When should spies tell companies that their systems can be hacked?
May 14: A massive ransomware attack was carried out Friday, hitting hospitals, companies and government offices in nearly 100 countries.
It spread through a vulnerability leaked last month in a trove of hacking tools believed to belong to the NSA. The ransomware outbreak has reignited the debate about when spy agencies should disclose these vulnerabilities — especially when people’s lives are at stake.
The NSA and other spy agencies look for software vulnerabilities and then build tools to target and exploit them. Under current laws, they don’t have to report the flaws to the company at risk. Instead, they can use them for intelligence gathering or law enforcement.
The leaked hacking tools publicized a Windows vulnerability. Even though Microsoft released a patch in March, computers and networks that hadn’t updated their systems were still at risk. The ransomware, called WannaCry, locked down all the files on an infected computer and asked the computer’s administrator to pay in order to regain control of them.

money.cnn.com