Brad Smith, president and chief legal officer of Microsoft, called the cyberattack that has infected nearly 200,000 computers worldwide “a wake up call for all of us, whether we’re in the tech sector, as customers or as government.”
The computers were infected with WannaCryptor, ransomware that locks down Windows-based systems and demands $300 to $600 worth of Bitcoins to restore access.
“We need to do more to address this problem,” Smith told the PBS NewsHour’s Judy Woodruff via satellite feed from Microsoft headquarters in Redmond, Washington.
Earlier this year, Microsoft called for a Digital Geneva Convention with the purpose of setting international regulations for stockpiling the kind of digital vulnerabilities exposed in this attack. Recent history — such as the Edward Snowden leaks or the Shadow Brokers hack — shows that government cybersecurity procedures and stockpiles are vulnerable to hackers.
The attack, Smith said, likely involved a sophisticated piece of software, the kind we normally see in government, combined with a less sophisticated piece of software, the ransomware component. “And in all probability, it’s some kind of organized criminal group that put it to use in a way no one intended,” he said.
Microsoft released a patch to fix the flaws in March, before the Shadow Brokers leak. This led some to wonder if the NSA had informed the tech giant of the problem in advance. When asked, Smith declined to comment on the specifics of what they knew and when.
“As you heard, he didn’t want to discuss if they were informed by the NSA,” Politico cybersecurity reporter Eric Geller told NewsHour’s William Brangham in a related interview on Tuesday’s show. “[It] seems likely they were informed. The only other possibility is they were told by this group that leaked the files.”
Geller described Microsoft’s situation as “tricky.” He said the company likely had little time to weigh the balance between informing customers and calling for stronger policy before the hackers leaked the programs. The more time you have to tell customers, the more time they have to fix it, Geller said.
Microsoft, Smith said, wants to help customers who struggle to find updates, especially in the case of complicated networks like England’s National Health Service. WannaCryptor crippled England’s national health care system on Friday, forcing hospitals to delay surgeries and turn away patients.
“Microsoft has the first responsibility to address these issues,” Smith said. “None of us should assume we’re doing everything that we can possibly do.”
Read a full transcript below.
JUDY WOODRUFF: The worldwide cyber-attack appeared to slow today. Since Friday, the so-called ransomware has hit more than 200,000 victims in more than 150 countries. The worst of it today was in Asia.
William Brangham reports.
WILLIAM BRANGHAM: At a movie theater in Seoul, South Korea, screens flashed the bad news: now playing, a global cyber-attack. In Indonesia, the waiting room at a cancer hospital in Jakarta was packed with patients, their records also held hostage by this so-called ransomware.
SRI ASTUTI, Hospital Patient (through interpreter): There are always so many people. That’s why it’s taking so long. We’re tired, but we need the treatment.
WILLIAM BRANGHAM: In China, state media reported some 4,000 schools were among the hardest-hit there, including two prestigious universities.
WANG WENYI, Chinese National Computer Response Center (through interpreter): If we pay the ransom, then we are risking getting our personal information, including our account information, recorded and stolen.
WILLIAM BRANGHAM: Japanese companies Hitachi and Nissan were affected as well, but Japan’s chief cabinet secretary said the damage was minimal.
The virus first struck on Friday, primarily at hospitals in Britain and companies across Europe. This particular kind of ransomware takes advantage of a security flaw in Microsoft’s Windows operating system. It locks users out of their computers until they pay a ransom to get it back.
This strain of ransomware was apparently built in part using software created by the National Security Agency, the NSA, which was then stolen by hackers. Microsoft patched the flaw in its system in March, but many users either ignored it or refused to pay for it.
In an open letter Sunday, Microsoft President Brad Smith blamed the NSA and called it yet another example of why the stockpiling of vulnerabilities by governments is such a problem.
Russian President Vladimir Putin, who is visiting China, also criticized the U.S., amid reports that his interior ministry had been hit hard.
PRESIDENT VLADIMIR PUTIN, Russia (through interpreter): The primary source of the virus happens to be the intelligence services of the United States. Russia here is absolutely uninvolved.
WILLIAM BRANGHAM: But at the White House today, Tom Bossert, President Trump’s homeland security adviser, said the NSA had never intended its tool to be used by foreign criminals.
TOM BOSSERT, White House Homeland Security Adviser: This was a vulnerability exploit as one part of a much larger tool that was put together by the culpable parties and not by the U.S. government. So, this wasn’t a tool developed by the NSA to hold ransom data.
WILLIAM BRANGHAM: Meanwhile, there’s been political fallout. In Britain, where a general election looms, opposition leader Jeremy Corbyn and Prime Minister Theresa May traded jibes long-distance:
JEREMY CORBYN, Labour Party Leader: Over the past seven years, our National Health Service has been driven into crisis after crisis. The Tory cuts have exposed patient services to cyber-attack.
THERESA MAY, Prime Minister, United Kingdom: Cyber-security is an issue that we need to address. That’s why the government, when we came into government in 2010, put money into cyber-security.
