Microsoft's Chief Legal Officer Brad Smith has penned a blog post today, accusing the NSA of stockpiling exploits, failing to protect its hacking tools, and indirectly causing the WannaCry ransomware outbreak.
Smith is asking for a collective action between software vendors, cyber-security researchers, and governments across the world, "to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world."
Earlier this year, the Microsoft top lawyer called for the creation of a Digital Geneva Convention, an international treaty to govern the proliferation and usage rules for cyber-weapons.
In that earlier proposal, Smith wanted nation-state actors to avoid hacking end-users and private organizations and only focus on each other's digital government infrastructure.
Now, the Microsoft exec wants government organizations to stop hoarding hacking tools, usually built around zero-days, and disclose software vulnerabilities as soon as government cyber-intelligence operatives find them.
[T]his attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem. This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world. Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen.
In late 2015, the NSA officially admitted it only discloses 91% of the vulnerabilities it finds, keeping the rest for the creation of cyber-weapons.
In a Reuters report, government officials admitted the hoarded zero-days are used for the creation of offensive weapons, just like ETERNALBLUE, the NSA exploit at the core of the WannaCry ransomware outbreak. That exploit was allegedly stolen from the NSA, along with tens of other exploits, by a group known only as The Shadow Brokers, and released online.
Smith's blog post is somewhat utopian, as the Microsoft exec ignores the fact that creating cyber-weapons is the NSA and CIA's job, since their primary purpose is to defend the nation's interests, just as Chinese and Russian cyber-spooks do for their nations.
Such a utopian plan would need the cooperation of all states, something few countries have an incentive to do. There is no reason for the US to disarm and incapacitate itself in terms of cyber-weapons if China and Russia don't do the same.