Microsoft says government hoarding of hacking tools is partly to blame for the cyberattacks that crippled computer systems around the world on Friday.
The company also reiterated a call it made earlier this year for an international agreement among states to shield civilians and corporate noncombatants from hacking.
In what one of the most significant cyberattacks ever recorded, computer systems from the U.K. to Russia, Brazil and the U.S. were hit beginning Friday by malicious software that exploited a vulnerability in Microsoft’s Windows operating system. The hacking tool at work was originally developed by the U.S. National Security Agency, before it leaked online earlier this year.
“This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem,” Microsoft President and Chief Legal Officer Brad Smith said in a blog post on Sunday, comparing the recent leaks of NSA and CIA hacking tools to, in the real world, the theft of cruise missiles.
Instead of developing hacking tools in secret and holding them for use against adversaries, governments and intelligence agencies should share weaknesses they find with Microsoft and other software makers so that vulnerabilities can be repaired, he said.
Smith repeated a call he made in February, calling for an international convention on the use of cyberwarfare akin to the Geneva Conventions’ protections for noncombatants and other guidelines in conventional warfare.
Microsoft had released in March a patch to fix the flaw exploited this week, but many computers, particularly older systems or devices that hadn’t been updated, remained vulnerable.
The company on Friday said it had added additional protection against the specific malware, and was working with affected customers. Microsoft also took the unusual step of releasing security fixes for systems it no longer is keeping up to date, including Windows XP, first released in 2001 and still widely used in some corners.
The attack was a reminder that people and businesses should keep their software up to date, or else remain vulnerable, Smith said.
“The governments of the world should treat this attack as a wake-up call,” Smith said. “They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world.”