Govts must report vulnerabilities to vendors: Microsoft

Brad Smith, Microsoft chief legal officer.

Top legal officer calls for "Digital Geneva Convention".

Microsoft is calling for governments to be forced to report technology vulnerabilities to vendors to prevent the type of widespread damage that has resulted from the global WannaCrypt ransomware worm attack.

WannaCrypt has ripped through networks and infected hundreds of thousands of unpatched and unsupported Windows computers around the world.

The worm uses two exploits developed by the United States National Security Agency.

A group of hackers calling themselves the Shadow Brokers broke into systems at The Equation Group, which is linked to the NSA, and copied and released the vulnerabilities on the internet.

Microsoft says governments of the world should treat the WannaCrypt attacks as a wake-up call and stop hoarding vulnerabilities to be used offensively.

"... this attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem," Microsoft chief legal officer Brad Smith wrote.

"This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world.

"Repeatedly, exploits in the hands of governments have leaked into the public domain and caused widespread damage."

Microsoft said it wants the same rules that apply to weapons in the real world to cover vulnerabilities and exploits.

In February this year Microsoft raised the prospect of a Digital Geneva Convention, inspired by the existing treaties that deal with weapons usage by nation states during conflicts and wars.

As part of such an agreement, governments would be required to report vulnerabilities to vendors rather than stockpile or exploit them, Smith said. 

In March, unnamed US intelligence officials told Reuters that some 90 percent of all American government spending on cyber programs went to offensive efforts.

This includes penetrating defensive systems, interception and surveillance of communications, and developing ways to degrade and interrupt civil infrastructure, the officials reportedly said.
