The massive malware attack that paralyzed an estimated 300,000 computers — and counting — is putting the spotlight on whether governments should be hoarding zero-day computer exploits.
The crippling attack has wreaked havoc on some hospitals, transport systems, phone companies and assembly lines around the world, and according to experts, is still on the warpath.
Brad Smith, Microsoft's president and chief legal officer, came out swinging against the National Security Agency on Sunday, alleging the attack used exploits that were stolen from the agency earlier this year.
That echoes the reporting of cyber security researchers, who have said WannaCry was one exploit stockpiled by the NSA and that it became public when it leaked as part of the Shadow Brokers disclosures.
"This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem. This is an emerging pattern in 2017," Smith said in a statement. "We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage."
He likened the situation to what would happen, hypothetically, if the U.S. military had some of its Tomahawk missiles stolen.
"The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits," he said.
Microsoft called for a "Digital Geneva Convention" in February, asking for governments to report vulnerabilities to vendors, rather than stockpiling, selling or even using them.
Jeremiah Grossman, chief of security strategy at SentinelOne, told NBC News this instance may serve as a huge lesson in driving the conversation.
"Effectively, what Microsoft is saying is they don't want any government hoarding zero days because of situations like this," Grossman told NBC News. "We have to protect the nation and have to protect people first, but they had a leak."
While it looked to Grossman like Smith, of Microsoft, "came out swinging" at the National Security Agency, he said we shouldn't expect to hear anything concrete from the highly secretive group.
"We are not going to get a response unless it is in their best interest, and in this case, I can't imagine a narrative where it is," Grossman said.
Josh Feinblum, vice president of information security at cyber security firm Rapid7, told NBC News the WannaCry debacle speaks to a "broader industry challenge."
"I think that this exploit would have existed whether the NSA had discovered it or not," Feinblum said. "It's easy to want to pass blame, but I think it is a cost of operating in such a highly technological society and we just have to do a better job in figuring out how to get our environment secure."