In ransomware attack, where does Microsoft’s responsibility lie?

When malicious software first became a serious problem on the internet about 15 years ago, most people agreed that the biggest villain, after the authors of the damaging code, was Microsoft.

As a new cyber attack continues to sweep across the globe, the company is once again at the center of the debate over who is to blame for a vicious strain of malware demanding ransom from victims in exchange for the unlocking of their digital files.

This time, though, Microsoft believes others should share responsibility for the attack, an assault that targeted flaws in the Windows operating system.

On Sunday, Brad Smith, Microsoft’s president and chief legal officer, wrote a blog post describing the company’s efforts to stop the ransomware’s spread, including an unusual step it took to release a security update for versions of Windows that Microsoft no longer supports. Smith wrote, “As a technology company, we at Microsoft have the first responsibility to address these issues.”

He went on, though, to emphasize that the attack had demonstrated the “degree to which cybersecurity has become a shared responsibility between tech companies and customers,” the latter of whom must update their systems if they want to be protected. He also pointed his finger at intelligence services, since the latest vulnerability appeared to have been leaked from the National Security Agency.

On Monday, a Microsoft spokesman declined to comment beyond Smith’s post.

To prepare for fallout with customers, Judson Althoff, a Microsoft executive vice president, sent an email to the company’s field sales team Sunday encouraging them to be supportive of businesses targeted by the attack, or even those who were simply aware of it.

“Our key direction to you is to remember that we are in this with our customers — we are trusted advisers, counselors, and suppliers to them,” he wrote. “More than technical guidance, I want you to make sure you are spending the time needed to understand the concerns they have and that they know we are here to help.”

While Microsoft’s reputation has suffered in the past because of security problems, the company’s stock is barely down from the close of trading Thursday, just before reports of the ransomware.

“People have extremely short memories when it comes to this,” said Jan Dawson, an analyst with Jackdaw Research. “I think, realistically, people will move on pretty quickly.”

Microsoft has recognized the risk cyber security poses to it since about 2002, when Bill Gates, the former chief executive, issued a call to arms inside the company after a wave of malicious software began infecting Windows PCs connected to the internet.

“As software has become ever more complex, interdependent and interconnected, our reputation as a company has in turn become more vulnerable,” Gates wrote in an email to employees identifying trustworthy computing as Microsoft’s top priority. “Flaws in a single Microsoft product, service or policy not only affect the quality of our platform and services overall, but also our customers’ view of us as a company.”

Since then, the company has poured billions of dollars into security initiatives, employing more than 3,500 engineers dedicated to security. In March, it released a software patch that addressed the vulnerability exploited by the ransomware, known as WannaCry, protecting systems such as Windows 10, its latest operating system.

Yet security flaws in older editions of Windows persist. The company no longer provides regular software updates to Windows XP, a version first released in 2001, unless customers pay for “custom support,” a practice some observers believe has put users at risk. Late Friday, Microsoft took the unusual step of making patches that protect older systems against WannaCry, including Windows XP, free.

“Companies like Microsoft should discard the idea that they can abandon people using older software,” Zeynep Tufekci, an associate professor at the school of information and library science at the University of North Carolina, wrote in a New York Times opinion piece over the weekend. “The money they made from these customers hasn’t expired; neither has their responsibility to fix defects.”

But security experts challenged that argument, saying that Microsoft could not be expected to keep updating old software products indefinitely. Providing updates to older systems could make computers more insecure by removing an incentive for users to modernize, said Mikko Hypponen, chief research officer of F-Secure, a security firm.

“I can understand why they issued an emergency patch for XP after WannaCry was found, but in general, we should just let XP die,” Hypponen said.

Despite the high profile of WannaCry, widespread malware outbreaks have become less common over the years, as Microsoft has improved the security of its systems, said Ziv Mador, vice president for security research at Trustwave, a security services firm. But the profits criminals can make through ransomware and other malicious code ensure the problem will never vanish.

“Even though it’s becoming harder and harder, the incentives have increased tremendously,” said Mador, who previously worked on security response at Microsoft.
