The National Security Agency has a wide-ranging menu of software exploits at its disposal to tailor the right attack to the targets it wants to monitor, according to a blog post published Wednesday by security expert Bruce Schneier. While the program allows analysts to operate in almost absolute secrecy, the NSA's pursuit of an expansive surveillance program has largely defeated those efforts, his essay concludes.

As last week's publication of secret NSA documents showed, the agency operates servers codenamed FoxAcid that exploit software vulnerabilities on targets' computers. By the time those attacks are unleashed, analysts already know a huge amount about the person on the receiving end. Based on that information, the spies will use a complicated trade-off system to automatically choose an attack from a multitiered menu of options.

"If the target is a high-value one, FoxAcid might run a rare zero-day exploit that it developed or purchased," Schneier wrote. "If the target is technically sophisticated, FoxAcid might decide that there's too much chance for discovery, and keeping the zero-day exploit a secret is more important. If the target is a low-value one, FoxAcid might run an exploit that's less valuable. If the target is low-value and technically sophisticated, FoxAcid might even run an already-known vulnerability."

The cost-benefit analysis also includes a detailed flowchart showing when to stop a successful attack. Those scenarios include when something stops working as expected, when a personal security product is detected, or "anything goes weird." The goal is to ensure the exploits always go undetected. Schneier goes on to contrast the operational secrecy with the policy of brazen surveillance that has been portrayed for more than three months on the front pages of newspapers and websites throughout the world.

"While the NSA excels at performing this cost-benefit analysis at the tactical level, it's far less competent at doing the same thing at the policy level," wrote Schneier, who analyzed technical documents that former NSA contractor Edward Snowden provided to The Guardian. "The organization seems to be good enough at assessing the risk of discovery—for example, if the target of an intelligence-gathering effort discovers that effort—but to have completely ignored the risks of those efforts becoming front-page news."