The White House has disclosed the circumstances in which the clandestine agencies will reveal a vulnerability to the public rather than exploit it.
The list of criteria is vague and is strongly at odds with the idea of an agency that values the security of the internet.
The language is largely about protecting American assets and infrastructure, and even then only in the event that there is a high likelihood that others will exploit the vulnerability AND that it will do significant damage. What this means is that if a vulnerability is found in hardware that is mostly deployed in Europe or Asia, the vulnerability will almost certainly be hoarded away for safekeeping to be used against the enemies of the US like Amnesty International and Human Rights Watch.
Nothing about this article is comforting. The candor with which we are told that the weaponization of vulnerabilities takes precedence over the security of the internet is marvelously short-sighted. What happens, for instance, when a Huawei vulnerability known by the NSA is discovered by hackers and they build a 400,000-server botnet?
Disclosure needs to be the paramount idea. The internet needs to be made secure. This means strengthening security standards, not intentionally crippling them. It means disclosing zero-day attacks the moment they are known to close security holes in major infrastructure worldwide. It means doing the right thing to ensure the internet is safe for all, not just your own citizens. Global reach is the whole purpose of the internet to begin with. Any attempt to walk away from that is an attack on the fundamental purpose of the internet we all know and love.
The Obama administration has doubled down on protecting the NSA, publicly supporting the actions of the agency and adding loopholes in policy that allow withholding vulnerabilities and exploiting them if there is a "clear national security or law enforcement" goal.
The real solution would be to split the NSA into two separate agencies: one based on offense and one based on defense. This would remove the clear conflict of interest in the NSA's dual responsibilities to the American people and American allies.