Since everyone is dumping their two cents about WannaCry, I was feeling kind of left out. I have a few thoughts about all this. The overarching thing is this: the current system is broken.
Since the news of the malware broke late last week, this has all started to turn into a political war. Everyone get on your side and start blaming someone. In times like these we have to remember that nuance is hard, but nuance is needed. Is Microsoft financially liable for this? Given that they have been very clear about what gets support and what does not, the answer is obviously no. When it comes to PR, that is a different story. Microsoft released a patch to those paying for extended Windows XP support a few months ago. This means that Microsoft had the tools in place to stop this outbreak. Those that paid received it, which seems to make sense as long as you don’t consider the fallout of having a huge malware story leading the evening newscast talking about “Microsoft Windows”. Given that Microsoft quickly released the security update to everyone following the incident, they evidently noticed this too.
Last night Microsoft posted this:
The governments of the world should treat this attack as a wake-up call. They need to take a different approach and adhere in cyberspace to the same rules applied to weapons in the physical world. We need governments to consider the damage to civilians that comes from hoarding these vulnerabilities and the use of these exploits. This is one reason we called in February for a new “Digital Geneva Convention” to govern these issues, including a new requirement for governments to report vulnerabilities to vendors, rather than stockpile, sell, or exploit them. And it’s why we’ve pledged our support for defending every customer everywhere in the face of cyberattacks, regardless of their nationality. This weekend, whether it’s in London, New York, Moscow, Delhi, Sao Paulo, or Beijing, we’re putting this principle into action and working with customers around the world.
I strongly disagree with this stance from Microsoft. First, if you tell the NSA that they have to turn over everything they find, guess what happens next? They no longer have any need to do this. What incentive would our intelligence agencies have to do Microsoft’s work for them? Microsoft’s job is to sell a product that makes money; the intelligence agencies’ job is to defend the citizens of the United States of America. Now, the tools, and how they do that, are another debate. If you think that the NSA is going to hand over bugs they find without wanting something back, you are living on another planet. Do we really want a world where the large tech companies have a symbiotic relationship with the CIA, NSA, etc.? Step one in this argument seems easy; where it goes from there is a tad harder.
We have to do something to address this in the future. One of the big memes that has come out of this mess is: what happens when your autonomous car demands $300 not to drive you off a cliff? This is a bit much, but it made me think. Right now car manufacturers are required to pay the cost of repairs and fixes that rise to the level of a “safety recall” for ten years. That means they must fix the seatbelt they sold with issues for ten years after the last one is sold. This is a good starting point for tech. Operating system and hardware vendors alike must come up with a standard across the industry that all must follow. I think ten years of security support should be that standard for business or institutional devices. If every company or government knows that every product they buy has a maximum shelf life of 10 years, they will be able to budget and plan in a better manner. It will also allow vendors to offer longer service as a sales point. I am talking about a bare minimum.
We also need a similar setup for consumers. Google announced last week that their own Pixel phone will get three years of security patches before it is cut off. That is three years from launch, not from your purchase date. This is not good enough. Security updates, not feature updates, should be required for five years from the last day the OEM sells the device. Tying security to some average wireless contract is just dangerous. There are many parts of the world where secondary-market phones are big business. You are pretty much telling those customers that their safety and security do not mean anything, and in many cases they live in places where security from their own government is paramount.
How do we do this? How do we even start this discussion? I am sure I am wrong about a few details above, and I may be off on how long things should be supported, but I am confident in my belief that something has to be done now. I have zero faith in tech companies doing this on their own. This is why we have government, and it’s time they act. People look at the word “regulation” as some obstacle. Remember the next time you get on an airplane that it is government regulation standing between your safety and some airline actuary selling shareholders on how many crashes they can incur before it hurts the bottom line. Hey, we saved a few billion on repairs and only seven planes crashed; pop the champagne, as the stock price just went up!