The now infamous leaks by Edward Snowden on the extent of NSA surveillance shed light on the role the organization plays in gathering information to further US capabilities against its enemies. It has been theorized that the NSA is a defensive mechanism, using its extensive resources to monitor threats and to document groups and individuals in order to prevent incidents before they happen. However, fighting terrorism is likely only a fraction of what the NSA does, as the organization is involved in an international surveillance and intelligence race. In this sense the NSA is not a purely defensive organization, and it is part of a debate on whether the US government should hoard vulnerabilities in the Internet or disclose and fix them.
One recent example is the Heartbleed bug in the OpenSSL software library. Essentially, it is a programming mistake that allows outsiders to exploit the flaw, which illustrates its potential for both offense and defense. Unpublished vulnerabilities are valuable because victims can be compromised without knowing it and the discoverer can use the flaw at will. Whoever discovers an unpublished vulnerability can choose to use it defensively or offensively. Defense entails alerting the vendor so that it can patch the flaw; in fact, many vulnerabilities are discovered by the vendors themselves. Used offensively, however, a vulnerability can be turned against anyone, and even the vendor may not learn of it until attackers are exploiting it extensively. This is a security issue with the potential to involve significant amounts of money, as people who discover such vulnerabilities can sell them for attack purposes.
With regard to the NSA, it has two options. It can act defensively and alert the vendor, which will then fix the flaw and thereby increase net security across the board against attackers. Or it can act offensively and use the flaw to access foreign computer systems, which is also an important US policy goal. There is no middle ground, because everyone uses the same software: fixing it for the US fixes it for everyone else, and leaving it exposed leaves the US exposed as well, since someone else may discover and use it.(1) The latter point becomes more crucial when considering the cyber “cold war” involving foreign countries such as China. Thus the issue for the NSA is whether to disclose and fix vulnerabilities or to keep them secret for its own use.
One concept the NSA uses is “NOBUS”, standing for “nobody but us”: under this process most vulnerabilities are disclosed, while some that only the NSA could have discovered and used are held back. An unpatched vulnerability puts everyone at risk, but not to the same degree. Western states like the US are more susceptible because of their more expansive electronic infrastructure and intellectual property, whereas countries like China and Russia are less vulnerable, giving them less incentive to see these issues fixed. Thus, from a US perspective, fixing these vulnerabilities makes more sense, as it improves security on a much wider basis, especially considering that today more countries are spending more money looking for these vulnerabilities than fixing them.
(1)