Microsoft has attacked the US government for developing the computer vulnerability that was used in a cyber attack on thousands of computers on Friday.
The global ransomware attack, which hit computers in more than 150 countries, was engineered using tools developed by America’s spy agency, the National Security Agency.
As well as throwing the NHS into chaos, it hit Spanish telecoms giant Telefonica, Nissan, and the German railway system.
It was only in March that Microsoft had been able to issue a security update that fixed the flaw after it was stolen from the NSA, meaning that many computers had not installed the patch by the time the NSA’s “Eternal Blue” exploit was dumped on the open internet in April.
“The governments of the world should treat this attack as a wake up call,” Microsoft’s president and chief legal officer, Brad Smith, wrote in a blog post. “This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem.”
Smith’s message, posted on Twitter, was retweeted by Microsoft’s chief executive Satya Nadella.
Smith pointed to a recent theft of CIA hacking tools, published by Wikileaks, as evidence that the NSA losing the Eternal Blue tool was not a one-off, and compared the US losing hacking tools to having cruise missiles stolen.
“Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen,” he said.
Smith argued that in cyberspace, governments should apply rules like those regarding weapons in the physical world.
He noted that Microsoft is calling for a “Digital Geneva Convention” that would require governments to report computer vulnerabilities to vendors rather than store, sell or exploit them.
“We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits,” Smith wrote.