
They also historically have extremely deep access to networks, and even if a given corp doesn't allow them to put a box inside the corp's own network, they control / have access to many or all of the links between most corps' datacenters.

From this privileged network position, if both sides support weaker crypto that NSA lobbied for, they can MitM the initial connection and omit the hybrid methods from the client's TLS ClientHello, and then client/server proceed to negotiate into a cipher that NSA prefers.



Pretty sure this isn't possible?? There must be some way to use a hash of the clientHello later in the key exchange process to make sure the connection fails if the hello is tampered with...?


Yeah, the ClientHello message(s) are already part of the transcript signed by the server (and the client in mTLS) during the handshake
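The transcript binding described in the reply above, worked through as an added example (this is not code from the thread or from any TLS library). It models the TLS 1.3 construction: both endpoints hash every handshake message they saw, and the server's Finished value is an HMAC over that transcript hash (RFC 8446, section 4.4.4; CertificateVerify signs the same transcript). The group names, the message encoding and the fixed shared secret are constructed stand-ins; the shared secret is held constant on purpose, because an on-path attacker who only strips the hybrid group leaves the classical key share intact, so the isolating question is whether the transcript alone catches the edit.

```python
import hashlib
import hmac
import json

# Constructed group names; real TLS codepoints differ, the mechanism does not.
HYBRID = "x25519mlkem768"
CLASSICAL = "x25519"

# Constructed stand-in for the (EC)DH shared secret. With the classical key
# share left untouched, both honest endpoints derive the same secret; only
# their views of the transcript differ.
SHARED_SECRET = b"constructed-shared-secret-for-demo"


def encode_client_hello(groups):
    """Serialize a minimal ClientHello carrying only the supported_groups list."""
    return json.dumps({"msg": "ClientHello", "groups": groups}).encode()


def encode_server_hello(selected_group):
    """Serialize a minimal ServerHello naming the chosen group."""
    return json.dumps({"msg": "ServerHello", "group": selected_group}).encode()


def transcript_hash(messages):
    """Transcript-Hash(M1 || M2 || ...) over the handshake messages, simplified."""
    h = hashlib.sha256()
    for m in messages:
        h.update(m)
    return h.digest()


def finished_key(shared_secret):
    """Stand-in for HKDF-Expand-Label; real TLS runs the full key schedule."""
    return hmac.new(shared_secret, b"finished", hashlib.sha256).digest()


def finished_mac(shared_secret, th):
    """Finished.verify_data = HMAC(finished_key, Transcript-Hash)."""
    return hmac.new(finished_key(shared_secret), th, hashlib.sha256).digest()


def server_respond(client_hello_as_received):
    """Server picks the first mutually supported group and commits to the
    transcript exactly as it arrived on the wire."""
    hello = json.loads(client_hello_as_received)
    server_supported = [HYBRID, CLASSICAL]
    selected = next(g for g in server_supported if g in hello["groups"])
    server_hello = encode_server_hello(selected)
    th = transcript_hash([client_hello_as_received, server_hello])
    return server_hello, finished_mac(SHARED_SECRET, th)


def strip_hybrid(client_hello_bytes):
    """Models the on-path edit from the thread: drop the hybrid group from the offer."""
    hello = json.loads(client_hello_bytes)
    hello["groups"] = [g for g in hello["groups"] if g != HYBRID]
    return json.dumps(hello).encode()


def run_handshake(tamper=None):
    """Run one handshake; returns (group the server selected, client accepts?)."""
    client_hello = encode_client_hello([HYBRID, CLASSICAL])
    on_the_wire = tamper(client_hello) if tamper else client_hello
    server_hello, server_finished = server_respond(on_the_wire)
    # The client checks Finished against the ClientHello it actually sent,
    # not against whatever the server received.
    expected = finished_mac(SHARED_SECRET, transcript_hash([client_hello, server_hello]))
    accepts = hmac.compare_digest(expected, server_finished)
    return json.loads(server_hello)["group"], accepts


if __name__ == "__main__":
    print("honest path:", run_handshake())
    print("hybrid stripped:", run_handshake(tamper=strip_hybrid))
```

In the tampered run the server does select the weaker group, but its Finished is computed over a ClientHello the client never sent, so the client's verification fails and the connection is torn down rather than silently downgraded. The detection point for a defender is exactly that mismatch: a spike in handshake failures at Finished or CertificateVerify verification, rather than a quiet drift in negotiated groups.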



