company blog Sunday evening.
WanaDecrypt0r, alternately known by names like Wanna Cry, struck hundreds of thousands of computers in more than 100 nations since the attack began Friday morning, with victims ranging from hospitals in the U.K. to a telecom in Spain, U.S.-based FedEx to the Russian Ministry of the Interior.
WanaDecrypt0r was so virulent in part because it used a Windows hacking tool that appears to have been stolen and leaked from the NSA. Though Microsoft had patched the security hole in Windows that tool used in March before it was leaked in April, businesses often lag in installing updates for reasons including industry-specific software being incompatible with the most current version of operating systems.
“[I]n February [we called] for a new “Digital Geneva Convention” to govern these issues, including a new requirement for governments to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them,” wrote Smith.
By reporting bugs instead of using them to conduct hacking espionage, manufacturers would be able to increase cybersecurity for all of its users — but that would come at the cost of intelligence and sabotage operations.
There have been rules concerning under which circumstances U.S. agencies can keep security vulnerabilities they discover secret. The Obama administration set up the Vulnerability Equities Process (VEP) to require agencies to presume they will report software flaws they discover to manufacturers. It also gave the option of arguing to third-party panel why they should keep a vulnerability secret.
The VEP is opaque. It is varying degrees of unclear how good agencies were at following it, how often vulnerabilities were kept or whether the Trump administration changed any standards.
Legislators have toyed with the idea of codifying the Obama rules in the past.
On Friday, as WanaDecrypt0r raged out of control, Rep. Ted Lieu (D-Calif.) touted legislation he was creating with “industry stakeholders” that would make the process more transparent.
“It is deeply disturbing the National Security Agency likely wrote the original malware,” wrote Lieu in a statement.