As the WannaCry ransomware exploit spreads across 150 countries and over 200,000 machines, blame is spreading wildly too. And Microsoft has used cybersecurity’s latest headline-grabbing moment to call for a “Digital Geneva Convention” to limit and defang future cyberattacks.
Redmond has also received some share of the blame. Although Microsoft released a security patch in March that closes the “WannaCry”/“WannaCrypt” hole, unsupported versions of Windows, including the still broadly popular Windows XP, were left vulnerable until last Friday, when the company issued a belated patch for XP.
On the other hand, says company president Brad Smith in a blog post over the weekend, the WannaCrypt exploit drew on vulnerabilities the NSA stockpiled but did not publicize or even report covertly to Redmond. Instead, hackers stole those vulnerabilities from NSA and reportedly used them to make WannaCry.
In addition to blaming the spooks, IT departments have also been rapped for being slow to respond to patched vulnerabilities like Microsoft’s Security Bulletin from March.
Yet above the entire chorus of blame, Microsoft is also promoting clearer cybersecurity expectations and responsibilities for companies and governments.
It’s time, Smith told this year’s RSA 2017 conference, to take a page from the atomic age.
“What the world needs is a new independent organization, a bit like the International Atomic Energy Agency that has addressed nuclear nonproliferation for decades,” Smith said in February. “We need an agency that has the international credibility not only to observe what's happening, but to call the question and even identify the attackers when nation-state attacks happen. That is the only way that governments will come to recognize that this is not a program that will continue to pay off.”
“What we need now is a Digital Geneva Convention,” Smith said. “We need a convention that will call on the world's governments to pledge that they will not engage in cyberattacks on the private sector, that they will not target civilian infrastructure, whether it's of the electrical or the economic or the political variety. We need governments to pledge that, instead, they will work with the private sector to respond to vulnerabilities, that they will not stockpile vulnerabilities, and they will take additional measures.”
Hans Klein, associate professor at Georgia Tech’s School of Public Policy, says Microsoft is taking some risk in being as proactive as it is in the current ransomware crisis.
“In some ways it’s a daring move by Microsoft,” Klein says. “It opens up the question of global regulation of companies like Microsoft. … If we start talking about global public policy, and Geneva Conventions and industry agreements, suddenly it might not just be the governments that are being asked to behave better—and possibly with sanctions backing that up. The companies might be asked or required to behave better too. And that might not be a bad thing.”
For instance, Klein says, what if Windows XP (whose support Microsoft officially cut off in April 2014) is so broadly adopted around the world that governments begin requiring Microsoft to continue supporting XP regardless of whether doing so is profitable for the company? What if, in other words, Windows XP has become something closer to a public utility?
“When it happened, I thought it was pretty noteworthy that a company could declare that it would no longer support a product like Windows XP,” Klein says. “Apparently there was some limited debate [in 2014] but a little less than I expected. But now WannaCry has hit, and [the XP debate] might come back. When the hospitals are getting hit hard, maybe there’s a social and public responsibility for Microsoft.”
As this story was going to press, security researchers at Heimdal Security reported a new variant of the WannaCry/WannaCrypt ransomware that did not contain the “kill switch” that had hobbled previous versions of the exploit.
So any hopes for a quick end to the current ransomware crisis have at least temporarily been quashed. All the more reason, perhaps, for Redmond to think big.
Margo Anderson is the news manager at IEEE Spectrum. She has a bachelor’s degree in physics and a master’s degree in astrophysics.