Home to the nation’s codebreakers and cyber spies, the NSA is paid to intercept communications of foreign adversaries. One way is by hunting for hidden vulnerabilities in the computer code powering Microsoft Windows and all sorts of other products and services that connect us to the digital world. It’s a rich hunting ground. The rule of thumb is that one vulnerability can be found in about every 2,500 lines of code. Given that an Android phone uses 12 million lines of code, we’re talking a lot of vulnerabilities. Some are easy to find. Others are really hard. Companies are so worried about vulnerabilities that many—including Facebook and Microsoft—pay “bug bounties” to anyone who finds one and tells the company about it before alerting the world. Bug bounties can stretch into the hundreds of thousands of dollars.
In this case, a shadowy group called the Shadow Brokers (really, you can’t make these names up) posted part of the NSA’s collection online, and now it’s O.K. Corral time in cyberspace. Tuesday’s attacks are just the beginning. Once bad code is “in the wild,” it never really goes away. Generally speaking, the best approach is patching. But most of us are terrible about clicking on those updates, which means there are always victims—lots of them—for cyber bad guys to shoot at.
WannaCry and Eternal Blue must be how folks inside the NSA are feeling these days. America’s secret-keepers are struggling to keep their secrets. For the National Security Agency, this new reality must hit especially hard. For years, the agency was so cloaked in secrecy, officials refused to acknowledge its existence. People inside the Beltway joked that NSA stood for “No Such Agency.” When I visited NSA headquarters shortly after the Snowden revelations, one public-affairs officer said the job used to entail watching the phones ring and not commenting to reporters.
Now, the NSA finds itself confronting two wicked problems—one technical, the other human. The technical problem boils down to this: Is it ever possible to design technologies to be secure against everyone who wants to breach them except the good guys? Many government officials say yes, or at least “no, but…” In this view, weakening security just a smidge to give law-enforcement and intelligence officials an edge is worth it. That’s the basic idea behind the NSA’s vulnerability collection: “If we found a vulnerability, and we alone can use it, we get the advantage.” Sounds good, except for the part about “we alone can use it,” which turns out to be, well, dead wrong.

That’s essentially what the FBI argued when it tried to force Apple to design a new way to breach its own products so that special agents could access the iPhone of Syed Rizwan Farook, the terrorist who, along with his wife, killed 14 people in San Bernardino. Law-enforcement and intelligence agencies always want an edge, and there is a public interest in letting them have it.