The Hill: Microsoft calls for end of government hacking techniques

May 14, 2017
In The News
The Hill: Microsoft calls for end of government hacking techniques

On the heels of a widespread ransomware attack that may have used leaked National Security Agency hacking methods, Microsoft is calling for governments to cease stockpiling secret means of bypassing software security.

"Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen," wrote Brad Smith, president and chief legal officer at Microsoft, on a company blog Sunday evening.

WanaDecrypt0r, alternately known by names like Wanna Cry, struck hundreds of thousands of computers in more than 100 nations since the attack began Friday morning, with victims ranging from hospitals in the U.K. to a telecom in Spain, U.S.-based FedEx to the Russian Ministry of the Interior.

WanaDecrypt0r was so virulent in part because it used a Windows hacking tool that appears to have been stolen and leaked from the NSA. Though Microsoft had patched the security hole in Windows that tool used in March before it was leaked in April, businesses often lag in installing updates for reasons including industry-specific software being incompatible with the most current version of operating systems.

"[I]n February [we called] for a new "Digital Geneva Convention" to govern these issues, including a new requirement for governments to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them," wrote Smith.

By reporting bugs instead of using them to conduct hacking espionage, manufacturers would be able to increase cybersecurity for all of its users -- but that would come at the cost of intelligence and sabotage operations.

There have been rules concerning under which circumstances U.S. agencies can keep security vulnerabilities they discover secret. The Obama administration set up the Vulnerability Equities Process (VEP) to require agencies to presume they will report software flaws they discover to manufacturers. It also gave the option of arguing to third-party panel why they should keep a vulnerability secret.

The VEP is opaque. It is varying degrees of unclear how good agencies were at following it, how often vulnerabilities were kept or whether the Trump administration changed any standards.

Legislators have toyed with the idea of codifying the Obama rules in the past.

On Friday, as WanaDecrypt0r raged out of control, Rep. Ted Lieu (D-Calif.) touted legislation he was creating with "industry stakeholders" that would make the process more transparent.

"It is deeply disturbing the National Security Agency likely wrote the original malware," wrote Lieu in a statement.

Issues:National Security and Foreign Affairs
Congressman Lieu
Washington DC Office
2454 Rayburn HOB
Washington, DC  20515
Phone: (202) 225-3976
Manhattan Beach Office (By Appointment Only)
1600 Rosecrans Avenue, 4th Floor
Manhattan Beach, CA  90266

 

Our Manhattan Beach office is not regularly staffed and is by appointment only. Please contact our office to schedule an appointment there.

Los Angeles Office
1645 Corinth Ave, Suite 101
Los Angeles, CA  90025
Phone: (323) 651-1040