WannaCry, ransomware that locks a PC user out of their own files until the attackers are paid, has come back with a vengeance. It targets Windows computers, and Microsoft’s top lawyer has just put the government on notice for stockpiling the flaw it exploits.
The ransomware, which demands a Bitcoin payment before restoring access to the encrypted files, has hit more than 200,000 victims, many of them in Europe, according to authorities. Its roots trace to the National Security Agency (NSA): the ransomware itself is criminal code, but it spreads from machine to machine using a Windows SMB exploit from the cache of NSA tools that was leaked online, targeting a flaw Microsoft had fixed in March under bulletin MS17-010. Whether the authors reused the leaked exploit as-is or rebuilt it from it is not yet clear. Late Friday, White House Homeland Security Adviser Tom Bossert called an emergency meeting of the Cyber Response Group, a government committee charged with strategizing digital defense.
Politico reports the meeting involved the “National Security Council’s entire cyber directorate.”
Last month, the NSA tools believed to be behind WannaCry’s spread were leaked online. Brad Smith, Microsoft’s President and Chief Legal Officer, says the company had already released a security update addressing the vulnerability, though it protected only those Windows devices on which the update had actually been installed; on Friday Microsoft also issued an emergency patch for versions it no longer supports, such as Windows XP. He added that an unknown number of “hospitals, businesses, governments, and computers at homes were affected.”
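For readers who administer Windows machines, the question Smith’s statement raises is a practical one: does a given host actually have that update, and is the SMBv1 service the leaked exploit targets still switched on? The following PowerShell snippet is an example added here, not code from the article or from Microsoft. The list of KB numbers is my recollection of the updates Microsoft published under bulletin MS17-010 and should be verified against that bulletin for your Windows build; the SMB and firewall cmdlets assume Windows 8 / Server 2012 or later.

```powershell
# Added example (not from the article): check whether this Windows host has an
# MS17-010 update installed and whether SMBv1, the protocol the leaked exploit
# targets, is still enabled. Run from an elevated PowerShell prompt.
#
# Assumption: the KB list below is the MS17-010 update set as published in
# Microsoft's bulletin. Later cumulative updates that supersede these are not
# listed, so "not found" on a host running a newer rollup is inconclusive and
# should be followed up via Windows Update history; treat "found" as positive
# evidence only.
$ms17010Kbs = @(
    'KB4012212', 'KB4012215',                # Windows 7 / Server 2008 R2 (security-only / monthly rollup)
    'KB4012213', 'KB4012216',                # Windows 8.1 / Server 2012 R2
    'KB4012214', 'KB4012217',                # Server 2012
    'KB4012598',                             # Windows XP, Vista, Server 2003, Windows 8 (out-of-band, 12 May 2017)
    'KB4012606', 'KB4013198', 'KB4013429'    # Windows 10 1507 / 1511 / 1607
)

# Get-HotFix reads the installed-update list from WMI; HotFixID is the KB string.
$installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
$found = $ms17010Kbs | Where-Object { $installed -contains $_ }

if ($found) {
    Write-Host "MS17-010 update present: $($found -join ', ')"
} else {
    Write-Warning "No MS17-010 KB found via Get-HotFix; check Windows Update history before assuming the host is unpatched or patched."
}

# SMBv1 server status. The cmdlet exists on Windows 8 / Server 2012 and later;
# on Windows 7 the equivalent switch is the SMB1 DWORD under
# HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters.
$smb = Get-SmbServerConfiguration -ErrorAction SilentlyContinue
if ($null -ne $smb) {
    if ($smb.EnableSMB1Protocol) {
        Write-Warning "SMBv1 server is enabled; disable it unless a legacy client depends on it:"
        Write-Host "  Set-SmbServerConfiguration -EnableSMB1Protocol `$false -Force"
    } else {
        Write-Host "SMBv1 server is disabled."
    }
} else {
    Write-Host "Get-SmbServerConfiguration unavailable on this Windows version; inspect the LanmanServer SMB1 registry value instead."
}

# Host-firewall rules that mention TCP 445. The worm needs to reach this port,
# so an inbound block from untrusted networks is the second line of defence.
Get-NetFirewallPortFilter -ErrorAction SilentlyContinue |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -eq 445 } |
    Get-NetFirewallRule |
    Select-Object DisplayName, Enabled, Direction, Action |
    Format-Table -AutoSize
```

The script is read-only apart from the printed remediation command; it reports rather than changes state, so it can be pushed to a fleet through a remote-management tool and the output collected before anyone decides to disable SMBv1, which some older printers and NAS devices still require.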
[Embedded tweet from Edward Snowden (@Snowden), May 14, 2017; the tweet text is not preserved here.]
Pointing to Microsoft’s efforts to thwart such threats, Smith says cybersecurity is now a shared responsibility for everyone. He also argues that governments bear part of the blame and may not be doing their part to solve the problems they create:
Finally, this attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem. This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today – nation-state action and organized criminal action.
The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits. This is one reason we called in February for a new “Digital Geneva Convention” to govern these issues, including a new requirement for governments to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them. And it’s why we’ve pledged our support for defending every customer everywhere in the face of cyberattacks, regardless of their nationality. This weekend, whether it’s in London, New York, Moscow, Delhi, Sao Paulo, or Beijing, we’re putting this principle into action and working with customers around the world.
We should take from this recent attack a renewed determination for more urgent collective action. We need the tech sector, customers, and governments to work together to protect against cybersecurity attacks. More action is needed, and it’s needed now. In this sense, the WannaCrypt attack is a wake-up call for all of us. We recognize our responsibility to help answer this call, and Microsoft is committed to doing its part.
Smith’s argument will outlast this particular outbreak. WannaCry’s spread is slowing, and experts say it could have been “much worse,” but it is neither the first nor the last of its kind. Preventive measures did exist: the fix had been available for two months, SMBv1 can be disabled where nothing depends on it, and TCP port 445 can be blocked at the network edge. What remains hard is anticipating which exploits a mostly secretive government agency is holding, and when one of them will leak.