The National Security Agency (NSA) headquarters building in Fort Meade, Maryland. Handout / Reuters
"If American espionage cannot protect the special tools that it possesses, it doesn't matter that they are good people working for good purposes under good oversight," Hayden told NBC News. "If they cannot protect the tools, I just can't mount the argument to defend that they should have them. This is the one that, unless resolved, I think actually could constitute a legitimate argument to do less."
Officials at the NSA, the digital spying agency that is known for its unwillingness to deal with news media inquiries, did not respond to requests for comment. At the CIA, which has never been shy about engaging reporters, spokesman Ryan Trapani obliquely defended the agency's cyber espionage operations, without speaking directly to the leak or its implications.
"CIA's mission is to aggressively collect foreign intelligence overseas to protect America from terrorists, hostile nation states and other adversaries," he said. "It is CIA's job to be innovative, cutting-edge, and the first line of defense in protecting this country from enemies abroad."
Related:
WannaCry Threat Remains, Say ExpertsHe added, "We have no comment on the authenticity of purported intelligence documents released by WikiLeaks or on the status of any investigation into the source of the documents," but that "the American public should be deeply troubled by any WikiLeaks disclosure designed to damage the intelligence community's ability to protect America against terrorists and other adversaries."
Former senior NSA officials offered a defense of the agency on condition of anonymity, because they are not authorized to discuss their prior work.
One former official told NBC News in May that the NSA releases 90 to 95 percent of the software vulnerabilities it discovers, but it sits on the rest for use in hacking and spying activities. In other words, the agency doesn't tell Americans about software holes that make them vulnerable — so it can exploit those weaknesses to spy on foreigners.
Some people would like the NSA to alert industry to every software hole it finds. But then, the former official said, the NSA would lose avenues for spying and attack. And hackers would still find holes to exploit, because such holes are inevitable.
"We do have software vulnerabilities out there, and why shouldn't the NSA be in the business of helping to protect us by exploiting those things when necessary?" a second former official asked.
But one thing neither former official could answer is why the NSA has continued to experience major breaches of classified material. First former NSA contractor Edward Snowden leaked some of the most sensitive secrets ever made public. Then another contractor, Harold Martin, was accused of taking home reams of classified documents. Then the Shadow Brokers obtained the software flaws.
Through it all, the same person, Kemp Ensor, has been head of security at the agency, according to his LinkedIn profile. The NSA did not respond to a request to make him available, and he did not respond to a message sent through LinkedIn.
The success of the cyber attacks can't be blamed entirely on the U.S. government. After it learned of the Shadow Brokers leak, the NSA warned Microsoft and other companies, the former officials said. Microsoft released a patch in March designed to fix the flaw.
But many companies and individuals failed to patch their systems. Those running outdated software may not even have been be able to.
After the WannaCry attack in May, Microsoft general counsel Brad Smith took direct aim at U.S. intelligence agencies.
"This attack provides yet another example of why the stockpiling of vulnerabilities by governments is such a problem," he wrote in a blog post. "This is an emerging pattern in 2017. We have seen vulnerabilities stored by the CIA show up on WikiLeaks, and now this vulnerability stolen from the NSA has affected customers around the world."
He continued, "Repeatedly,
exploits in the hands of governments have leaked into the public domain and caused widespread damage. An equivalent scenario with conventional weapons would be the U.S. military having some of its Tomahawk missiles stolen."