WannaCry, Nation States and What the President of Microsoft Forgot to Mention

In the wake of malware WannaCry infecting hundreds of thousands of computers using a stolen NSA hacking tool, Brad Smith, the President of Microsoft has blamed the nation-states in pursuit of cyber weapons, as a major danger to the people. Brad Smith writes in his blog, “Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage...this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today – nation-state action and organized criminal action.” While this is quite correct, what Brad Smith forgot to mention is Microsoft's responsibility in such hacks and its walking away from older products, opening them to such risks.

NSA's Hacking Tools and WannaCry

First, the critical issue of the US and the leak of its hacking tools. How did a NSA hacking tool end up in the hands of a criminal group and as a part of world's biggest malware attack?

In April this year, a group called Shadow Brokers, dumped online NSA's cache of cyber weapons/hacking tools. These were one of the most sophisticated set of cyber weapons that security experts had ever seen. After the WannaCry outbreak, Shadow Brokers have now announced that they will auction more such tools, presumably to willing criminal gangs like the one behind the WannaCry malware.

Wannacry uses a security hole in the MS Windows operating system. Using a particular NSA hacking tool called EternalBlue, the group behind the Wannacry ransomware, created a worm that could use this security hole, and spread from machine to machine. Once infected, the ransomware encrypts the original files of the machines, and deletes the original files. Only on paying the ransom in $300 in Bitcoin, the encryption key will be provided for restoring the files.

Wannacry is only the first such attack using one such tool. The number of such NSA tools that have been released are large, therefore we are at risk of many such attacks. Wikileaks has also reported CIA's cyber weapons getting hacked, so more such threats are in the offing.

An International Treaty against Cyber Weapons

Smith and Microsoft are now advocating for a Digital Geneva Convention for protecting the world against cyber weapons. This is the path the US refuses to tread, in the belief that with its huge array of hacking tools and cyber weapons, it is far ahead of others. The US tech companies, who have worked closely till now with NSA and CIA, are also realising the risks to their systems from the leaking of US cyber weapons to criminal groups.

It is a welcome sign that they are joining in the calls for banning cyber weapons, calls which have been issued by Russia and China for quite some time. It is the US which has hitherto refused to move in this direction. Mary Ellen O’Connell and Louise Arimatsu observed, “The US, however, was said to have resisted proposals for a treaty. This may relate to US plans to use the Internet for offensive purposes as it is believed to have done regarding the Stuxnet worm. US officials claim publicly that Cyber Command is primarily defensive, but the reluctance to entertain the idea of a cyberspace disarmament treaty is raising questions about the true US position.”

While Brad Smith is asking for a voluntary ban on developing and use of such weapons, Russia and China have been asking for a Treaty modelled on the lines of a ban on chemical weapons.

If intelligence agencies with the resources of a nation state create cyber weapons, what kind of risk does it pose for all of us? NSA's cyber weapons are far superior to what any criminal group can create. That is why its leak poses enormous risks to the computer systems that pretty much run everything in the world today; that is why the demand for a cyber weapon ban, and treating the internet as a non-weaponised space. The same way we treat outer space.

The other threat: proprietary poor quality software with no support

While Microsoft's Brad Smith is correct in his identifying the nation states, in this case NSA, and criminal gangs as the biggest threats to cyber security, he misses the other big threat – buggy and poorly engineered products – from companies such as Microsoft. This is compounded by their abandoning older products with no support, leaving security holes as targets by criminals. For example, Microsoft stopped supporting Windows XP in 2014, putting at risk a variety of users, who still continue to use XP.

Why did Microsoft stop supporting XP? Was it offering a better product to its consumers? No. It offered Windows Vista, which was slower, buggy and had huge compatibility issues with other software and hardware products. The users refused to move to Vista. Microsoft then released its Windows 7, again with the idea of moving people away from XP. All this was simply to get people to pay once again for their operating system, this time with the threat of withdrawing all future support. Microsoft even predicted security threats to the older XP systems – they foresaw a WannaCry scenario -- and used it to scare people into buying their next version, in this case the next-er version of Windows. For Microsoft, the biggest competition to their current operating system is not competition from other vendors, but their own previous systems; that is why the threat of withdrawal of support to older systems.

In 2014, when the Microsoft stopped supporting XP, an estimated 95% of world's ATM's were running on XP. Microsoft's cost of upgrading an ATM was a few hundred dollars to several thousand depending on the maintenance required. In India, it is estimated that even now, 70% of ATM's are running on old, unsupported XP, and thus open to various security threats including WannaCry ransomware.

Why should companies, whose products are still very much in the market with significant shares, be allowed to walk away from their products? Should its monopoly over a certain product allow it to force its users to pay again and again for new software licenses, which quite often add very little to the users? Or in the worst case, as in the Microsoft Vista case, even degrades their performance? The time has come to insist that if a company “abandons” its products, it must open source its software and allow others to provide the support.

In this particular instance, Microsoft did not disclose that their security patches against the zero-day security hole (a hole not yet made public) released in March 2017, did not cover the XP systems. Or that the XP systems were vulnerable to the same zero-day error that it was patching against for other systems.

To their credit, Microsoft did release a patch for XP after it became clear that these systems were also at risk from WannaCry ransomware. But the issue of risks to systems running older unsupported systems still remain. How many of the other three zero-day patches released in March 2017, when they patched their other operating systems, also exist in the XP?

Of course, Free and Open Source Software do not have such issues. They have been far more resistant to hacking than the equivalent Microsoft or other proprietary software. A part of the reason is their code are open, and therefore bugs and holes are fixed far more effectively. The other is that the creators of such software, do not leave secret backdoors in their systems the way Microsoft does. Microsoft has a history of cooperating with US intelligence agencies for providing access; or leaving backdoor for itself, as it wants to spy on users machines for commercial reasons.

How many offices have been visited by Microsoft with remote “audit” and claims that they are running “illegal” software? Without such backdoors, this commercial surveillance is not possible. The recent raids by Microsoft of a number of companies, should convince these and similar companies to switch to free software, and not be on buggy and insecure Microsoft platforms.

Some of the panchayats in Kerala using Microsoft Windows have also been hit by WannaCry; others that used GnuLinux, promoted by the Free Software Movement, are unaffected. For Indian users, who have been reluctant to switch to GnuLinux from their Windows platform, this is another indication of the risk of proprietary software.

Shared responsibility or shirking responsibility

Microsoft's Brad Smith has also talked about the “shared responsibility” of the suppliers and users regarding security. The problem that Brad Smith does not mention is that if you are using Microsoft products, it is not easy to keep your machines protected all the time. The users need to be technically savvy, and not “mind” Microsoft's frequent upgrades of their software, which promptly make something unworkable. Why even tech savvy people do not upgrade their software regularly, is because Microsoft updates are poor, buggy and with security holes. Before asking the users to take responsibility for their machines, Brad Smith needs to ask why are Microsoft products far more prone to such attacks as WannaCry?

Yes, we agree with Brad Smith and Microsoft that we need a new Geneva Convention on keeping cyber space free from weaponised software and hacking by nation states. The leak of such weapons pose enormous risks to the computer systems that are a part of world's vital infrastructure; that is why the demand for a cyber weapon ban, and treating the internet as a non-weaponised space. The same way we treat outer space.

What needs to be added is the responsibility of corporations to provide better software, and not allowing them to walk away from their responsibilities to their customers; either provide continuous support, or make the source code open so that others can support such software. We also need a global regulatory regime that will address such security threats to our vital infrastructure.

Disclaimer: The views expressed here are the author's personal views, and do not necessarily represent the views of Newsclick.