Bruce Schneier’s first-class site breaks the news that Chinese hackers used leaked NSA hacking tools fourteen months before they were released on the internet. He doesn’t know why this should be (did the Chinese hack the NSA? Probably not), but he does use this information to highlight the fact that the NSA’s stockpiling of zero-day vulnerabilities for its own use is actually bad for America’s security.
What does this mean? Well, whenever the NSA finds a vulnerability in software it does not advise the company concerned so that the weakness can be fixed. Instead it hoards the information against the day when the NSA may need to hack into those same systems. For instance, it uses certain of these vulnerabilities to break into otherwise secure Virtual Private Networks (VPNs). The NSA has always denied doing this, but always with the proviso “unless there is an intelligence or law enforcement need to do so.” The problem is that the NSA sees a need to store these vulnerabilities in almost every case. What is worse is that foreign hackers find exactly the same vulnerabilities and then worm their way into our systems, causing great damage. These risks could be avoided if the NSA weren’t so greedy. Bizarrely, the NSA is actually harming America’s internet security, which it is pledged to protect.
If you have the time, it is well worth reading Schneier’s excellent article on this problem. He even advances a convincing argument for breaking up the responsibilities of the NSA to better protect the Western internet. You should be able to find his article here: http://www.schneier.com/blog/archives/2016/08/the_nsa_is_hoar.html