[danielvf]

The DES standard's S-Boxes were changed by the NSA in the 1970s. It was long thought that this was to weaken them. However in the 1990's differential cryptanalysis was publicly discovered, and the NSA's changes to the S-boxes were found to have hardend DES agaist differential cryptanalysis.

[PeCaN]

Now here's something fascinating. According to https://en.wikipedia.org/wiki/Differential_cryptanalysis#His..., IBM discovered differential cryptanalysis in the 1970s when designing DES. They opted to keep it a secret, given its general applicability against ciphers. It is unclear whether IBM shared it with the NSA or the NSA discovered it independently, but there's strong evidence that both IBM and the NSA were aware of differential cryptanalysis well before the public discovery in the 90s.

¹ This has what looks like a good citation but requires a subscription to access the relevant paper (sigh).