Microsoft President Urges Nuclear-Like Limits On Cyberweapons | KUOW News and Information

May 16, 2017
Originally published on May 16, 2017 7:18 am

Microsoft has had a whirlwind last few days. The company's Windows operating system was the target of a massive cyberattack that took down hundreds of thousands of computers across 150 countries. While it's too soon to say the worst is over — there could be another wave — the president of the company does have two big takeaways.

One takeaway is sexy and edgy. The other is boring, plain vanilla — but no less important to Brad Smith, president of Microsoft.

Let's start there.

Simple maintenance would solve a lot of problems

"We need to make it as easy as we can for people to patch their systems, and then customers have to apply those patches," Smith says.

Patching! That's it. Instead of hitting "ignore, ignore" when a pop-up on your screen asks, "Do you want to install a critical update and reboot?" you should just do it. Two months ago, Microsoft released the patch that could have prevented the outbreak. But because so many companies didn't apply it, the so-called WannaCry attack spread like cholera.

Some victims were using computers that run on Windows XP, a 16-year-old operating system. In digital years, that's old.

"It's worth remembering that Windows XP not only came out six years before the first iPhone. It came out two months before the very first iPod. Think about how antiquated that feels to us today," Smith says.

Because this attack is so contagious — it self-propagates, slithering from computer to computer without any human help — Microsoft decided it had to build a patch for that antique system too. Microsoft also found itself giving tech support to one more unusual group: thieves, people who used pirated, illegal copies of Windows.

Smith does not want to make a habit of that, but he says, "It was the right thing to do for this particular incident."

Microsoft calls for a "Digital Geneva Convention"

The Microsoft president's second takeaway is not about what businesses of every size need to do. It's about what intelligence agencies, like the CIA and the NSA, need to do.

"A lot has changed in the world just in the last 12 months," Smith says. "We've seen a huge focus on nation-state hacking by other countries including Russia and North Korea."

According to a New York Times report, North Korea may be behind this recent attack. And according to many security researchers, the attack method was first developed inside the National Security Agency. Criminals got a hold of it and tweaked it.

Many countries are racing to create more cyberweapons. Smith says there's a real risk that criminals will steal them. He'd like governments to limit the creation of cyberweapons, just like they did for nuclear weapons. Microsoft wants a "Digital Geneva Convention," he explains, "something that would commit governments to do less hoarding of exploits and vulnerabilities [and] do more to work with software vendors so that we can all keep systems secure."

Meaning, as he wrote in a blog post this past weekend, agencies like the NSA should have a "new requirement" to report vulnerabilities they find to software makers like Microsoft, instead of stockpiling or selling or exploiting them.

"This is not yet a conversation that has even begun, at least with the general public," Smith says.

McAfee exec sees some need for stockpiling cyberweapons

Steve Grobman, chief technology officer at McAfee, which makes the popular antivirus software, disagrees with Smith. "Microsoft has a very strong position that is an absolute, whereas my position is a little bit more balanced," Grobman says.

He says governments should stockpile cyberweapons in some instances. For example, the U.S. is fighting a war and the military needs to take down a power plant, and there are only two options: "to drop a bomb on it, or to use a cyberattack to temporarily disable it. The cyberattack can, in many cases, limit the amount of loss of life," he says.

Clearly, there is a difference of opinion among tech leaders. Though Grobman agrees with his colleague at Microsoft: These last few days, battling the WannaCry attack, have been very long.

Copyright 2017 NPR. To see more, visit http://www.npr.org/.

DAVID GREENE, HOST:

It's been quite a whirlwind the last few days for Microsoft. That company's operating system, Windows, was the target of a massive cyberattack that took down hundreds of thousands of computers across 150 countries. While it's too soon to say the worst is over - I mean, there could be another wave - the president of the company does have two big takeaways which he shared with NPR's Aarti Shahani.

AARTI SHAHANI, BYLINE: One takeaway is sexy, edgy. The other is boring, plain vanilla, but no less important to Brad Smith, the president of Microsoft. Let's start there.

BRAD SMITH: We need to make it as easy as we can for people to patch their systems, and then customers have to apply those patches.

SHAHANI: Patching - that's it. Instead of hitting ignore, ignore when a pop-up on your screen asks you do you want to install a critical update and reboot? You should just do it. Back in March two months ago, Microsoft released the patch that could have prevented the outbreak. But because so many companies didn't apply it, the so-called WannaCry attack spread like cholera. Some victims were using computers that run on Windows XP, a 16-year-old operating system. In digital years, that's old.

SMITH: It's worth remembering that Windows XP not only came out six years before the first iPhone, it came out two months before the very first iPod. And think about how antiquated that feels to us today.

SHAHANI: Because this attack is so contagious - it self-propagates, slithering from computer to computer without any human help - Microsoft decided it had to build a patch for that antique system, too. Microsoft also found itself giving tech support to one more unusual group, thieves, people who use pirated, illegal copies of Windows. Now, Smith does not want to make a habit of that, but...

SMITH: It was the right thing to do for this particular incident.

SHAHANI: The Microsoft president's second takeaway is not about what businesses need to do. It's about what intelligence agencies like the CIA and the NSA need to do.

SMITH: I think a lot has changed just in the last 12 months, and we've seen a huge focus on nation-state hacking by other countries, including Russia and North Korea.

SHAHANI: According to a New York Times report, North Korea may be behind this recent attack. And according to many security researchers, the attack method was first developed inside the NSA. Criminals got a hold of it and tweaked it. Many countries are racing to create more cyber weapons. Smith says there's a real risk which we just witnessed that criminals will steal them. He'd like governments to limit the creation of cyber weapons, just like we did for nuclear weapons. Microsoft wants a digital Geneva Convention.

SMITH: Something that would commit governments to do less of hoarding of exploits and vulnerabilities, do more to work with software vendors so that we can all keep systems secure.

SHAHANI: Meaning, as he wrote in a blog post this past weekend, agencies like the NSA should have a new requirement to report vulnerabilities they find to software-makers like Microsoft instead of stockpiling or selling or exploiting them.

SMITH: This is not a conversation that has even begun at least with the general public.

STEVE GROBMAN: Microsoft has a very strong position that is an absolute whereas my position is a little bit more balanced.

SHAHANI: Steve Grobman is chief technology officer at McAfee which makes the popular anti-virus software. He says governments should stockpile cyber weapons in some instances. Say we're fighting a war and our military needs to take down a power plant, and there are only two options.

GROBMAN: To drop a bomb on it or to use a cyberattack to temporarily disable it. The cyberattack can in many cases limit the amount of loss of life.

SHAHANI: Clearly, there is a difference of opinion among leaders. Though he agrees with his colleague over at Microsoft: These last few days battling the WannaCry attack have been very long. Aarti Shahani, NPR News, San Francisco.

(SOUNDBITE OF SYNTHETIC EPIPHANY'S "THE CATALYST") Transcript provided by NPR, Copyright NPR.