Microsoft Accuses Federal Government of Stockpiling Cyber-Vulnerabilities

This is an interesting twist on things that I did not realize had happened, see Microsoft slams U.S. government for 'stockpiling' cyberattack vulnerabilities.

This coming from Brad Smith, Microsoft's president, in a corporate blog post. Quoting from a Puget Sound Business Journal story:

"In a corporate blog post Sunday, Microsoft President and Chief Legal Officer Brad Smith said the attack exposed the problem the world faces because governments are stockpiling such vulnerabilities, which has become invitations for hackers to steal them.

'Finally, this attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem. This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage,' Smith said.

'An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today — nation-state action and organized criminal action,' Smith said.

The virus, which first hit victims around the globe last week, exploits a vulnerability in Microsoft’s Windows operating system. The vulnerability was discovered by the NSA. It was later stolen by hackers, who publicized it online.

Smith said that Microsoft has been working to fix vulnerabilities to Microsoft products, including building a team of 3,500 security engineers who act as “first responders” to hacks. Smith called for governments to sign a treaty agreeing to report vulnerabilities to vendors, rather than stockpiling, selling or exploiting them.

The governments of the world should treat this attack as a wake-up call, Smith said.

'They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits,' Smith said."