[thematt]

I'm not sure how splitting up the NSA fixes anything. Wouldn't the new offensive organization still be compelled to seek out zero-day exploits as well for their mission? What happens when they find one that the defensive organization hasn't found yet?

[electic]

Better than the current setup. The defensive side sole responsibility is to find critical flaws and report them. This would also include investigating breaches in US infra and making sure things get patched. Right now, you don't even have the defensive side.

[tptacek]

Splitting IAD off from SIGINT wouldn't reduce the number of zero-days the government collected, but it would:

* Ensure that the advice IAD was generating was untainted by SIGINT influence

* Enable IAD to independently collect vulnerability intelligence and disseminate it (most importantly, to vendors) without having to endure a bogus equities process to ensure they weren't blowing a SIGINT operation.

Of course, this only works if IAD is stripped completely out of the NSA, and perhaps out of the DoD entirely. IAD probably belongs under DHS.