
Bizarrely, the NSA and other US security agencies seem to have very little interest in defence, preferring surveillance and attack capabilities.



Not sure why that seems so bizarre; that's consistent with US posture since WWII, particularly strategic posture. Defense through force projection and construction of retaliatory capability. "The best defense is a good offense" is almost an underlying assumption of US doctrine. You don't defend yourself by building walls, you defend yourself by removing your adversaries' capabilities or willingness to use those capabilities.

It doesn't seem as though this has been especially effective with regards to information security, however. There are just too many adversaries, it's too hard to project force against them, and there's not much of an effective deterrent effect by sitting on a 'stockpile' of vulnerabilities yourself.

But IMO the disconnect is almost a fundamental one, because it's an area where what has worked fairly well for the US for 60+ years is suddenly falling flat.


There's a visibility bias there: attack capabilities in use are more likely to result in news articles; defense capabilities less so.


If only the media was quick to blame them for cyberattacks that happen under their watch, too. Then they might finally start to care. But because corporate media has such a tight relationship with all the Washington insiders, that never really happens.

One good example from recent times of how well this type of "incentive" works is Google and Stagefright. The media went nuts over Stagefright affecting virtually all Android devices - and for good reason, too.

Since then Google seems to be taking Android security way more seriously, and there have been a lot of serious security improvements in Android (7.0) over the past year.

But these sort of actions seem to happen in slow motion, if at all, when there isn't a hacking/malware catastrophe for which the companies can get blamed in the press.

The NSA pushed hard for new surveillance laws such as CISA with the promise that it's what they need to keep us safe against cyberattacks. So why isn't every single media entity blaming the NSA over every major new data breach that happened since then?


That's a false statement. They work with NIST to develop the standards that are the basis of the infosec industry.


Might be a false statement, but it's effectively true. Defense is part of their charter, but American government and corporations are clearly very vulnerable and are compromised routinely.

At this point I'd argue Google's security bounties have done more to secure the industry.


The problem with NIST (and I believe they admitted this is a problem) is that NIST is required by law to use the relevant experts from government agencies[0], which normally is fine, and exactly what you want. However, the agency when it comes to security is the NSA, and they're in the business of undermining it. Thus the whole ECC backdoor debacle.[1]

NIST seems like a good agency trying to do the right things. It's just that they're forced to work with bad actors.

[0] https://www.accessnow.org/its-not-you-its-me-committee-of-cr...

[1] http://www.nist.gov/itl/csd/sp800-90-042114.cfm


For the most part, NIST really has no relevance in infosec. With a few exceptions, they're always way behind, and only focus on a few narrow domains.


Literally every compliance standard in the US references NIST 800-53.

In terms of the "narrow scope" assertion: http://csrc.nist.gov/publications/PubsSPs.html


Part of the military culture: there's no glory, no medals, no promotions in a successful defence.

"Department of Defence" is so PC; things were much more honest back when it was called the "Department of War".


You have to research and implement new attacks to design its defense.


Well, what do you expect them to do for you? Nationalize and manage your IT infrastructure? They and the DoD publish security guidelines for servers, desktops, etc. that any business or government agency can follow. Also, do you use SELinux? That's NSA as well.

If you want regulation, that's Congress and POTUS, not the NSA.



