Who is to Blame in Cyber Security Breaches – Tech Companies or Governments?
Date : Aug 20, 2017 Author : Rahul Singh Category : Technology
Microsoft blames the NSA and national governments for ‘hoarding’ security vulnerabilities
The world is still reeling from the massive WannaCry ransomware attack that affected national health services, educational institutions, banks, and corporate organizations. The first response from affected parties was to contain the damage as much as possible. Now, as more details about the origin of the attack and its after-effects come to light, organizations have begun issuing official responses.
The first out of the gate is tech giant Microsoft, which released an emergency software patch for its Windows XP operating system even though it officially ended support for Windows XP three years ago. The company has also published a strongly worded blog post about the attacks in which it criticizes national governments for ‘hoarding’ information they hold about vulnerabilities in widely used software instead of reporting them to the vendor. It even compares the WannaCry attack to the U.S. armed forces ‘having some of their Tomahawk missiles stolen’.
Microsoft believes that WannaCry exploited a vulnerability that was known to the NSA and was stolen from it, and it draws a parallel with the CIA vulnerabilities that earlier surfaced in documents published by WikiLeaks. The company feels that national governments should treat this attack as a ‘wake-up call’ and consider the damage that the hoarding of vulnerabilities can cause civilians. Microsoft strongly advises governments to adopt the "Digital Geneva Convention" that it had proposed back in February 2017.
The Convention would add a new stipulation: a mandatory requirement for governments to report any vulnerability they discover to the vendor, as opposed to stockpiling, selling, or exploiting it in any manner whatsoever. However, the entire blame cannot be put on governments alone. Microsoft has also advised customers to keep their end of the bargain.
The company has said that cyber security is slowly but surely becoming a shared responsibility between customers and tech companies: vendors can ship fixes, but they rely on customers to actually install the latest software and security patches. By keeping their systems current, country-wide networks such as the UK NHS will be far better protected against what Microsoft calls the two most serious threats in cyber security today: organized criminal action and nation-state action.
In the U.S., the Trump administration has convened an emergency meeting to discuss the ongoing ransomware attack. According to Europol, it has already affected more than 200,000 computers in 150 nations. In the United Kingdom, WannaCry disrupted National Health Service systems, and experts have issued an ominous warning that there could be a second wave of attacks using ransomware variants that current defenses do not yet detect.
While Microsoft can only advise its customers to keep systems updated, the onus lies with governments, corporates and customers to actually do so. The NHS provides the clearest example of this. The service has seen numerous budget cutbacks, and the UK health minister refuses to discuss the security (or lack of it) of the huge and somewhat archaic network used across the country.
It is not hard to fathom similar organizations across the world becoming ripe targets for increasingly sophisticated and organized cyber security attacks unless they truly pull up their socks and become proactive instead of reactive.