The agency has gathered a significant amount of intelligence on the ways sophisticated cyber-actors -- usually nation-states and, more often than not, China -- have written their code. Sometimes the NSA is able, through its collection of signals intelligence, to get advance notice of a major attack on a major company. It has very recently begun sharing this information with the FBI, which in turn shares it (or a sanitized form of it) with the companies that might be affected.
But it has been NSA policy to keep its information private. They're an intelligence agency, after all. They gather information in secret and use it to outfox the enemy. If the NSA were to share with the public what it knows about China's cyber capabilities, for example, then China would know what the NSA knows and would adjust its tactics accordingly, thus potentially rendering the Defense Department's Internet space more vulnerable. But the penetrations have become so frequent and so potentially economically devastating that the government has decided to take that risk.
The next step may be letting the NSA conduct deep-packet monitoring of private networks. Congress and the public would almost certainly be uncomfortable knowing that the NSA has its hardware at the gateways to the Internet. And yet there may be no other workable way to detect and defeat major attacks. Thanks to powerful technology lobbies, Congress is debating a bill that would give the private sector the tools to defend itself, and it has been slowly peeling back the degree of necessary government intervention. As it stands, DHS lacks the resources to secure the dot-com top-level domain even if it wanted to. It competes for engineering minds with the NSA and with private industry; the former has more cachet and the latter has better pay.
Some private-sector companies are good corporate citizens and spend money and time to secure their networks. But many don't. It's costly, both in terms of buying the protection systems necessary to make sure critical systems don't fail and also in terms of the interaction between the average employee and the software. Security and efficiency diverge, at least in the short run.
If the NSA were simply to share with the private sector en masse the signatures its intelligence collection obtains about potential cyber-attacks, cybersecurity could measurably improve in the near term. But outside the companies who regularly do business with the intelligence community and the military, few firms have people with the clearances required by the NSA to distribute threat information. (Under the new initiative, the NSA's intelligence will be filtered through the FBI and DHS.)
Also, because the NSA's reputation has been tarnished by its participation in warrantless surveillance, and because telecoms are wary of cooperating with the NSA beyond the scope of the law, companies are afraid to even admit that they've asked the agency for technical advice. As a senior executive at Google -- which asked the NSA to help contain an outbreak of Chinese network exploitation in 2008 -- admitted to me, "People don't really trust the NSA, and it will raise suspicions that we're letting them look at their search data, and other things. It's not in our interest."
But it was in their interest to work with the agency -- and in the months ahead the NSA is betting that will be true of many others.