Microsoft is not letting the WannaCry crisis go to waste
Lesson is everyone needs to do more to protect society starting with updating software
A ransomware cyberattack on a laptop in Taipei, Taiwan.
The WannaCry cyber attack has dented the reputations of organisations including the UK National Health Service, Telefónica of Spain and the US National Security Agency, which may have invented part of the software. For one company, though, it is working out better.
Microsoft, which owns the targeted operating system, would have had to pay millions for comparably useful publicity. True, 200,000 computers running Windows were affected, with hard drives encrypted and demands for bitcoin ransoms on computer screens. But the world’s biggest software maker has seized on the advantages.
Not only did Brad Smith, Microsoft’s president and chief legal officer, take the opportunity to tell customers to update software, but he took a shot at the NSA and governments with which technology companies have tussled over privacy and security. It was a masterclass in pursuing Microsoft’s interests while invoking a noble mission.
It included a helping of humbug – Windows still sits at the heart of 90 per cent of personal computers, and has proved vulnerable to many kinds of exploits over the years. But there was some truth: the incident shows that governments are keener on attacking enemies than defending their citizens, who are bad at it themselves.
Microsoft’s clear advantage is that it was prepared: it had made a patch for the WannaCry vulnerability in March and rolled it out to millions of computers. Many of those caught unaware were still running Windows XP, an ageing version dating back to 2001.
It endured a dark period at that time, when it kept launching editions of Windows, including 98 and XP, which were filled with new features but lacked basic reliability and security. Bill Gates, its founder, had to write his “trustworthy computing” memo in 2002, promising to perform better.
To a large degree, it worked. Any user of a recent version of the operating system, such as Windows 7 or 8, can shield themselves by keeping updated. The internet makes it simpler for hackers to burrow into computers, but also makes them easier to defend – companies can at least patch their machines against any known loopholes.
The remaining challenge is that Windows has a long tail – old versions stay on computers because it would either be too costly or too difficult to upgrade them. It is often the latter: companies run customised software that is not easy to make work with a newer Windows. There is always the temptation to let things remain as they are.
Microsoft needs incentives for the 7 per cent of users still running XP to upgrade to a new version, and for everyone to remain current. That is what the WannaCry attack, and the likelihood that it will only be the first in a string of similar incursions, offers.
It may be arduous to stick with old versions of software, but it is much more painful when machines stop working. “Information technology basics like keeping computers current and patched are a high responsibility for everyone,” Mr Smith warned. It is everyone’s public duty to carry on refreshing Windows software, in other words.
The second advantage for Microsoft and other technology companies is that it offers a good reason to resist the pressure from governments to loosen security just for officials. The UK government is among those to argue against the unbreakable encryption of data, which keeps messages sent from mobile and desktop devices secret.
Governments often demand that “back doors” should be inserted in software to allow them to read, for example, terrorist communications. But unless they could keep such technology secure and not let it leak, this would also allow others to run amok.
In practice, the NSA is poor at keeping secrets. WannaCry spread fast because it was combined with a worm called EternalBlue that is thought to have been developed by the NSA for its own purposes. This and other tools leaked after an NSA contractor was arrested last year for stealing data.
EternalBlue and other tools apparently developed by an NSA group were sold on the black market by another group called the Shadow Brokers. Gangs can now buy software from government agencies to deploy criminally.
It is a one-sided contest. Fluid groups of determined hackers with accidental support from intelligence agencies take on the technology departments of bureaucratic enterprises, and underfunded public sector bodies.
When hospital operations are cancelled and medical scanners break down, every government has to ask itself questions. Many have assumed that their own agencies can strike others without risk, but citizens are starting to suffer collateral damage.
The chances of the US, Russia, China and others agreeing a deal to limit their own cyber attacks – what Microsoft calls a Digital Geneva Convention – are slim. As James Andrew Lewis of the Center for Strategic and International Studies says drily, that would be “very difficult to negotiate”.
But everyone – governments, companies and individuals - needs to do more to protect society. It suits Microsoft, but it also happens to be true.
Copyright The Financial Times Limited 2017