Governments must start taking cyber security as seriously as physical military security, according to Microsoft’s president, in the wake of the attack which affected the NHS on Friday.
IT professionals have worked over the weekend to reverse the damage done by the WannaCry ransomware, which encrypted files on computers running Microsoft software.
But Brad Smith, Microsoft’s president and chief legal officer, in a blog post, attacked governments for “stockpiling vulnerabilities”.
He said: “This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world.
“Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage.”
He said that the attack, which affected organisations around the world, was equivalent to Tomahawk missiles being stolen from the military.
“The governments of the world should treat this attack as a wake-up call,” Smith said.
“They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world.”
In February, Microsoft called for a new “Digital Geneva Convention” to govern these issues, including a new requirement for governments to report vulnerabilities to suppliers, rather than “stockpile, sell or exploit them”.
Calling the WannaCry incident a “wake-up call”, Smith said: “We should take from this recent attack a renewed determination for more urgent collective action. We need the tech sector, customers, and governments to work together to protect against cybersecurity attacks.”
Mark Skilton, part-time professor of practice in information systems management and innovation at Warwick Business School, said that Microsoft was right to make its call for joined-up governance.
He said: “The risk and impact of cyber weapons can do the same or more harm than physical weapons. It can indirectly kill patients, change traffic controls, alter car onboard steering systems, change election outcomes and more.
“With the rapid rise of the connected digital society, with wearables, automated travel and your privacy and life in full digital view, security is a huge problem.
“Governing the digital world is much harder as the identity of people and things is obfuscated, partly due to the paradox of the need for privacy, but also from the nature of digital data that is re-coded, redactable and transmutable.”
Over the weekend, Microsoft took the unusual step of releasing a patch to fix the vulnerability on Windows XP systems.
The firm stopped support for XP in 2014, but the UK government paid for a year’s extension to give departments and organisations time to migrate to newer systems.
In May 2015, a statement from the Government Digital Service said: “All departments have had seven years warning of the 2014 end of normal support and this one year agreement was put together with the support of technology leaders to give everyone a chance to get off XP.”
GDS said at the time that it expected that remaining government devices using XP would “be able to mitigate any risks, using guidance from the Communications Electronic Security Group.
“Where this is not possible, they may need to review their own short term transition support.”
In an anonymous briefing to The Sun newspaper, a government minister laid the blame for the security breach firmly at the door of NHS trusts.
The minister was reported as saying: “All the trusts were told very clearly to stop using unsupported software, and several times.
“From April, it was even in their contracts.
“They didn’t. So it is pretty rich when they then turn round and then try to blame us.”
Yesterday, the NHS released documentation for organisations affected by the incident.
It recommended that organisations download the new patch and apply it before reconnecting to the national network.
How the infection made its way onto NHS systems is still unknown.
However, Talal Rajab, head of the cyber and national security programme at industry body TechUK, said: “The way these attacks work means that, although there has been no indication of a new wave of the ransomware spreading, there remains the possibility of existing infections from the malware spreading within networks.
“With new, sophisticated means of sending malware, the challenge for organisations is more than just about training employees to ensure that they do not click on infected emails or visit malicious websites.
“The risk of being infected by malware should be minimised by keeping software up-to-date, using the latest anti-virus software and backing up data that matters most.”
Jim Beagle, president of data management firm Bridgehead, which has a number of NHS clients, said: “I think that the speed with which most NHS facilities got back up and running is testament to the robust processes for disaster recovery that they had in place.”