U.S. intelligence agencies are hoarding vulnerabilities and companies like Microsoft are saying: Stop.
Intelligence agencies may thrive on the clandestine work of gathering multiple vulnerabilities, but the reality is that in today’s instant social media world, with WikiLeaks, Edward Snowden and Anonymous to name a few, secrets are very hard to keep, and hanging on to a cache of zero-days is almost impossible.
WannaCry started with the National Security Agency (NSA) finding the Windows vulnerability and not sharing it with Microsoft. It continued with the agency building EternalBlue to exploit this bug. The next step was the Shadow Brokers hacker group somehow getting its hands on classified documents and releasing them online. The last step came after attackers looked through the release and understood the Microsoft vulnerability: they created the WannaCry malware, which mixes ransomware features with worm capabilities.
Therefore, at the base of it all sits the NSA’s desire to have as many undiscovered vulnerabilities on hand as possible. This has been an issue for years, but it became evident back in 2014 with the Edward Snowden NSA release.
“Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage,” Brad Smith, president and chief legal officer at Microsoft, said in a blog post. “An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today – nation-state action and organized criminal action.”
The company urged governments across the globe to adhere in cyberspace to the same rules applied to weapons in the physical world, and to consider the damage to civilians that comes from hoarding these vulnerabilities and using these exploits.
“This attack demonstrates the degree to which cybersecurity has become a shared responsibility between tech companies and customers,” Smith said. “The fact that so many computers remained vulnerable two months after the release of a patch illustrates this aspect.”