NSA-blaming Microsoft also at fault in hack, experts say
There’s a blame game brewing over who’s responsible for the past week’s cyberattack that infected hundreds of thousands of computers. Microsoft is pointing the finger at the U.S. government, while some experts say the software giant is accountable, too.
The attack started Friday and has affected computers in more than 150 countries, including severe disruptions at the United Kingdom’s National Health Service. The hack used a technique purportedly stolen from the U.S. National Security Agency to target Microsoft’s market-leading Windows operating system. It effectively takes the computer hostage and demands a $300 ransom, to be paid in 72 hours with the bitcoin digital currency.
Microsoft President and Chief Legal Officer Brad Smith blamed the NSA’s practice of developing hacking methods to use against the government’s enemies. The problem is that once those vulnerabilities become public, they can be used by others. In March, thousands of leaked Central Intelligence Agency documents exposed vulnerabilities in smartphones, televisions and software built by Apple, Google and Samsung Electronics.
The argument that it’s the NSA’s fault has merit, according to Alex Abdo, staff attorney at the Knight First Amendment Institute at Columbia University. Still, he said, Microsoft should accept some responsibility.
“Technology companies owe their customers a reliable process for patching security vulnerabilities,” he said. “When a design flaw is discovered in a car, manufacturers issue a recall. Yet, when a serious vulnerability is discovered in software, many companies respond slowly or say it’s not their problem.”
Microsoft released a patch for the flaw in March after hackers stole the exploitable feature from the NSA. But some organizations didn’t apply the patch, and others were running older versions of Windows that Microsoft no longer supports. In what it said was a “highly unusual” step, Microsoft also agreed to provide the patch for older versions of Windows, including Windows XP and Windows Server 2003.
In 2014, Microsoft ended support for the highly popular Windows XP, released in 2001 and engineered beginning in the late 1990s, arguing that the software was out of date and wasn’t built with modern security safeguards. The company had already been supporting it longer than it normally would have because so many customers still used it, and the effort was proving costly. Security patches would be available for clients with older machines, but only if they paid for custom support agreements.
But with Microsoft making an exception this time and providing the patch free to XP users, it may come under pressure to do the same next time it issues a critical security update. (These are the most important patches that the company recommends users install immediately.) That could saddle the company with the XP albatross for many years past when it hoped to be free from having to maintain the software. The precedent may affect other software sellers too.
“They’re going to end up going above and beyond and some vendors are going to start extending support for out-of-support things that they haven’t done before,” said Greg Young, an analyst at market research firm Gartner Inc. “That’s going to become a more common practice.”
On Monday, private-sector sleuths found a clue about who might be responsible for the WannaCry attack. A researcher from Google posted on Twitter that an early version of WannaCry from February shared some of the same programming code as malicious software used by the Lazarus Group, the alleged North Korean government hackers behind the destructive attack on Sony Corp. in 2014 and the theft of $81 million from a Bangladesh central bank account at the New York Fed last year. Others subsequently confirmed the Google researcher’s work.
On its own, the shared code is little more than an intriguing lead. Once malicious software is in the wild, it is commonly reused by hacking groups, especially nation-states trying to leave the fingerprints of another country. But in this case, according to Kaspersky Lab, the shared code was removed from the versions of WannaCry that are currently circulating, which reduces the likelihood of such an attempt at misdirection. Some security researchers speculated that if the perpetrators were North Korean, the goal may have been to cause a widespread Internet failure to coincide with last weekend’s latest missile test.
As for Microsoft, some intelligence agency experts questioned its NSA criticism, saying it’s unreasonable for the company to ask governments to stop using its products as a way to attack and monitor enemies.
“For Microsoft to say that governments should stop developing exploits to Microsoft products is naive,” said Brian Lord, a managing director at PGI Cyber and former deputy director at the Government Communications Headquarters, one of the U.K.’s intelligence agencies. “To keep the world safe, these things have to be done.”
He said intelligence agencies tended to be good and responsible stewards of the hacks and exploitable features they develop. “Occasionally mistakes happen,” he added.