DAVID GREENE, HOST:
It's been quite a whirlwind the last few days for Microsoft. That company's operating system, Windows, was the target of a massive cyberattack that took down hundreds of thousands of computers across 150 countries. While it's too soon to say the worst is over - I mean, there could be another wave - the president of the company does have two big takeaways which he shared with NPR's Aarti Shahani.
AARTI SHAHANI, BYLINE: One takeaway is sexy, edgy. The other is boring, plain vanilla, but no less important to Brad Smith, the president of Microsoft. Let's start there.
BRAD SMITH: We need to make it as easy as we can for people to patch their systems, and then customers have to apply those patches.
SHAHANI: Patching - that's it. Instead of hitting ignore, ignore when a pop-up on your screen asks you do you want to install a critical update and reboot? You should just do it. Back in March, two months ago, Microsoft released the patch that could have prevented the outbreak. But because so many companies didn't apply it, the so-called WannaCry attack spread like cholera. Some victims were using computers that run on Windows XP, a 16-year-old operating system. In digital years, that's old.
SMITH: It's worth remembering that Windows XP not only came out six years before the first iPhone, it came out two months before the very first iPod. And think about how antiquated that feels to us today.
SHAHANI: Because this attack is so contagious - it self-propagates, slithering from computer to computer without any human help - Microsoft decided it had to build a patch for that antique system, too. Microsoft also found itself giving tech support to one more unusual group, thieves, people who use pirated, illegal copies of Windows. Now, Smith does not want to make a habit of that, but...
SMITH: It was the right thing to do for this particular incident.
SHAHANI: The Microsoft president's second takeaway is not about what businesses need to do. It's about what intelligence agencies like the CIA and the NSA need to do.
SMITH: I think a lot has changed just in the last 12 months, and we've seen a huge focus on nation-state hacking by other countries, including Russia and North Korea.
SHAHANI: According to a New York Times report, North Korea may be behind this recent attack. And according to many security researchers, the attack method was first developed inside the NSA. Criminals got a hold of it and tweaked it. Many countries are racing to create more cyber weapons. Smith says there's a real risk, which we just witnessed, that criminals will steal them. He'd like governments to limit the creation of cyber weapons, just like we did for nuclear weapons. Microsoft wants a digital Geneva Convention.
SMITH: Something that would commit governments to do less of hoarding of exploits and vulnerabilities, do more to work with software vendors so that we can all keep systems secure.
SHAHANI: Meaning, as he wrote in a blog post this past weekend, agencies like the NSA should have a new requirement to report vulnerabilities they find to software-makers like Microsoft instead of stockpiling or selling or exploiting them.
SMITH: This is not a conversation that has even begun, at least with the general public.
STEVE GROBMAN: Microsoft has a very strong position that is an absolute, whereas my position is a little bit more balanced.
SHAHANI: Steve Grobman is chief technology officer at McAfee, which makes the popular anti-virus software. He says governments should stockpile cyber weapons in some instances. Say we're fighting a war and our military needs to take down a power plant, and there are only two options.
GROBMAN: To drop a bomb on it or to use a cyberattack to temporarily disable it. The cyberattack can in many cases limit the amount of loss of life.
SHAHANI: Clearly, there is a difference of opinion among leaders. Though he agrees with his colleague over at Microsoft - these last few days battling the WannaCry attack have been very long. Aarti Shahani, NPR News, San Francisco.
(SOUNDBITE OF SYNTHETIC EPIPHANY'S "THE CATALYST")