SCOTT MALCOMSON wrote for the Carnegie Corporation of New York about cyber-security.
In August 2016, the director of the National Security Agency’s Information Assurance Directorate (IAD) told reporters that his division—responsible for cybersecurity in government and, to a degree, the private sector—would soon merge with the NSA’s other, much larger division, Signals Intelligence (SIGINT).
Since IAD was responsible, in general terms, for defense, and SIGINT for offense, their two missions had been kept distinct since the agency’s founding under President Truman in 1952. The distinction was always delicate, because vulnerabilities discovered by IAD could, if kept secret, be used by SIGINT to penetrate target networks. But this delicacy was a sign of its importance. If an American company, for example, had a vulnerability that IAD discovered, the company would want to know about it—so that it could be fixed, and not left open for SIGINT to exploit. (Remember, foreign governments that the U.S. spied on, as well as foreign companies, were purchasers of the same software that American companies used and sold.) The NSA had a responsibility to help American companies defend themselves.