The NSA and its defenders keep going back to the same argument
over and over again in an attempt to justify its actions: that they're being done for the sake of "national security." Basically, they're claiming that if the NSA didn't stomp all over the 4th Amendment, undermine the internet and try to spy on everything possible, we'd all be less safe. As we've pointed out, however, the NSA never seems to do a simple cost-benefit analysis
to see if the costs outweigh the benefits. It seems fairly clear they do not: the costs are huge, and the benefits of preventing exceptionally low probability events seem fairly low as well.
But, really, the issue is that the NSA's actions aren't actually helping national security, but they're doing the exact opposite. They're making us significantly less safe. Bruce Schneier made this point succinctly
in a recent interview:
The NSA’s actions are making us all less safe. They’re not just spying on the bad guys, they’re deliberately weakening Internet security for everyone—including the good guys. It’s sheer folly to believe that only the NSA can exploit the vulnerabilities they create. Additionally, by eavesdropping on all Americans, they’re building the technical infrastructure for a police state.
The folks over at EFF have dug into this point in much greater detail
as well. Undermining internet security is a really
bad idea. While it may make it slightly easier for the NSA to spy on people -- it also makes it much easier for others to attack us. For all this talk of national security, it's making us a lot less secure.
In trying to defend this situation, former NSA boss Michael Hayden recently argued that the NSA, when it comes across security vulnerabilities, makes a judgment call
on whether or not it's worth fixing or exploiting itself. He discussed how the NSA thinks about whether or not it's a "NOBUS" (nobody but us) situation, where only the US could exploit the hole:
You look at a vulnerability through a different lens if even with the vulnerability it requires substantial computational power or substantial other attributes and you have to make the judgment who else can do this? If there's a vulnerability here that weakens encryption but you still need four acres of Cray computers in the basement in order to work it you kind of think "NOBUS" and that's a vulnerability we are not ethically or legally compelled to try to patch -- it's one that ethically and legally we could try to exploit in order to keep Americans safe from others.
Of course, that ignores just how sophisticated and powerful certain other groups and governments are these days. As that article notes, the NSA is known as a major buyer of exploits sold on the market -- but that also means that every single one of those exploits is known by non-NSA employees, and the idea that only the NSA is exploiting those is laughable. If the NSA were truly interested in "national security" it would be helping to close those vulnerabilities, not using them to their own advantage.
This leads to two more troubling issues -- the fact that the "US Cyber Command" is under the control of the NSA is inherently problematic. Basically, the NSA has too much overlap between its offensive and defensive mandates in terms of computer security. Given what we've seen now, it's pretty damn clear that the NSA highly prioritizes offensive efforts to break into computers, rather than defensive efforts to protect Americans' computers.
The second issue is CISPA. The NSA and its defenders pushed CISPA heavily, claiming that it was necessary for "national security" in protecting against attacks. But a key part of CISPA was that it was designed to grant immunity to tech companies from sharing information with... the NSA, which was effectively put in control over "cybersecurity" under CISPA. It seems clear, at this point, that the worst fears about CISPA are almost certainly true. It was never about improving defensive cybersecurity, but a cover story to enable greater offensive efforts by the NSA which, in turn, makes us all a lot less