The NSA, which employs more mathematicians than any organization on Earth, has been collecting these vulnerabilities. The agency often shares the weaknesses they find with American manufacturers so they can be patched. But not always. As NSA Director Mike Rogers told a Stanford audience in 2014,“the default setting is if we become aware of a vulnerability, we share it,” but then added, “There are some instances where we are not going to do that.” Critics contend that’s tantamount to saying, “In most cases we administer our special snake bite anti-venom that saves the patient. But not always.”

In this case, a shadowy group called the Shadow Brokers (really, you can’t make these names up) posted part of the NSA’s collection online, and now it’s O.K. Corral time in cyberspace. Tuesday’s attacks are just the beginning. Once bad code is “in the wild,” it never really goes away. Generally speaking, the best approach is patching. But most of us are terrible about clicking on those updates, which means there are always victims—lots of them—for cyber bad guys to shoot at.

WannaCry and Eternal Blue must be how folks inside the NSA are feeling these days. America’s secret-keepers are struggling to keep their secrets. For the National Security Agency, this new reality must hit especially hard. For years, the agency was so cloaked in secrecy, officials refused to acknowledge its existence. People inside the Beltway joked that NSA stood for “No Such Agency.” When I visited NSA headquarters shortly after the Snowden revelations, one public-affairs officer said the job used to entail watching the phones ring and not commenting to reporters.

Now, the NSA finds itself confronting two wicked problems—one technical, the other human. The technical problem boils down to this: Is it ever possible to design technologies to be secure against everyone who wants to breach them except the good guys? Many government officials say yes, or at least “no, but…” In this view, weakening security just a smidge to give law-enforcement and intelligence officials an edge is worth it. That’s the basic idea behind the NSA’s vulnerability collection: “If we found a vulnerability, and we alone can use it, we get the advantage.” Sounds good, except for the part about “we alone can use it,” which turns out to be, well, dead wrong.

That’s essentially what the FBI argued when it tried to force Apple to design a new way to breach its own products so that special agents could access the iPhone of Syed Rizwan Farook, the terrorist who, along with his wife, killed 14 people in San Bernardino. Law-enforcement and intelligence agencies always want an edge, and there is a public interest in letting them have it.

As former FBI Director James Comey put it, “There will come a day—and it comes every day in this business—where it will matter a great deal to innocent people that we in law enforcement can’t access certain types of data or information, even with legal authorization.”