Microsoft President Urges Nuclear-Like Limits On Cyberweapons

Enlarge this image toggle caption Elaine Thompson/AP Elaine Thompson/AP

Microsoft has had a whirlwind last few days. The company's Windows operating system was the target of a massive cyberattack that took down hundreds of thousands of computers across 150 countries. While it's too soon to say the worst is over — there could be another wave — the president of the company does have two big takeaways.

One takeaway is sexy and edgy. The other is boring, plain vanilla — but no less important to Brad Smith, president of Microsoft.

Let's start there.

Simple maintenance would solve a lot of problems



"We need to make it as easy as we can for people to patch their systems, and then customers have to apply those patches," Smith says.

Patching! That's it. Instead of hitting "ignore, ignore" when a pop-up on your screen asks, "Do you want to install a critical update and reboot?" You should just do it. Two months ago, Microsoft released the patch that could have prevented the outbreak. But because so many companies didn't apply it, the so-called WannaCry attack spread like cholera.

Some victims were using computers that run on Windows XP, a 16-year-old operating system. In digital years, that's old.

"It's worth remembering that Windows XP not only came out six years before first iPhone. It came out two months before the very first iPod. Think about how antiquated that feels to us today," Smith says.

Because this attack is so contagious — it self-propagates, slithering from computer to computer without any human help — Microsoft decided it had to build a patch for that antique system too. Microsoft also found itself giving tech support to one more unusual group: thieves, people who used pirated, illegal copies of Windows.

Smith does not want to make a habit of that, but he says, "It was the right thing to do for this particular incident."

Microsoft calls for a "Digital Geneva Convention"



The Microsoft president's second takeaway is not about what businesses of every size need to do. It's about what intelligence agencies, like the CIA and the NSA, need to do.

"A lot has changed in the world just in the last 12 months," Smith says. "We've seen a huge focus on nation-state hacking by other countries including Russia and North Korea."

According to a New York Times report, North Korea may be behind this recent attack. And according to many security researchers, the attack method was first developed inside the National Security Agency. Criminals got a hold of it and tweaked it.

Many countries are racing to create more cyberweapons. Smith says there's a real risk that criminals will steal them. He'd like governments to limit the creation of cyberweapons, just like they did for nuclear weapons. Microsoft wants a "Digital Geneva Convention" he explains, "something that would commit governments to do less hoarding of exploits and vulnerabilities [and] do more to work with software vendors so that we can all keep systems secure."

Meaning, as he wrote in a blog post this past weekend, agencies like that NSA should have a "new requirement" to report vulnerabilities they find to software makers like Microsoft, instead of stockpiling or selling or exploiting them.

"This is not yet a conversation that has even begun, at least with the general public," Smith says.

McAfee exec sees some need for stockpiling cyberweapons



Steve Grobman, chief technology officer at McAfee, which makes the popular antivirus software, disagrees with Smith. "Microsoft has a very strong position that is an absolute, whereas my position is a little bit more balanced," Grobman says.

He says governments should stockpile cyberweapons in some instances. For example, the U.S. is fighting a war and the military needs to take down a power plant, and there are only two options: "to drop a bomb on it, or to use a cyberattack to temporarily disable it. The cyberattack can, in many cases, limit the amount of loss of life," he says.

Clearly, there is a difference of opinion among tech leaders. Though Grobman agrees with his colleague at Microsoft: These last few days, battling the WannaCry attack, have been very long.