The National Security Agency calls itself “the world leader in cryptology,” deploying its tens of thousands of employees (the exact number is classified, as is its number of unfilled positions) and estimated 11-figure budget (again, classified) to “outmaneuver those who would do us harm in cyberspace.” But the United States’ premier electronic-spying agency hasn’t been doing much outmaneuvering lately. In 2017, the NSA was forced to admit that some of its most effective hacking tools had been stolen and dumped online for anyone to see and use—and they were used liberally by U.S. cyber adversaries. “Created at huge expense to American taxpayers,” The New York Times reported, “those cyberweapons have now been picked up by hackers from North Korea to Russia and shot back at the United States and its allies.”



Then the Times reported last month that the theft wasn’t an inside job so much as a self-inflicted wound: A cyberfirm’s postmortem report determined that before hackers published the NSA’s most valuable malicious code online, they had been captured by Chinese intelligence operatives “from an NSA attack on their own computers—like a gunslinger who grabs an enemy’s rifle and starts blasting away.” Old NSA hands used to joke about their employer’s secrecy by saying that its initials stood for “No Such Agency.” Today, the moniker sounds more like a judgment on the NSA’s ethics and effectiveness.

The NSA is not alone in inadvertently inviting data breaches. On Monday, Customs and Border Patrol conceded that photographs it collected of roughly 100,000 border travelers at an unnamed U.S. port of entry, including “license plate images and traveler images,” were stolen in a “malicious cyberattack.” Those images were then “offered for free on the dark web to download,” according to one report. Responding to the hack, a lawyer for the ACLU, which has long challenged CBP’s expanding data-collection efforts, pointed out the obvious: “The best way to avoid breaches of sensitive personal data is not to collect and retain it in the first place.”

Regular phone and internet users remain vulnerable, forced to take individual protective measures, like a poor wage-worker without health insurance who’s told to secure her nest egg by cutting out morning lattes.

The revelations that NSA hackers and Border Patrol data-trackers had played themselves came on the heels of potentially worse news for wired Americans: An Israeli coding firm also admitted last month that its spyware was being deployed by hackers to attack WhatsApp users and gain access to their phones. The Facebook-owned messaging app, along with Signal and Telegram, all offer end-to-end encryption and have gained favor with newsrooms, activists, and privacy-minded individuals. But the spyware furor was just the latest chink in those apps’ armor; their encoding doesn’t help you if you don’t set them to delete your messages, or if you back them up to a cloud. There’s always a chance that another bug or an exploit in the system will allow the NSA, or other intelligence agencies, or increasingly prolific non-state actors, to snoop on you. Everyone’s threat vector is different—individually, few of us are interesting enough to spy on—but the problem remains the same: Americans’ private information, their digital communications, and the streams of data on which their day-to-day lives depend are not secure.

President Donald Trump’s response last month was to issue an executive order declaring a cyber-state of emergency and banning American telecommunications companies from using foreign-made equipment. “This will prevent American technology from being used by foreign-owned entities in ways that potentially undermine U.S. national security or foreign policy interests,” Commerce Secretary Wilbur Ross—who is tasked with carrying out Trump’s order—said in a statement. But the executive order is a broad, simplistic reaction to a complicated problem: America—its military, its political class, and its populace—is terrible at virtually every facet of information security.