Microsoft to governments: Stop hoarding vulnerabilities


Microsoft is full of surprises lately: first they issued patches for unsupported versions of Windows, then they publicly criticized the NSA for hoarding knowledge about critical software vulnerabilities (and exploits for them).


“We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen,” Brad Smith, Microsoft President and Chief Legal Officer, pointed out.

“The governments of the world should treat [the WannaCry attack] as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits.”

He then renewed the company’s call for a “Digital Geneva Convention” (first issued in February 2017), which would “commit governments to protecting civilians from nation-state attacks in times of peace.”

This commitment would also require governments to report vulnerabilities to vendors, instead of stockpiling or exploiting them.

Everybody has to do their part

Microsoft, for its part, is making a concerted effort to address security issues as quickly as possible, and develop “further steps to help ensure security updates are applied immediately to all IT environments.”

But as a vigorous online discussion among information security professionals showed, patching systems in the real world is not as easy as it sounds in theory – there are many other things that need to be fixed before that can happen.

But Microsoft is partly right: this latest incident shows that every stakeholder – governments, legislators, standards bodies, tech companies, businesses, users – has to do their part.

Blaming others is easy. Working to fix this situation will be hard, and especially so if the stakeholders don’t make a collective, coordinated effort.

But can that become a reality? The relatively recent IoT-fuelled DDoS attack on Dyn showed that everybody is still dragging their feet. Let’s hope that we’ll not have a lot of similar attacks before decisive steps are taken to fix things.

In the meantime, users are still stuck with doing their best to mitigate threats to their systems.