Microsoft slams spy agencies for 'stockpiling' vulnerabilities

The tech giant's chief counsel calls the WannaCry attack a "wake-up call" for greater communication on vulnerabilities.

Steven Musil Night Editor / News

Microsoft legal chief Brad Smith says governments should share software vulnerabilities with vendors instead of keeping them secret.

Jean-Christophe Verhaegen/AFP/Getty Images

Microsoft is criticizing government agencies for hoarding software flaws and keeping them secret, calling a massive, new ransomware attack a "wake-up call" to this problem.

Brad Smith, Microsoft's chief counsel, said Sunday in a company blog post that by keeping software vulnerabilities secret from vendors, governments expose users to attacks like Friday's WannaCry (also called WannaCrypt or WanaCrypt) outbreak, in which malware encrypted files on computers worldwide and demanded hefty ransoms to unlock them.

He also compared both WikiLeaks' release of CIA hacking tools in March and last month's theft of a Windows exploit from the National Security Agency to the theft of weapons from the US military. The stolen NSA exploit is directly tied to WannaCry: the ransomware used it to spread from machine to machine over Windows' SMB file-sharing service, targeting a flaw Microsoft had already patched in March.

"An equivalent scenario with conventional weapons would be the US military having some of its Tomahawk missiles stolen. And this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cybersecurity threats in the world today -- nation-state action and organized criminal action," Smith said.

"The governments of the world should treat this attack as a wake-up call. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits."

This isn't the first time US spy agencies have been accused of knowing about vulnerabilities and keeping them secret. The NSA reportedly knew of the Heartbleed bug for at least two years and exploited it for intelligence gathering before the flaw was publicly disclosed in 2014.

The WannaCry attack has hit computers around the world, but hospitals in the UK have attracted the most attention because lives are at risk when hospital systems are locked down. As of Sunday morning, more than 100,000 organizations in at least 150 countries had been affected, according to Europol, the European Union's police agency.

Ransomware is malware that encrypts a victim's files and demands payment for the key needed to decrypt them, often under threat that the files will be deleted permanently if a deadline passes. Attacks of this kind have spiked in the last year, jumping from 340,665 in 2015 to 463,841 in 2016, according to online security company Symantec. The health care industry has become a major target, with ransomware making up more than 70 percent of malware attacks against hospitals, pharmacies and insurance agencies.