WILLIAM BRANGHAM: The cyber-attack’s effects in the United States have been limited, except for damage to the FedEx delivery service.
For the PBS NewsHour, I’m William Brangham.
JUDY WOODRUFF: And let’s turn to Microsoft now, which has been responding to this attack and criticizing the NSA for its alleged role in exploiting the vulnerability to begin with.
Brad Smith is the president and chief legal officer of the company. He joins me from Redmond, Washington.
Brad Smith, welcome back to the NewsHour.
So, first off, what is the status of this cyber-attack? There were some reports late today about a new variant surfacing in parts of the world. What do you know about that?
BRAD SMITH, President, Microsoft: Well, I think, as the report just showed, things seem to be calming down a bit, but it’s too early to declare victory or say that this episode is over.
As you just mentioned, new variants can be created. That’s not uncommon in these kinds of situations. We will have to monitor them. And then, more broadly, even as we help customers who are dealing with this particular attack, this is a wakeup call for all of us, whether we’re in the tech sector, customers or in government. We need to do more to address this problem.
JUDY WOODRUFF: And you did say in the memo that you — that Microsoft issued yesterday, you did say this is a powerful reminder everybody needs to keep their computers current and patched.
But you did go on to point that finger at governments and what you call stockpiling of vulnerabilities. What did you mean by that?
BRAD SMITH: Well, we have been pointing out in recent months that, more and more, in multiple countries, certain agencies and some governments are stockpiling vulnerabilities, meaning the flaws that they find in software, they’re creating their own exploits, so that they have them available.
And this causes us concern. We believe the world needs some new rules to govern this. We need governments to act with restraint, and we certainly need governments that are creating these kind of cyber-weapons to be effective, so that they’re not stolen or get leaked out.
JUDY WOODRUFF: Well, and I want to ask you about that, because, at the White House today, the president’s homeland security adviser, Tom Bossert — I think you just heard him say this — he said the NSA never intended for this tool that they created to be used as part of some ransomware attack.
BRAD SMITH: I think that’s got to be the case.
And the reality is, this was an unusual attack. It involved the combination of a very sophisticated piece of software of the type we sometimes see in governments, then combined with a much less sophisticated piece of software, in effect, the ransomware component.
And in all probability, it’s some type of organized criminal group that took what came out of the government and put it to use in a way that no one ever intended, but the damage is still done, and we can’t assume that this is the last time we will see this type of problem if we don’t find a way to take new steps.
JUDY WOODRUFF: Well, Brad Smith, what do you say about Microsoft’s role in this? I’m sure you know there are security analysts out there who are saying, not only because these flaws existed in something that Microsoft, that your company created, but also that the company apparently hasn’t done enough to alert people that these flaws are there, that they need to patch?
There are some nonprofit organizations, the governments that we have been discussing that just haven’t gotten around to it. And these analysts are saying, Microsoft should have done more to alert people.
BRAD SMITH: Well, the very first thing that I said in my statement yesterday was that Microsoft, in fact, has the first responsibility to address these issues.
I think that’s unquestionable. We look at everything that we’re doing today. We have 3,500 security engineers. We worked over the weekend to provide help to customers around the world. We acted in March to patch software. We acted in March to talk about the importance of this, as we do all the time.
But this is a wakeup call for us, for customers. None of us should assume that we’re doing everything that we can possibly do. Let’s all learn from this together. And I would be the first to say that, just as government needs to do more, we need to ask ourselves what more we could do as well.
JUDY WOODRUFF: Can you say at this point what more Microsoft can do?
BRAD SMITH: Well, one of the issues that I think we need to think through around the world is how to help customers, especially in sophisticated, diversified, complicated information technology environments to deploy patches more easily.
The National Health Service in the U.K. is a good example. It’s a very large institution. Now, in some cases, the computers are a good deal older. I think there is certainly an opportunity for us to ask ourselves, what new technologies can we deploy, what new processes can we develop to make it easier for customers?
And then, of course, we do need customers to act. We cannot actually patch their systems unless they deploy our technology. And that, too, is a lesson for us all.
JUDY WOODRUFF: I want to go back to what you were saying about the role of governments and the role specifically in this country of the National Security Agency, the NSA.
Your point is that they have developed devices to fix these flaws that exist, but they haven’t shared them quickly enough. Were you notified, was Microsoft notified by NSA that this was coming?
BRAD SMITH: Well, I don’t want to go into the specifics of how we learned about this particular problem or by whom or when.
It is of public record that we provided a patch in March. There wasn’t a public statement about this until April. But what I think is also important is that we need the global community to come together.
We called earlier this year for the creation, in effect, of a digital Geneva Convention, new rules of the road that apply to everybody, because this is an issue, in this instance, that may have arisen in the United States, but no one should think that this is an issue unique to the United States. This is an issue for many governments around the world.
JUDY WOODRUFF: Brad Smith, the president of Microsoft, we thank you very much for joining us.
BRAD SMITH: Thank you.