There’s a blame game brewing over who’s responsible for the massive cyberattack that infected hundreds of thousands of computers. Microsoft Corp. is pointing its finger at the US government, while some experts say the software giant is accountable too. The attack has affected computers in more than 150 countries, including severe disruptions at Britain’s National Health Service.
The hack used a technique purportedly stolen from the US National Security Agency to target Microsoft’s market-leading Windows operating system. It effectively takes the computer hostage and demands a $300 ransom, to be paid in 72 hours with bitcoin.
Microsoft President and Chief Legal Officer Brad Smith blamed the NSA’s practice of developing hacking methods to use against the US government’s own enemies. The problem is that once those vulnerabilities become public, they can be used by others. In March, thousands of leaked Central Intelligence Agency documents exposed vulnerabilities in smartphones, televisions and software built by Apple Inc., Google and Samsung Electronics Co.
The argument that it’s the NSA’s fault has merit, according to Alex Abdo, staff attorney at the Knight First Amendment Institute at Columbia University. Still, he said Microsoft should accept some responsibility.
“Technology companies owe their customers a reliable process for patching security vulnerabilities,” he said. “When a design flaw is discovered in a car, manufacturers issue a recall. Yet, when a serious vulnerability is discovered in software, many companies respond slowly or say it’s not their problem.’“
Microsoft released a patch for the flaw in March after hackers stole the exploit from the NSA. But some organizations didn’t apply it, and others were running older versions of Windows that Microsoft no longer supports. In what it said was a “highly unusual” step, Microsoft also agreed to provide the patch for older versions of Windows, including Windows XP and Windows Server 2003.
In 2014, Microsoft ended support for the highly popular Windows XP, released in 2001 and engineered beginning in the late 1990s, arguing that the software was out of date and wasn’t built with modern security safeguards. The company had already been supporting it longer than it normally would have because so many customers still used it and the effort was proving costly.