WASHINGTON — The National Security Agency has taken a significant step toward protecting the world’s computer systems, alerting Microsoft to a vulnerability in its Windows operating system rather than keeping quiet and exploiting the flaw to develop cyberweapons as the agency typically would, people familiar with the matter said Tuesday.
The warning allowed Microsoft to develop a patch for the problem, and it appears to be a shift in strategy for the intelligence agency. In years past, the N.S.A. has collected and hoarded all manner of computer vulnerabilities, using them to gain access to computer networks to collect intelligence and develop cyberweapons to use against American adversaries.
But that policy came under criticism when the N.S.A. lost control of some of those tools, which fell into the hands of cybercriminals and other malicious actors in recent years, including North Korean and Russian hackers.
The N.S.A. was set to discuss the decision to alert Microsoft later in the day. The Washington Post earlier reported its warning to Microsoft, which was slated to release a patch for the vulnerability on Tuesday.
The N.S.A.’s decision to reveal the flaw to Microsoft — and then to publicly announce its move — is in sharp contrast to how it handled another flaw that it discovered but told Microsoft about too late to prevent global damage.
In early 2017, N.S.A. officials told Microsoft’s president, Brad Smith, that it had found a flaw in its operating systems but lost it to a group called the Shadow Brokers, who somehow obtained hacking tools that the United States had used to spy on other countries. The N.S.A. had known about the flaw for some time but held onto it, thinking that one day it might be useful for surveillance or the development of a cyberweapon.
But when the agency’s arsenal of flaws leaked out — presumably through insiders, though the N.S.A. has never said — among it was code nicknamed “Eternal Blue.” While Microsoft had raced to get people to patch the erroneous code, many systems remained unprotected.
Soon North Korean hackers used the code to develop “WannaCry,” software that crippled the British health care system, which used an outdated version of Microsoft Windows. And Russian hackers used it in the NotPetya attacks, among the most damaging cyberattacks in history, costing hundreds of million of dollars to companies including FedEx and Maersk, the shipping giant.
The agency dismissed the idea that it was responsible for the malicious use of the code — arguing that the responsibility lay with North Korea and Russia, which mounted the attacks. But privately, many agency officials acknowledged that the tendency to hoard such flaws in hopes of developing weapons had come at a huge price and that the United States bore some responsibility for the damage caused by Eternal Blue and other tools.
Some experts believe Eternal Blue is continuing to cause problems, allowing hackers to disrupt computer systems.
This is a developing story. Check back for updates.