It is hard to imagine more fitting names for code-gone-bad than WannaCry and Eternal Blue. Those are just some of the computer coding vulnerabilities pilfered from the National Security Agency’s super-secret stockpile that have been used in two separate global cyber attacks in recent weeks. An attack on Tuesday featuring Eternal Blue was the second of these to use stolen NSA cyber tools—disrupting everything from radiation monitoring at Chernobyl to shipping operations in India. Fort Meade’s trove of coding weaknesses is designed to give the NSA an edge. Instead, it’s giving the NSA heartburn. And it’s not going away any time soon.
As with most intelligence headlines, the story is complicated, filled with good intentions and unintended consequences. Home to the nation’s codebreakers and cyber spies, the NSA is paid to intercept communications of foreign adversaries. One way is by hunting for hidden vulnerabilities in the computer code powering Microsoft Windows and all sorts of other products and services that connect us to the digital world. It’s a rich hunting ground. The rule of thumb is that one vulnerability can be found in about every 2,500 lines of code. Given that an Android phone uses 12 million lines of code, we’re talking a lot of vulnerabilities. Some are easy to find. Others are really hard. Companies are so worried about vulnerabilities that many—including Facebook and Microsoft—pay “bug bounties” to anyone who finds one and tells the company about it before alerting the world. Bug bounties can stretch into the hundreds of thousands of dollars.