
With at least a couple hundred thousand computers worldwide affected so far by the cyberattack that began Friday, there’s plenty of blame to go around.

Microsoft is blaming the U.S. government.

“This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem,” Brad Smith, Microsoft president and chief legal officer, wrote in a blog post Sunday. “This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world.”

WannaCry, the software that crippled hospital systems, factories, banks, government agencies and transportation systems in 150 countries, is ransomware. It locks up Windows users’ computers, and asks for a $300 ransom to unlock them, paid in bitcoin.

Microsoft had released a patch for the vulnerability earlier this year, but many systems that had not installed the updates were hit.

Tom Bossert, a homeland security adviser to President Trump, said Monday on television that things are “right now, under control” in the United States. He added that “we haven’t ruled out that this is a state attack.”

He agreed with Smith’s statement that the attack should serve as a wake-up call to all about cybersecurity. But he disagreed about where the blame lies.

“Who’s culpable are the criminals that distributed it and the criminals that weaponized it,” Bossert said.

A group of hackers known as the Shadow Brokers said earlier this year that the NSA had tools for breaching the global system that allows for the transfer of money between banks. Microsoft said last month that the vulnerabilities that were exploited had been patched.

“We need the tech sector, customers, and governments to work together to protect against cybersecurity attacks,” Microsoft’s Smith wrote. Tech companies such as Microsoft, Apple, Google and others have been adamant that governments should not have backdoors into their software because the vulnerabilities could fall into the wrong hands. Smith urged the government “to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them,” as the company called for in February when it proposed a new Digital Geneva Convention.

Other experts also blamed the government.

“Whether or not you think the U.S. government should be spending a fortune developing such cyber-weapons, surely it is obvious that the weapons they develop should be properly secured,” said Phillip Hallam-Baker, principal scientist for New Jersey-based cybersecurity firm Comodo, in an emailed statement.

Meanwhile, there is at least one thing the government and security experts agree on: People who have seen the dreaded WannaCry screen should not pay the ransom.

“Our research so far puts into question the ability of WannaCry’s creators to decrypt your files at all,” Check Point Software said in a blog post Sunday. In other words, paying may not guarantee you can again access your files.
