Microsoft criticizes governments for stockpiling cyber weapons, says attack is 'wake-up call'

Key Points
  • Microsoft President Brad Smith addressed the WannaCry (WannaCrypt) ransomware attack, which is affecting old Windows computers that have not been patched.
  • In a blog post on Sunday, Smith said that the "stockpiling of vulnerabilities by governments" is a big problem.
  • Smith called for governments to take the same approach to cyber weapons as they do with physical weapons.

Microsoft criticized governments for stockpiling secret exploits of computer systems, calling the ongoing WannaCry ransomware attack a "wake-up call."

The ransomware, also called WannaCrypt, was first noticed on Friday, and has affected at least 200,000 computers in more than 150 countries, including some in hospitals, locking them until their owners pay a Bitcoin ransom to the attackers.

Some security experts expect a second wave of the attack to start Monday morning, as employees arrive at work and turn on affected computers.

The WannaCry software is particularly virulent because it doesn't necessarily require users to take any action, like clicking a link or downloading software, to spread; it can also spread automatically through file-sharing systems on networks.


WannaCry uses a vulnerability in old versions of Windows that was originally discovered and exploited by the U.S. National Security Agency as an offensive cyber-weapon.

"This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem," wrote Microsoft President Brad Smith in a blog post on Sunday.

"We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage."

Smith's post deflects criticism of Microsoft by noting that the company issued a patch for the vulnerability earlier this year, but many organizations didn't patch older computers. Smith also said that Microsoft has been "working around the clock" to assist affected customers, even those on older operating systems that are no longer supported.

But he also warns that similar attacks will recur unless governments stop stockpiling these kinds of vulnerabilities:

The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits. This is one reason we called in February for a new "Digital Geneva Convention" to govern these issues, including a new requirement for governments to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them.