Interesting story in @nytimes on foreign countries hiring former U.S. govt hackers to run operations ... which then in turn sometimes target people in the U.S. https://twitter.com/nytimes/status/1358083061406138371
Lots of lessons the U.S. can and should be learning from this, although imo perhaps not ones usually posited.
For example, this here is foremost an incentives problem. Morale and pay issues at NSA pushing people outwards; lack of training on what these types of recruitments *are*; and lack of disincentives (incl. criminal or contractual obstacles) to taking those skills to adversaries.
Also this is very common received wisdom: the problem with N.S.A. is they spend too much on "offensive" capability and if only they would spend it on defensive capability then adversaries wouldn't be able to break in.

But it doesn't follow. Defense and offense are not symmetric.
Simple example: NSA's *total* budget is ~$3.6bn or so. Even if the *entirety* of that were spent on "offensive" hacking (which it isn't), that's still around a third of *just* Microsoft's revenue *just* in their cybersecurity business.
Another example. Let's suppose a Microsoft product has a bug in it somewhere. To break into the product, NSA needs to find one bug in it and exploit it. But for Microsoft to defend the program from *any* adversary, they need to find (or mitigate) *all* of the bugs in it.
Those two things are not symmetric in terms of cost. Taking the dollars you spent on world-class CNE and ploughing them into defense doesn't mean you're now defending against foreign CNE actors acting at the same level you gave up. It just doesn't. It's not symmetric.
It's not even clear to me that if you took *all* of NSA's offensive CNE budget and ploughed it *all* into cybersecurity defense that you'd even improve cybersecurity defense *at all*. It's entirely possible you'd end up with the resulting overall defense being *worse*.
That's because folks who worked in CNE have two views of defense that help the defensive sector if/when they move there. Because they see two things "pure" defenders don't:
1) What works for *you* to break in
2) What *adversaries* are doing to break in, by breaking into *them*.
In "pure" defense, you only see the attacks you catch, which is a nasty feedback loop. You end up building tools to look for hackers based on what you think they might be doing, but your knowledge of what they might be doing is itself tuned towards what you've previously caught.
By contrast, look at how many exploit mitigations in modern OSes and phones are built by people who used to be "offensive" hackers. Or how many threat intel companies have former NSA staff. Or how many foreign hackers were ultimately brought down by CNE against them.
The bulk of funding for those skills comes from NSA or DoD (or derivatives, like defense contractors), and they filter into tech companies as those employees leave. If NSA/DoD stopped spending on "offense", it's not clear to me you don't actually harm cybersecurity defense in the long run.
The argument would be better taken if the majority of actual breaches took place with techniques completely unknown to the private sector. But that's also not the case. Most hacks happen via well-known techniques the private sector could, but doesn't, fix with their own dollars.
You can follow @pwnallthethings.