Microsoft’s President and Chief Legal Officer, Brad Smith, says this week’s WannaCry attack “provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem”. And while Smith says Microsoft and other tech companies need to take the lead on combatting these widespread attacks, he highlights the shared responsibility required to protect, detect and respond to threats.
Smith notes in his blog piece that there’s a degree of frustration when something like WannaCry runs wild when a fix for the issue has been around for a couple of months, and the problem with governments stockpiling vulnerabilities that are, inevitably, leaked and made available to threat actors.
One of the suggestions Smith makes is to treat vulnerabilities in the same way other weapons are handled. There’s a set of guidelines most countries abide by, The Geneva Convention, that governs the use of certain types weapons.
One of the problems with such a system is that when The Geneva Convention was created, weapons were quite tightly controlled by national governments. That’s definitely not the case with cyber or conventional weapons. But some sort of agreement by governments to not stockpile vulnerabilities that can be exploited by bad guys is needed.