
> maybe spend less time fleshing out offensive capabilities and more time on defense of your citizens?

What do you mean? The US should invest in cyber defenses instead of fighter jets?



No, it's just that the NSA used to work to make American companies more secure. Now instead they find zero-days and then secretly exploit them for as long as possible.

It's gotten so bad that their recommendations for crypto are regarded with a significant degree of skepticism because of their past history of deliberately undermining crypto systems, which is a terrible state of things.


> their recommendations for crypto are regarded with a significant degree of skepticism

Indeed. Once you start talking about magical constants and extremely convoluted math concepts... that's zero trust in my book.

Integer factorization is a grade school concept in most developed nations. The edge cases are far more obvious than with something like ECC, which has entire classes of no-good constants that would require a PhD in math to fully grok.


Prime factorization is one of the great unsolved problems in mathematics and if you can solve it there is a million dollar prize with your name on it. There are all kinds of issues with implementing crypto safely on top of it (google “Fermat factorization”), some related to bad constants. Being well known doesn’t make the math easy.
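The "Fermat factorization" pointer above is worth seeing in code. This is an added example, not part of the thread: it implements Fermat's method, which writes an odd modulus as n = a^2 - b^2 = (a-b)(a+b) and recovers p and q almost instantly when they share many leading bits, and pairs it with the kind of closeness check a key generator should run (the FIPS 186-4 bound |p - q| > 2^(nlen/2 - 100)). The two RSA key pairs are constructed in the script with a small Miller-Rabin helper; the offsets 2**20 and 2**420 are arbitrary choices for illustration.

```python
"""Fermat factorization against RSA moduli whose primes are too close together.

Added example with constructed inputs. Fermat's observation: any odd n = p*q
can be written n = a^2 - b^2 with a = (p+q)/2, b = (q-p)/2. Starting at
a = ceil(sqrt(n)) and stepping upward, the number of steps needed is roughly
(q-p)^2 / (8*sqrt(n)), so primes that share many leading bits fall regardless
of key size.
"""
import math

# Bases for Miller-Rabin; deterministic below 3.3e24, probabilistic (but
# overwhelmingly reliable) for the 512-bit candidates used in demo().
_MR_BASES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)


def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; sufficient for building demo keys."""
    if n < 2:
        return False
    for p in _MR_BASES:
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for a in _MR_BASES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def next_prime(n: int) -> int:
    """Smallest probable prime >= n (n assumed > 2)."""
    n = n + 1 if n % 2 == 0 else n
    while not is_probable_prime(n):
        n += 2
    return n


def fermat_factor(n: int, max_steps: int = 1_000_000):
    """Return (p, q) with p*q == n and p <= q, or None when max_steps is
    exhausted, i.e. the factors are not close enough for this method."""
    if n % 2 == 0:
        return 2, n // 2
    a = math.isqrt(n)
    if a * a < n:
        a += 1                      # a = ceil(sqrt(n))
    for _ in range(max_steps):
        b2 = a * a - n
        b = math.isqrt(b2)
        if b * b == b2:             # a^2 - n is a perfect square
            return a - b, a + b
        a += 1
    return None


def primes_too_close(p: int, q: int, nlen: int) -> bool:
    """Key-generation check in the spirit of FIPS 186-4 B.3.1:
    reject the pair if |p - q| <= 2**(nlen/2 - 100)."""
    return abs(p - q) <= 1 << (nlen // 2 - 100)


def demo() -> dict:
    nlen = 1024
    # Constructed "bad" key: q is the next prime after p + 2**20, so the two
    # primes agree on roughly their top 490 bits.
    p_bad = next_prime(1 << 511)
    q_bad = next_prime(p_bad + (1 << 20))
    n_bad = p_bad * q_bad

    # Constructed "good" key: q sits 2**420 away from p, above the FIPS bound
    # (a random pair would normally be ~2**510 apart).
    p_good = next_prime((1 << 511) + 12345)
    q_good = next_prime(p_good + (1 << 420))
    n_good = p_good * q_good

    return {
        "bad_flagged": primes_too_close(p_bad, q_bad, nlen),
        "bad_factored": fermat_factor(n_bad) == (p_bad, q_bad),
        "good_flagged": primes_too_close(p_good, q_good, nlen),
        "good_factored": fermat_factor(n_good, max_steps=10_000) is not None,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The bad pair is recovered on the very first step even though the modulus is 1024 bits, while the good pair would need on the order of 2^326 steps, which is why the check is on the distance between p and q rather than on the size of n.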


They do both, but right now the technology makes real defense (when you have real users) pretty much impossible. And not because of the NSA.


They do both, but it has been the case for a while that the NSA prioritizes offense. You can agree with that stance or not, but it is there; criticism on this point goes back at least a decade.

I agree that the security environment is awful, but that doesn't excuse NSA making it worse.


Of course NSA prioritises offense when it provides a vastly greater RoI.


Also, outside of SCIF environments (which do get prioritized), there isn’t a whole lot that is feasible for DOD or other gov’t agencies to do while still using civilian technology or working habits, which they don’t really have an option on right now.

The whole industry and economy needs to be upleveled software wise in a lot of ways for meaningfully better security to be economically possible.

Typically that requires a serious crisis and/or war. Hopefully not the case here.


> provides a vastly greater RoI

Of course it does. Thinking about it in terms of ROI doesn't consider externalities. When the OPM gets hacked, nobody at the NSA worries about their budget.

Reason #7893 "run government like a business" is a self-describing category error.


Everyone uses ROI calculations somewhere (just not necessarily using cash as the return metric), or they are flying blind.

The underlying issue is that large organizations have low trust (some worse than others!), and therefore large organizations tend toward coarse numeric metrics, and game those metrics to look better, which creates even lower trust (and hence backstabbing, empire building, etc.) between divisions.

As a reaction, leadership also tends to err towards coarse, harder-to-game metrics (like ‘reduce breaches by xx%’) rather than relying on judgement and trust (like ‘ensure we don’t have an unreasonable number of breaches, and work to reduce them in the ecosystem’).

Which of course provides strong incentives for chasing the number by throwing all the babies out with the bathwater, and often making the real problem worse.

It’s a size of the organization problem. Changing metrics/mission will shuffle up the specific babies being thrown out, and what is considered the bath water, but the underlying problem remains.

Solid, consistent leadership makes the problem better. Such leadership tends to be expensive and unwilling to deal with the political BS common in Gov’t, at least in the US.


The government does a ton of pure research, including in computer science and security, which is explicitly not about ROI but rather about advancing our understanding of basic science.


Which always has a grant proposal laying out hoped for results in areas being investigated, at least most of the time correct?

Someone looks at it and goes ‘yeah, that might pay off’ or round files it somewhere.

Researchers who never end up finding anything notable also don’t tend to have long careers, correct?


None of that is what I’m talking about, no. I know many researchers who are quite proud of the fact that their research is never going to make money but is super interesting from a scientific perspective.

The crazy amount of skepticism this always draws is simultaneously very funny and very saddening.


That a percentage of total funds is put into stuff like that isn't surprising, to avoid too much hyperfocus on what we know.

What percentage of the overall budget do you think it is?


Former employee, or contractor?


Thankfully no, but I know a few.

If you think tech workers have office BS to complain about, gov’t workers are at least 10x higher on the scale.


Can you please share a source? This isn’t laziness. I know I can search, and I will, but I cannot know what sources _you_ are intending, which provides context.


I did have some things in mind but, to save me a bit of time, are there any particular claims you're looking to source?


Sure, thanks

> No it's just that the NSA used to work to make American companies more secure

1. I'm interested in that history; e.g. how it came about and how it worked.

2. Evidence that this is no longer (or less of) a goal: policy, internal priorities, spending? Congressional testimony, legislation, or guidance? Leaks?


It seems to me that $100B spent by NSA on offensive operations will reap far greater security benefits than spending $100B “to make American companies more (cyber)secure”.

Knowing what your adversaries are up to is invaluable.


Here’s one concern highlighting the value of broad defenses. A targeted software-based attack may trigger supply chain disruptions with significant (even if only short-term) impacts. If combined / coordinated, multi-billion dollar disruption is within reach.

