Microsoft Faulted Over Ransomware While Shifting Blame to NSA

Microsoft Faulted Over Ransomware While Shifting Blame to NSA

(Bloomberg) -- There's a blame game brewing over who's responsible for the massive cyberattack that infected hundreds of thousands of computers. Microsoft Corp. is pointing its finger at the U.S. government, while some experts say the software giant is accountable too.The attack started Friday and has affected computers in more than 150 countries, including severe disruptions at Britain's National Health Service. The hack used a technique purportedly stolen from the U.S. National Security Agency to target Microsoft's market-leading Windows operating system. It effectively takes the computer hostage and demands a $300 ransom, to be paid in 72 hours with bitcoin.

Microsoft President and Chief Legal Officer Brad Smith blamed the NSA's practice of developing hacking methods to use against the U.S. government's own enemies. The problem is that once those vulnerabilities become public, they can be used by others. In March, thousands of leaked Central Intelligence Agency documents exposed vulnerabilities in smartphones, televisions and software built by Apple Inc., Google and Samsung Electronics Co. 

The argument that it's the NSA's fault has merit, according to Alex Abdo, staff attorney at the Knight First Amendment Institute at Columbia University. Still, he said Microsoft should accept some responsibility. 

"Technology companies owe their customers a reliable process for patching security vulnerabilities,'' he said. ``When a design flaw is discovered in a car, manufacturers issue a recall. Yet, when a serious vulnerability is discovered in software, many companies respond slowly or say it’s not their problem.''

Microsoft released a patch for the flaw in March after hackers stole the exploit from the NSA. But some organizations didn't apply it, and others were running older versions of Windows that Microsoft no longer supports. In what it said was a  “highly unusual“ step, Microsoft also agreed to provide the patch for older versions of Windows, including Windows XP and Windows Server 2003. 

In 2014, Microsoft ended support for the highly popular Windows XP, released in 2001 and engineered beginning in the late 1990s, arguing that the software was out of date and wasn't built with modern security safeguards.  The company had already been supporting it longer than it normally would have because so many customers still used it and the effort was proving costly. Security patches would be available for clients with older machines, but only if they paid for custom support agreements.

But with Microsoft making an exception this time and providing the patch free to XP users, it may come under pressure to do the same next time it issues a critical security update. (These are the most important patches that the company recommends users install immediately). That could saddle the company with the XP albatross for many years past when it hoped to be free from having to maintain the software. The precedent may impact other software sellers too.

"They're going to end up going above and beyond and some vendors are going to start extending support for out-of-support things that they haven't done before," said Greg Young, an analyst at market research firm Gartner Inc. ``That's going to become a more common practice.''

Some intelligence agency experts also questioned Microsoft's NSA argument, saying it's unreasonable for the company to ask governments to stop using its products as a way to attack and monitor enemies. 

"For Microsoft to say that governments should stop developing exploits to Microsoft products is naive," said Brian Lord, a managing director at PGI Cyber and former deputy director at the Government Communications Headquarters,  one of the U.K.'s intelligence agencies. "To keep the world safe these things have to be done."

He said that intelligence agencies tended to be good and responsible stewards of the hacks and exploits they develop. "Occasionally mistakes happen," he added.

--With assistance from Gerrit De Vynck and Jeremy Kahn

Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish