Assuming the Times report is correct, it would absolutely be appropriate for the federal government to cover some of the costs. But the bigger question is whether the NSA has changed its behavior in the wake of the EternalBlue leak. There has yet to be any public accounting of how that leak occurred or what steps the agency has taken to prevent such a breach in the future. And there has certainly been no adequate resolution to the debate about what the agency should do when it discovers systemic security flaws like the one exploited by EternalBlue. A few years ago, the federal government developed a protocol for deciding when to notify companies about vulnerabilities in their software, and the NSA says it does so more than 90 percent of the time. But critics argue that the agency has become too intent on its offensive capabilities and that the 10 percent of flaws it keeps to itself are potentially the most powerful ones.