The NSA shouldn't just be an attacker, it should also provide defence. If one of their many contractors can leak details to the press for ideological ends it's pretty safe to assume that much worse secrets have already been leaked to other nation states (China, Russia etc.) for financial gain.
I think it's entirely reasonable to assume that a lot of exploits the NSA has discovered and not revealed (because it thinks they are "secret") have actually been sold to other governments by its own contractors. By not revealing these exploits to citizens they are actually leaving them open to attack by foreign governments. Large companies trying to defend against industrial espionage are probably most at risk.
> The NSA shouldn't just be an attacker, it should also provide defence.
Uh, it actually does exactly that. The second major mission objective of NSA is to ensure that the USA's own communications are secure. For example, the SHA-1 hash standard that underpins many of our cryptosystems was developed wholly by NSA as an alternative to MD5 (which was apparently even at the time thought to be weak at NSA).
However, there's a difference between ensuring that the theoretical underpinnings of COMSEC are adequate and releasing 0-days. There will always be exploits in web browsers used by people, so NSA is not "helping the citizens" by releasing each and every one of those secretly to browser developers. They can effectively only hamstring their own mission goals by doing that.
> If one of their many contractors can leak details to the press for ideological ends it's pretty safe to assume that much worse secrets have already been leaked to other nation states (China, Russia etc.) for financial gain.
Especially as the agency in question appears to have no compartments or levels of access. I've been wondering how a comparatively junior contract worker could access so much information...
But Snowden was a sysadmin and successfully managed to digitally impersonate persons actually in the right compartments, among other things, in order to get access to the data he wanted.
I suppose it's better to say that NSA is too reliant on contracted systems administrators to handle what should be inherently governmental functions, and that they don't properly compartment sysadmin functions. But then again, is it even possible to completely protect a computer network against an insider sysadmin threat?
> I think it's entirely reasonable to assume that a lot of exploits the NSA has discovered and not revealed (because it thinks they are "secret") have actually been sold to other governments by its own contractors. By not revealing these exploits to citizens they are actually leaving them open to attack by foreign governments. Large companies trying to defend against industrial espionage are probably most at risk.