Having offensive capabilities and actually utilizing such capabilities are two different things. You can acknowledge the need for the former alongside the dangers of the latter, just as you would with any standing military.
> Having offensive capabilities and actually utilizing such capabilities are two different things. You can acknowledge the need for the former alongside the dangers of the latter, just as you would with any standing military.
In information warfare, waiting until conflict begins is too late. The information you collect and systems you exploit prepare you for the conflict.
For example, Country A wants to know about Country B's new bomber years ahead of the conflict so they can design anti-aircraft defenses to stop it. Country B spends years gaining access to Country A's routers, servers, etc. so they can utilize them the moment conflict begins.
If you wait for conflict to begin to do these things, you will be much too late.
This is very true, but that still leaves a significant gap between what you're talking about (military/strategic intelligence enabled by network operations) and an actual military campaign conducted against adversary networks.
Both may well need similar capabilities but we can't tell the ability of an agency to engage in "cyberwar" just from their activities in "cyber espionage".
I don't really see how that fits into this scenario. Computer security is more like chemical warfare, where you can either do research or try to make everyone more secure by international treaties. Here you can either undermine encryption, infiltrate networks, keep exploits to yourself or you can make everyone secure by patches, standards and encryption that works.
> undermine encryption, infiltrate networks, keep exploits to yourself
This is really the MO of any intelligence agency; that is their job.
> you can make everyone secure by patches, standards and encryption that works
Interesting statement, because it shows some things. Firstly, there is a difference in incentives -- why publish a vulnerability when it could be used to further your mandate? For the specific case of NSA though, that also ignores their broader role in securing federal communications (e.g., vetting SHA, AES, FIPS, etc.). Of course, there are always exceptions (DES, Dual-EC-DRBG, etc.) -- but in a way, that precisely illustrates why we have intelligence agencies in the first place: trust no one.
There is a clear need for defense. But because of a lack of oversight, NSA has overstepped its bounds in both foreign and domestic spheres.
The other side of this argument, one made cogently by Snowden, is that we simply have more to lose by escalating the cyberwar.