Microsoft has come out in defence of its role in Friday’s ongoing global cyber-attack, criticising the role of the US National Security Agency in creating tools that were subsequently leaked and then used in the attacks.
In a blog post published on Sunday, Brad Smith, president and chief legal officer at the company, said that the attack was enabled by the National Security Agency (NSA) stockpiling exploits rather than openly sharing discovered exploits so they could be fixed.
The cyber-attack has disrupted NHS services in parts of England and Scotland since Friday afternoon.
Smith said the exploits used by the malicious WannaCrypt software “were drawn from the exploits stolen from the National Security Agency”.
He added: “This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem.”
“Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage.”
The technology behemoth said that on 14 March it had released a security update to patch the vulnerability, but many computers globally remained unpatched.
Questions are now being asked about the vulnerabilities caused by the reliance of many parts of the NHS on ageing infrastructure and software.
Support for Windows XP was withdrawn in April 2014, but according to Digital Health Intelligence 2015 data on NHS infrastructure, as many as 20% of NHS organisations could still be making use of it, and around 90% are thought to run something on it somewhere in their organisation, often in clinical systems or imaging equipment.
Dame Fiona Caldicott, speaking on Monday at the Caldicott Guardians National Annual Conference in London, referred to a letter and review sent last July on the nation’s cyber security.
It said “computer hardware and software that can no longer be supported should be replaced as a matter of urgency”.
Alongside Dame Fiona’s review, the Care Quality Commission’s July 2016 review into cyber security, ‘Safe Data, Safe Care’, also highlighted the risk posed by outdated IT systems.
In response, then life sciences minister George Freeman said: “We are working with suppliers, including Microsoft, to help health and care organisations update their systems and make sure they are safe to use and store data.”
Smith said that Friday’s attack demonstrated how cyber security was becoming a shared responsibility between customer and supplier.
“As cybercriminals become more sophisticated, there is simply no way for customers to protect themselves against threats unless they update their systems. Otherwise they’re literally fighting the problems of the present with tools from the past.”
Smith said an equivalent scenario would be the US military having some of its Tomahawk missiles stolen.
“The governments of the world should treat this attack as a wake-up call.”