Their history has shown a trend toward less and less disclosure over time. Each successive "war" takes longer and longer for things to be declassified.
I've got extremely detailed material in my library published within years of the end of WW1 the sorts of detail I honestly never expect to see again.
The long cold war "taught" them to not trust the public, and the global media environment and the Internet only multiply their concerns.
Even if they have reasons to release... Those are increasingly washed away by their fear. We the public grow to accept "infinite secrecy" inch by inch, it's the Overton Window and sadly it works.
Since you mention decades of experience and information releases...
A book I just read about the history of the KGB and GRU listed techniques they used to unmask CIA spies. Choice stuff. If the cultural atttache has three assistants, and two of them has offices next to the cultural attache but the third has an office in the maximum-security area, which one is the spy? If that third assistant was hired at the age of 33 to an employer that never hires anyone over 31? And did not go through the regular training? And is listed in the State Department's employee list as "Reserve", ie. not a regular officer? And so on. A long and embarrassing list, and it worked for decades. The CIA knew about it in 1964 (probably not in detail) but the Soviets still used thee techniques to unmask three CIA spies per week in 1980.
Maybe the real stupidity was to locate the spies' offices where they were. But the office lists were published, for decades. The employee list was published, including the "Reserve" marking, for decades.
Decades of experience do not automatically confer competence.
> The CIA knew about it in 1964 (probably not in detail) but the Soviets still used thee techniques to unmask three CIA spies per week in 1980.
If you're the CIA and you know the Soviets are using this technique, you don't fix the problem, you use it to your advantage by letting the Soviets unmask the identities of lesser spies while not putting your most important spies on the employee list.
Sacrifice three less-important spies per week? From 1964 to 1989? That must have been some amazingly amazing things they guarded if they were worth that sacrifice.
Whats good for one agency may be bad for another, for example the State Department might like Tor because it facilitates anonymous informants while the NSA might not like it because they can't read your email.
I am not even sure if the NSA's mission extends to defending civilians.
Decades of experience doesn't mean it's the globally-optimal experience. From what has been made public, for example, it really seems like after 9/11 happened everyone got the message very clearly: “never again, no matter the cost”.
There hasn't been any significant counterbalance for protecting the public. This is also something of a new threat analysis model for them: software usually fails completely and globally, whereas there's never been an equivalent where someone in Russia figured out something like how to shutdown every GE industrial generator in the world without physical access. If you are used to thinking of the world in the era before pervasive internet connectivity you're going to underestimate the cost of not fixing something.
Nobody has been fired for keeping information secret or using national security as an excuse to mislead the public and even the Congress, and there's been no penalty for using those laws to conceal mistakes or abuse. That speaks of a culture which values secrecy over almost any other concern.
So, yes, they have decades of experience – but I would argue those are decades of experience with the wrong understanding and incentives.
Of course they don't. Security services don't have experience. People have experience. People are often incompetent. Security services have long, glorious histories of incompetence. Every day, someone with very little experience is having to make decisions.
Here's a similar example. The British armed forces have decades and decades of experience of COIN. Yet they were bloody awful at it for most of the recent Iraq and Afghanistan debacles. The fact that someone who had a job fifty years ago and was good at is it meaningless. It only matters if the person who has the job now is good at it.
Yes. Pretty much everyone I know in such an industry has tunnel-vision on their area and overestimates its importance. They'd end up plastic-wrapping(/suffocating) us to prevent [malware, terrorism, power-grid collapse, etc] if they could - that's their only metric because they spend all day thinking about it.
If you step back and look at terrorism and hacking and traffic fatalities on the same level you can make rational plans to actually help the most people - then assign tasks to the agencies. They certainly can't set their own goals.
So no, I really don't think the NSA has a rational (ie, cost/benefit) balance of attack/defense from our (citizens who want to live long wealthy lives) PoV. It's our job to regulate that.
