IN the wake of malware WannaCry infecting hundreds of thousands of computers using a stolen NSA hacking tool, Brad Smith, the president of Microsoft has blamed the nation-states in pursuit of cyber weapons, as a major danger to the people. Brad Smith writes in his blog (https://blogs.microsoft.com), “Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage...this most recent attack represents a completely unintended but disconcerting link between the two most serious forms of cyber security threats in the world today – nation-state action and organised criminal action.” While this is quite correct, what Brad Smith forgot to mention is Microsoft's responsibility in such hacks and its walking away from older products, opening them to such risks.
How did a NSA hacking tool end up in the hands of a criminal group and as a part of world's biggest malware attack?
In April this year, a group called Shadow Brokers, dumped online NSA's cache of cyber weapons/hacking tools. After the WannaCry outbreak, Shadow Brokers have now announced that they will auction more such tools, presumably to willing criminal gangs like the one behind the WannaCry malware. Wikileaks has also reported CIA's cyber weapons getting hacked. More such threats therefore are in the offing.
INTERNATIONAL TREATY AGAINST CYBER WEAPONS
Smith and Microsoft are now advocating for a Digital Geneva Convention for protecting the world against cyber weapons. This is the path the US refuses to tread, in the belief that with its huge array of hacking tools and cyber weapons, it is far ahead of others. The US tech companies, who have worked closely with NSA and CIA, are now realising the risks to their systems from the leaking of US cyber weapons to criminal groups.
It is a welcome sign that they are joining in the calls for banning cyber weapons, calls which have been issued by Russia and China for quite some time. It is the US which has hitherto refused to move in this direction. Mary Ellen O’Connell and Louise Arimatsu observed, (https://www.chathamhouse.org/sites/files/chathamhouse/public/Research/In... Law/290512summary.pdf) “The US, however, was said to have resisted proposals for a treaty. This may relate to US plans to use the Internet for offensive purposes as it is believed to have done regarding the Stuxnet worm. US officials claim publicly that Cyber Command is primarily defensive, but the reluctance to entertain the idea of a cyberspace disarmament treaty is raising questions about the true US position.”
Stuxnet was used by the US to attack Iran's uranium enrichment centrifuges and is the first use of a cyber weapon in the world, a cyber weapon being defined as software and/or hardware that can cause physical damage to equipment or people.
While Brad Smith is asking for a voluntary international ban on developing and use of such weapons, Russia and China have been asking for a much stronger Treaty, modelled on the lines of a ban on chemical weapons.
THE OTHER THREAT: PROPRIETARY POOR QUALITY SOFTWARE WITH NO SUPPORT
While Microsoft's Brad Smith is correct in his identifying the nation states, in this case NSA, and criminal gangs as the biggest threats to cyber security, he misses the other big threat – buggy and poorly engineered products – from companies such as Microsoft. This is compounded by their abandoning older products with no support, leaving security holes as targets by criminals. For example, Microsoft stopped supporting Windows XP in 2014, putting at risk a variety of users, who still continue to use XP.
Did Microsoft stop supporting XP as it was offering a better product? No. It offered Windows Vista, which was slower, buggy and had huge compatibility issues with other software and hardware products. The users refused to move to Vista. Microsoft then released its Windows 7, again with the idea of moving people away from XP. All this was simply to get people to pay once again for their operating system. Microsoft even predicted security threats to the older XP systems to shift to their next version, in this case the next-er version of Windows. For Microsoft, the biggest competition to their current operating system is not competition from other vendors, but their own previous systems; that is why the threat of withdrawal of support to older systems.
In 2014, when the Microsoft stopped supporting XP, an estimated 95 per cent of world's ATM's were running on XP. Microsoft's cost of upgrading an ATM was a few hundred dollars to several thousand depending on the maintenance required. Even now, it is estimated that 70 per cent of ATM's in India are running on old, unsupported XP, and thus open to various security threats including WannaCry ransomware.
Why should companies, whose products are still very much in the market with significant shares, be allowed to walk away from their products? Should its monopoly over a certain product allow it to force its users to pay again and again for new software licenses that quite often add very little? Or in the worst case – eg: the Microsoft Vista case – even degrades their performance? The time has come to insist that if a company “abandons” its products, it must open source its software and allow others to provide the support.
After the WannCry attack, Microsoft released a patch for XP, even though it no longer supports XP. But the issue of risks to systems running older, unsupported systems, such as XP still remain. How many of the other security holes for which Microsoft has released patches for its supported versions of Windows, still remain in the XP?
Of course, Free and Open Source Software (FOSS) do not have such issues. They are far more resistant to hacking than the equivalent Microsoft or other proprietary software.
A part of the reason why FOSS is safer is because their codes are open, and therefore bugs and holes are fixed far more effectively. The other is that the creators of such software do not leave secret backdoors in their systems the way Microsoft does. Microsoft has a history of cooperating with US intelligence agencies for providing access; or leaving backdoor for itself, as it wants to spy on users' machines for commercial reasons.
How many offices have been visited by Microsoft with remote “audit” and claims that they are running “illegal” software? The recent raids by Microsoft of a number of companies, should convince these and similar companies to switch to free software, and not be on buggy and insecure Microsoft surveillance platforms.
SHARED RESPONSIBILITY OR SHIRKING RESPONSIBILITY
Microsoft's Brad Smith has also declared about the “shared responsibility” of the suppliers and users regarding security. Before asking the users to take responsibility for their machines, Brad Smith needs to ask why are Microsoft products far more prone to such attacks as WannaCry?
If you are using Microsoft products, it is not easy to keep your machines protected all the time. The users need to be technically savvy, and not “mind” Microsoft's frequent upgrades of their software, which promptly make some features or software unworkable. Why even tech savvy people do not upgrade their software regularly, is because Microsoft updates are poor, buggy and with security holes.
If intelligence agencies with the resources of a nation state create cyber weapons, it poses enormous risks to the computer systems that pretty much run everything in the world today. Yes, we agree with Brad Smith and Microsoft that we need a new Geneva Convention on keeping cyber space free from weaponised software and hacking by nation states. The leak of such weapons pose enormous risks to the computer systems that are a part of world's vital infrastructure; that is why the demand for a cyber weapon ban, and treating the internet as a non-weaponised space. The same way we treat outer space.
What we need to add is how we make the corporations responsible for providing better software, and not allowing them to walk away from their responsibilities: either provide continuous support, or make the source code open so that others can support such software. We need a global regulatory regime that will address such security threats to our vital infrastructure.