Why the NSA's attacks on the Internet must be made public


[Commentary] The National Security Agency's actions are making us all less safe, because its eavesdropping mission is degrading its ability to protect the US. Among IT security professionals, it has long been understood that the public disclosure of vulnerabilities is the only consistent way to improve security. That's why researchers publish information about vulnerabilities in computer software and operating systems, cryptographic algorithms, and consumer products like implantable medical devices, cars, and CCTV cameras.

Without public disclosure, you'd be much less secure against cybercriminals, hacktivists, and state-sponsored cyberattackers. The NSA has two conflicting missions. Its eavesdropping mission has been getting all the headlines, but it also has a mission to protect US military and critical infrastructure communications from foreign attack. With the rise of mass-market computing and the Internet, the two missions have become interwoven. It has become increasingly difficult to attack their systems while defending our systems, because everyone is using the same systems: Microsoft Windows, Cisco routers, HTML, TCP/IP, iPhones, Intel chips, and so on. Finding a vulnerability – or creating one – and keeping it secret to attack the bad guys necessarily leaves the good guys more vulnerable.

