Microsoft: Ransomware Illustrates Danger of Government 'Exploits' - Broadcasting & Cable

Microsoft: Ransomware Illustrates Danger of Government 'Exploits'

Company renews call for digital 'Geneva Convention'
Author:
Publish date:
Keyboard_Jeroen Bennink.jpg

The worldwide malware/ransomware attack provides an object lesson in not allowing helping the government hack into devices or providing it with technological workaround to security.

That is according to Microsoft president and chief legal officer Brad Smith, who pointed out in a blog post that the ransomware employed information stolen "exploits" from the National Security Agency--"exploits" are ways to exploit computer vulnerabilities, which governments use to attack each other on the field of cyber battle.

Microsoft and the government has said that a Microsoft patch would prevent the attack, but many computers lack that patch.

"[T]his attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem," he said. "We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen."

Microsoft has called for a digital Geneva Convention to establish some rules of cyber war.

The recent worldwide malware/ransomware attack provides an object lesson in not helping the government hack into devices or providing it with technological workarounds to security. 

That is according to Microsoft president and chief legal officer Brad Smith, who pointed out in a blog post that the ransomware employed stolen "exploits" from the National Security Agency—"exploits" are ways to exploit computer vulnerabilities, which governments use to attack each other on the field of cyber battle.

Microsoft and the government have said that a Microsoft patch would prevent the attack, but many computers lack that patch.

"[T]his attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem," he said. "We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen."

Microsoft has called for a digital Geneva Convention to establish some rules of cyber war.

Republican leadership in the House Energy & Commerce Committee said they were monitoring the cyber threat closely.

“We continue to closely monitor the events surrounding the global ransomware infection and have been in contact with the various agencies and people with knowledge of the situation,” they said. “We understand the gravity of the situation as this infection has affected businesses, hospitals, and universities across the globe and poses a significant risk to consumer safety, privacy, and data security. We look forward to receiving updates on the situation and eagerly await additional information as it becomes available.”

The "they" are Oversight and Investigations Subcommittee Chairman Tim Murphy (R-Pa.), Communications and Technology Subcommittee Chairman Marsha Blackburn (R-Tenn.), Health Subcommittee Chairman Michael C. Burgess, M.D. (R-Tex.), and Digital Commerce and Consumer Protection Subcommittee Chairman Bob Latta (R-Ohio).Republican leadership in the House Energy & Commerce Committee said they were monitoring the cyber threat closely.

Elsewhere on the ransomware front, Sen. Mark Warner (D-Va.) vice chair of the Senate Intelligence Committee and a co-founding member of the Senate Cybersecurity Caucus, has asked the Administration what it is doing to insure federal IT systems have installed security updates to defend against that ransomware.

“Both within the federal government and across critical infrastructure sectors, IT security has too often been either, at best, addressed as an afterthought in the product development cycle or, at worse, simply neglected. While appropriate policy responses will depend on a fuller accounting of this outbreak’s attribution, an inescapable conclusion is that we must immediately address the insecurities embedded in commercial software,” Warner to Office of Management and Budget Director Mick Mulvaney and Secretary of Homeland Security John Kelly. “This devastating ransomware worm propagates within networks by exploiting a vulnerability in the network protocol that hosts running Windows operating systems used for providing shared access. As you know, Microsoft issued a security update to remediate this vulnerability two months ago. Ensuring that patches are implemented in a timely, and secure, manner is an entirely different matter, however.”

(Photo via Jeroen Bennink's Flickr. Image taken on Feb. 6, 2017 and used per Creative Commons 2.0 license. The photo was cropped to fit 9x16 aspect ratio.)

Related