Global governments should treat a massive international cyber attack that struck last week as a wake-up call and should feel a “renewed determination for more urgent collective action,” the chief legal officer of Microsoft has said.
Writing in a blog post, Brad Smith said that the multinational technology company had been working around the clock since Friday to help customers affected by the attack, but that there were lessons to be learned on how to work together to avoid these types of incidents in future.
He said that the WannaCrypt ransomware used in the attack was “drawn from the exploits stolen from the National Security Agency, or NSA, in the United States”.
That theft, he said, was publicly reported earlier this year, and in March Microsoft released a security update “to patch this vulnerability and protect our customers”.
“While this protected newer Windows systems and computers that had enabled Windows Update to apply this latest update, many computers remained unpatched globally,” he said. “As a result, hospitals, businesses, governments, and computers at homes were affected.”
As a result, Mr Smith said, the attack demonstrates the degree to which cybersecurity has become a shared responsibility between tech companies and customers.
“As cybercriminals become more sophisticated, there is simply no way for customers to protect themselves against threats unless they update their systems,” he said. “Otherwise they’re literally fighting the problems of the present with tools from the past.”
He also said that the attack highlights “why the stockpiling of vulnerabilities by governments is such a problem”.
“We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world.”
He likened the most recent cyber attack to “the US military having some of its Tomahawk missiles stolen” and said that it “represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today”, namely nation-state action and organised criminal action.
Governments, he said, must treat the attack as a wake-up call.
“They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world,” Mr Smith said.
“We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits,” he said.
“We need the tech sector, customers, and governments to work together to protect against cybersecurity attacks. More action is needed, and it’s needed now.”