In the discourse around the American intelligence apparatus, agencies like the CIA and NSA are commonly described as protecting U.S. "national security." This phrase evokes a sort of collective interest of the American people, as if those agencies are manning the barricades between the citizenry and a scary world.
But events last week brought out the hidden contradictions behind this slogan. A group calling themselves the "Shadow Brokers" — possibly Russian hackers — leaked a large suite of NSA hacking tools, causing enormous embarrassment and fury at the agency. It's a serious breach — but also a stark demonstration of how the NSA's desire for unlimited access to computer networks exposes American companies and citizens to hacking by spies and criminals.
The leaked materials probably came from the "Equation Group," the mysterious NSA-linked hacking team that has previously been found behind cutting-edge computer malware. The trove contains various hacks, exploits, and even a few "zero-day" vulnerabilities in widely-used firewall software. The Intercept's Sam Biddle found confirmation in the Snowden documents that these are definitely NSA programs. Edward Snowden himself chimed in with informed speculation about how it might have happened as part of the cat-and-mouse game between competing spy agencies.
Cisco Systems, whose firewall was a direct target of some of the leaked tools, told Ars Technica they are scrambling to patch the vulnerability. As Marcy Wheeler writes, the "NSA has been exploiting vulnerabilities in America’s top firewall companies for years."
And that brings me to the basic problem with the NSA and national security. Cisco is a U.S. company whose security products are used by millions of U.S. businesses and individuals. The largest manufacturer of networking equipment in the world, it probably built your router or cable modem. So when it comes to security holes in their products, a pretty literal interpretation of "protecting national security" might be to tell the company about them immediately so that they can patch the holes. After all, if the NSA can find them, then chances are decent that some other hacker can too — or learn about them from the NSA itself, as was the case in this instance. What's more, it's a safe bet that the Shadow Brokers leveraged their knowledge of the exploits before leaking them — or only released a portion of what they have.
An NSA partisan might respond that espionage can also defend American interests, and leaving U.S. citizens open to attack from online criminals is merely the price that has to be paid.
The problem with this line of reasoning is that there is little evidence NSA surveillance and hacking are all that useful for ordinary Americans. So far as anyone can tell, their dragnet programs have never stopped a major terrorist attack. The Stuxnet worm — a hugely sophisticated piece of malware probably developed in part by the Equation Group — was a success of sorts in slightly delaying the Iranian nuclear program, but it's small beer compared to the guarantees contained in the Iranian nuclear deal. Other malware might have disrupted some computers in the Middle East, but as with the drone program, it's highly unclear whether this is paying off overall.
But more to the point, the whole security apparatus gives no sign whatsoever of having carefully weighed the pros and cons of espionage versus stronger firewalls and encryption. Instead they just loudly insist that there is no tradeoff while demanding security-crippling access to every American system — as when the FBI tried to force Apple to write a program they could use to crack any iPhone, thereby drastically weakening the phone's encryption.
This isn't the only way the defenders of "national security" can harm Americans, of course. I've written previously about how NSA hacking poses a threat to Silicon Valley tech companies, because the perception that American technology products are a periscope for U.S. government surveillance is a powerful argument in favor of banning those imports.
But when it comes to NSA-engineered malware, the distinction is even clearer. Here "national security" really refers to the ability of government spooks to root around in as many computer networks as possible, whenever they feel like it. Keeping ordinary citizens secure from corporate espionage, data or identity theft, fraud, hacking, and the like doesn't enter into the equation.