A Microsoft executive sharply criticized a U.S. spy agency Sunday for its role in weaponizing a weakness in Windows and allowing it to be stolen by hackers and used to launch history’s largest ransomware attack.
"This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem," Brad Smith, president and chief legal officer at Microsoft, wrote in the wake of the “WannaCry” computer virus attack, which crippled computers worldwide.
He compared it to the U.S. military having some of its Tomahawk missiles stolen. “And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today — nation-state action and organized criminal action,” he added.
Smith’s criticism comes as the virus continues to spread around the globe, despite the efforts of companies, governments and security experts. Europe’s leading police agency said Sunday that the computer virus had reached an "unprecedented level," claiming 200,000 victims and spreading to at least 150 countries.
With employees returning to work Monday, there were fears that more infections will be discovered. And there were also reports that new variations of the virus were appearing.
In an interview with Britain's ITV, Europol Director Rob Wainwright said a cross-border investigation would be necessary to track down the culprits.
"It is unlikely to be just be one person, I think," he told ITV.
The fast-moving virus, which first hit Friday, exploits a vulnerability in the Windows operating system that had been discovered by the U.S. National Security Agency. That information was stolen by hackers and published online.
In his response, Smith highlighted the work Microsoft has done to improve the security of its products, long a target of criticism in the security community. He said the company now has 3,500 security engineers, many of whom now act as “first responders” in such cases.
The company had released a security update this year to address the vulnerability that the NSA found. But that leads to the next culprit on Smith’s list.
He noted that customers, particularly large organizations and companies, are groaning under the burden of hugely complex systems that have evolved over decades and can be difficult to maintain and upgrade.
“The fact that so many computers remained vulnerable two months after the release of a patch illustrates this aspect,” he wrote. “As cybercriminals become more sophisticated, there is simply no way for customers to protect themselves against threats unless they update their systems. Otherwise they’re literally fighting the problems of the present with tools from the past.”
Indeed, Britain’s National Health Service suffered one of the worst attacks because, in part, many of its systems were running Windows XP, an older version of the operating system that Microsoft had stopped supporting long ago. Over the weekend, the company took the extraordinary step of releasing security updates for XP and other versions it no longer supported.
But Smith saved his harshest words for the NSA and called on international governments and policymakers to rethink their approaches to cybersecurity and cyberspying. In doing so, he joined a chorus of critics who had been pointing fingers all weekend at the NSA.
“The governments of the world should treat this attack as a wake-up call,” Smith said. “They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits.”
In February, Microsoft had called for a “Digital Geneva Convention,” to reach a new international agreement that would push spy agencies to report vulnerabilities to vendors, rather than trying to exploit them for surveillance purposes.
Even with the recent patches, security experts say the makers of the WannaCry virus are still able to target millions of PCs that have not been updated. And while two waves of the attack have been blocked, researchers say it may be impossible to stop new waves.
When the virus finds its way into a PC, data are encrypted and users are told they must pay $300 in electronic money known as bitcoin to receive a key to decrypt it.
On its website, Europol said it is “working closely with affected countries’ cybercrime units and key industry partners to mitigate the threat and assist victims.”
It also said: “The recent attack is at an unprecedented level and will require a complex international investigation to identify the culprits.”
James R. Clapper, who was President Obama’s director of national intelligence, noted on ABC’s “This Week with George Stephanopoulos” that more victims of the attack could surface Monday, when people return to work.
“Well, that's the concern,” he said. He added that it was “a very serious, serious problem” and that more such attacks can be expected.
The 200,000 victims included more than 100,000 organizations, Europol spokesman Jan Op Gen Oorth told the Associated Press. He said it was too early to say who was behind the onslaught and what the motivation was, aside from the obvious demand for money. So far, he said, not many people have paid the ransom demanded by the malware.
The effects were felt across the globe, with Britain's National Health Service, Russia's Interior Ministry and companies including Spain's Telefonica, FedEx Corp. in the U.S. and French carmaker Renault all reporting disruptions.
Chinese media reported Sunday that students at several universities were hit, blocking access to their thesis papers and dissertation presentations. The People’s Daily reported that one student, identified only by the surname Tang, said his computer was hit Friday night and that the ransom note was in several languages, including Chinese, Korean, Japanese and English.
Special correspondent O’Brien reported from Toulouse, France. The Associated Press contributed to this report.
2:55 p.m.: This article has been updated with the letter from Microsoft’s president.
This article was originally posted at 12:10 p.m.