NSA Hacker Chief Explains How to Keep Him Out of Your System (2016) (wired.com)
48 points by joshagilend on Feb 23, 2024 | 11 comments


On one hand it's nice to see more defensive posture from the NSA, some focus defending our nation's systems. But it's basically a humblebrag - the advice is "You must be perfect 100% of the time. Even a transient slip-up will be taken advantage of."

At that point, I'm less interested in how to keep the NSA out, and more interested in whether anyone, anywhere on the globe, has ever managed to keep the NSA out after becoming a high-priority target. My guess is the NSA has never been stymied for long, even by air-gapped networks like Natanz.


At a product level, yes. The Common Criteria SKPP certification process explicitly required the operating system under evaluation to be impervious to the NSA penetration testers evaluating the system with full access to the source code and formal specification [1]. You can see the specific requirement I am mentioning on page 117.

This certification process was successfully completed for the INTEGRITY-178B operating system before the NSA allowed its use in the critical flight and weapon systems of the networked F-22 and F-35 fighter jets.

This is the same operating system in use on modern F-16, B1-B and B2 intercontinental nuclear bombers, Boeing 787 and Airbus A380.

As to the question of commercial IT systems. Haha, not a chance in hell. Every Fortune 500 company, yes the tech companies included, is on the order of 1 M$ for complete compromise. You need to add another two or three zeroes to actually present a credible roadblock.

[1] https://www.niap-ccevs.org/MMO/PP/pp_skpp_hr_v1.03.pdf#page1...


I agree with your guess. High value targets presumably have real effort put into penetration at which point for most of us (single people, rather than megacorps or large countries) it's game over.

It is literally impossible for me to not trust thousands of others as components of my basic security foundation. My only hope is that it's good enough to keep my data safe from common crooks and gossipy neighbors.



So why is this criminal still not in jail, with international arrest records all over? He admitted several of his crimes publicly.

Double standards.


Because, if you kill one man, you are a criminal, if you kill 100 (change it as you see fit), you are a hero. You're welcome.


I honestly don't understand what you mean. NSA does everything it does legally, because it's a governmental organisation created to do specifically the thing it does. Yes, you can't do the things NSA does, just like soldiers can carry heavy weapons and you can't. You can argue what they do is immoral, but it almost certainly is legal.


Ah, government officials are supposed to be above the law. That was until the American revolution abandoned that.


Follow our detailed guides where we generate best practice documents & detail what to do & what not to. (They really are good & helpful, yay peer reviewed documents.)


Will do, your about is kinda interesting, didn't see it like that


(2016)



