Microsoft just as much at fault for WannaCry IT attack as the NSA

By failing to support older versions of its operating system, the IT company provided the hackers that stole the NSA's IT Tomahawk Missile the opportunity they needed

James Moore
Chief Business Commentator
Monday 15 May 2017 11:04 BST
The NHS was one of the first victims of the WannaCry malware (EPA)

“An equivalent scenario with conventional weapons would be the US military having some of its Tomahawk missiles stolen.”

So said Microsoft’s Brad Smith of the WannaCry malware that demands a ransom for freeing locked up computers and has spread chaos around the globe.

Mr Smith, the IT giant’s President and Chief Legal Counsel, was concerned that the offending code appears to have been stolen from America’s National Security Agency.

His clever analogy spread around the world’s news organisations just as quickly as WannaCry spread through computers used by organisations ranging from businesses, to schools, to Russian railways, to Britain’s NHS.

If you’re currently doing a masters in corporate communications or PR, congratulations, you have a subject for your thesis.

The way Mr Smith grabbed control of the news agenda at the start of the working week was textbook.

Attacking shadowy American government agencies, while likening their stockpiling of malware to the stockpiling of ballistic missiles? Cleverly done, Mr Smith, cleverly done.

You should be congratulated. I salute you. We all should. With raised middle fingers.

Mr Smith wasn’t wrong. If you stockpile dangerous code like WannaCry and then allow it to be stolen, you’re asking for trouble.

But let’s remember the key point about all this: The criminals behind the WannaCry attack were able to wreak havoc by exploiting flaws in Microsoft products.

Those flaws will be exploited again in the expected second wave of attacks this week and then again during the future outbreaks that will doubtless follow.

Now, if you read Mr Smith’s blogpost (it's on Microsoft's website) he does actually acknowledge that his employer has some thinking to do.

Under a headline calling for “urgent collective action to keep people safe online” - and how could you argue with that - he says this: “As a technology company, we at Microsoft have the first responsibility to address these issues.”

Yes, you do Mr Smith. But that hasn't been at the centre of people's minds because of the Tomahawk Missile analogy, used later on in your blog, as I suspect you knew would be the case. As I suspect Microsoft knew would be the case.

There are those who will argue that if organisations hit by WannaCry had just upgraded their software they wouldn’t have had to worry.

But the thing is, upgrading software across big organisations like the NHS isn’t as simple as you or I simply upgrading our computers and having to wait awhile to use Amazon. It’s time consuming, complicated and costly. Especially costly.

You want our new system? Pay up then. Don’t want to do that? Well, we’re not going to support the old one so tough luck if something goes wrong.

Doesn’t that look rather like a ransom demand if you think about it?

It's not as if upgrading is risk free. Just upgrading a personal computer or a Mac can create problems, as I learned to my cost at the weekend. Five hours on Sunday afternoon speaking to Apple's help staff and still my newly updated Mac refuses to access the internet.

Imagine if that were to happen at the NHS, or another big and important organisation where web access is vital. It’s not as if they could do what I did and simply use an iPad while waiting for the engineers to report back on what went wrong.

Is it any wonder, then, that sometimes organisations stick with the tried and tested and clunky, even if the makers withdraw their support?

Yes, Mr Smith, this should serve as a wake up call and you are not wrong about security agencies' cavalier hoarding of nasty computer bugs, or that it is scandalous that they so often seem to get out.

Firms and other big IT users also need to think hard about their IT strategies, and the training they provide.

We need to have a conversation, and urgently.

But right at the centre of that conversation should be the IT companies themselves, and the responsibilities they have towards those people they sell their hugely profitable products to.

Mr Smith seems to like analogies, so here’s one to think about.

Set aside the NSA for a moment. Let’s imagine a car company like, I don't know, Ford for the sake of argument, decided to behave like Microsoft and other IT companies do.

Now, imagine if the brakes started to fail on an earlier version of, say, its Ford Focus. Do you think the company would be allowed to get away with saying that that model is “unsupported” and that customers should upgrade to a newer model if they want cars with working brakes? I don’t.
