The "WannaCrypt" ransomware (also called WannaCry) has proven to be a disaster globally. This malware encrypts a user's files and then demands a ransom in Bitcoin to decrypt them. While the amount being demanded is relatively low at $300 or $600, the same scheme could just as easily be run for much larger sums. Heck, even after the ransom is paid, there is no guarantee that the bad guys will follow through with the decryption, making it quite the gamble. As the ransomware has disrupted government agencies, medical services, and other critical computers, the ransom is being paid by some, as it can literally be the difference between life and death -- surgeries and other procedures have been delayed.
While there are many directions in which you can point the finger of blame, Microsoft should absolutely not shoulder any of the responsibility. After all, the vulnerability that led to the disaster -- a flaw in the SMBv1 file-sharing protocol, fixed in security bulletin MS17-010 -- was patched back in March. Windows 10 machines that had taken that update were not affected, and the worm's exploit was aimed at older versions of the operating system. The company has even since patched the archaic Windows XP! So who is to blame? Users and administrators that failed to keep their systems up to date are partially at fault. The biggest blame belongs to an unlikely party -- the US Government! You see, an agency of our own government -- the NSA -- knew about the vulnerability, and rather than alert Microsoft, it chose to stockpile it for intelligence purposes. Sadly, the exploit itself was stolen and published online by the group calling itself the Shadow Brokers, and as a result, it landed in the hands of evildoers.
"This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem. This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today – nation-state action and organized criminal action," says Brad Smith, President and Chief Legal Officer, Microsoft.
Smith further says, "The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits. This is one reason we called in February for a new 'Digital Geneva Convention' to govern these issues, including a new requirement for governments to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them. And it's why we've pledged our support for defending every customer everywhere in the face of cyberattacks, regardless of their nationality. This weekend, whether it's in London, New York, Moscow, Delhi, Sao Paulo, or Beijing, we're putting this principle into action and working with customers around the world."
Is Microsoft putting all the blame on government agencies such as the NSA and CIA? No. In a classy move, Microsoft does take some responsibility for the disaster, calling itself out first and foremost. In fact, even as the Windows-maker points to IT administrators and users that failed to update systems, it too says it could have done a better job in helping them along. Smith says as much below.
"At the same time, we have a clear understanding of the complexity and diversity of today's IT infrastructure, and how updates can be a formidable practical challenge for many customers. Today, we use robust testing and analytics to enable rapid updates into IT infrastructure, and we are dedicated to developing further steps to help ensure security updates are applied immediately to all IT environments."
As people continue to decry the Windows 10 policy of "forced updates," this ransomware shows us that Microsoft had the right idea all along. On an increasingly dangerous internet, it is imperative that machines are constantly being updated to address new threats. Heck, if every Windows machine had been on the most recent version, Windows 10, with its updates applied, WannaCrypt would have had nothing to spread through.
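For administrators who want to know where a given machine stands on the two points above (the March MS17-010 patch, and the SMBv1 protocol the worm spreads over), here is an added PowerShell check. It is not from the article or from Microsoft; the KB numbers it looks for are the MS17-010 updates for a few common editions and are an assumption you should confirm against the bulletin for your own edition, and the `Test-*` function names are this example's own.

```powershell
# Added example, not code from the article. Run in an elevated PowerShell on
# the host you want to inspect. Two questions: is the MS17-010 fix installed,
# and is the SMBv1 server still switched on? A host that answers "no" and "yes"
# is exposed to the exploit WannaCrypt used.

# Assumption: MS17-010 KB numbers for a few common editions. The bulletin lists
# a different KB per edition, and later cumulative updates supersede these, so
# an empty match is a prompt to investigate, not proof of being unpatched.
$Ms17010Kbs = @(
    'KB4012598',   # Windows XP / Server 2003 / Vista / Server 2008 / 8 (out-of-band, May 2017)
    'KB4012212',   # Windows 7 SP1 / Server 2008 R2, security-only update
    'KB4012215'    # Windows 7 SP1 / Server 2008 R2, monthly rollup
)

function Test-Ms17010Installed {
    param([string[]]$KbIds = $Ms17010Kbs)
    # Get-HotFix reads the installed-updates list that Windows Update maintains.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    $found = $installed | Where-Object { $KbIds -contains $_ }
    return [bool]$found
}

function Test-Smb1ServerEnabled {
    # Preferred check on Windows 8 / Server 2012 and newer.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        return [bool](Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Fallback for Windows 7 / Server 2008 R2, which lack the SMB cmdlets:
    # the LanmanServer "SMB1" value. Absent means enabled (the default).
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue
    if ($null -eq $val) { return $true }
    return ($val.SMB1 -ne 0)
}

function Get-WannaCryptExposure {
    $patched = Test-Ms17010Installed
    $smb1    = Test-Smb1ServerEnabled
    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        Ms17010Found     = $patched
        Smb1ServerOn     = $smb1
        # Exposed only when SMBv1 is reachable and no matching fix was found.
        Exposed          = ($smb1 -and -not $patched)
    }
}

$report = Get-WannaCryptExposure
$report | Format-List

if ($report.Smb1ServerOn) {
    Write-Warning 'SMBv1 server is enabled. To turn it off on this host:'
    Write-Warning '  Set-SmbServerConfiguration -EnableSMB1Protocol $false   (Win 8 / 2012+)'
    Write-Warning '  Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters -Name SMB1 -Type DWORD -Value 0   (Win 7 / 2008 R2, then reboot)'
}
if (-not $report.Ms17010Found) {
    Write-Warning 'No MS17-010 KB from the list was found; install the update for this edition.'
}
```

Disabling SMBv1 is the more durable of the two fixes: it removes the protocol the worm spreads over, independent of which patch level the host is on, though it will break access from very old clients that speak nothing newer. Blocking inbound TCP port 445 at the network edge is the complementary control, since the worm scanned the internet as well as local networks for that port.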
Of course, another way this could have been avoided is if the US Government chose to protect the US people by informing Microsoft, as opposed to keeping the vulnerability secret to infiltrate the computers of potential enemies. True, it can be argued that data collected from accessing enemy computers with a vulnerability could potentially keep US citizens safe too. Still, WannaCrypt shows that the risks far outweigh the benefits.
We need all governments to work with technology companies -- not against them. Don't you agree?