29 July 1998
Source: Richard Lardner (703) 416-8530
Government Executive
August 1998
The National Security Agency is losing ground in the fight
to keep hard-to-find cryptography experts from being lured to greener
pastures.
By Richard Lardner
Price Waterhouse didn't become a force in the consulting world by ignoring
market trends. So it was no surprise when the firm decided to expand its
information security operation. After all, the Internet has completely changed
the way business is done: Paper is out, electrons are in. But just as electronic
commerce is skyrocketing, so too are the odds that sensitive corporate
information might be tampered with as it travels through cyberspace.
With the private sector beginning to recognize that the digital door swings
both ways, there's growing demand for the "risk management" services Price
Waterhouse and other companies are offering to help keep the hackers at bay.
To snare these potential clients, the company needed to hire hundreds of
information technology professionals. Trouble is, information protection
may be a huge growth area, but the talent pool is mighty shallow.
So officials at Price Waterhouse did what many other commercial enterprises
have done, and continue to do. They targeted a group of employees at the
Defense Department's secretive National Security Agency, where thousands
of the federal government's best and brightest spend their days eavesdropping
on other countries while at the same time ensuring that U.S. information
networks are secure. Because of the highly sensitive missions the agency
performs, companies like Price Waterhouse know they are getting employees
who are extremely good at what they do and are solid citizens too; NSA is
picky about whom it hires and conducts thorough background investigations.
Price Waterhouse has refused repeated requests for comment on its hiring
tactics. However, former NSA employees confirm the company was extremely
aggressive, making handsome offers that were not refused. While the raid
generated only a small portion of the infotech professionals the company
expects to hire over the next several years, the episode underscores a growing
trend: When the business world knocks, NSA professionals are answering.
The brain drain at NSA has various causes, but money is the single biggest
factor. The agency cannot compete with the fat salaries, attractive benefits
packages and promises of speedy upward mobility the private sector is offering.
For an agency used to being on the offensive in its mission, the mounting
losses of skilled employees have put NSA in an unfamiliar position. The agency
is trying to fend off competitors with numerous recruitment programs and
initiatives, but NSA officials freely admit that it is still difficult to
get, and then keep, the people it needs. "It's a real worry," says one senior
NSA executive. "If the issue is salary, we're in a noncompetitive position."
Located between Washington and Baltimore at Fort Meade, Md.,
NSA runs the world's largest and most far-flung intelligence-gathering apparatus.
NSA's annual budget and number of employees are classified, but the Federation
of American Scientists, a Washington-based public interest group, estimates
the agency gets roughly $4 billion a year and has close to 20,000 civilian
and military employees.
NSA listens in on America's enemies and allies alike, and then sends the
decrypted "signals intelligence" (SIGINT) to the White House, Pentagon and
other top-level government customers. The agency's technological capabilities
are legendary. In his groundbreaking book on NSA, The Puzzle Palace, author
James Bamford wrote that the agency used to intercept the conversations of
Soviet leaders such as Leonid Brezhnev as they traveled around Moscow in
their limousines.
In addition to its SIGINT mission, the agency also develops the complex
mathematical codes used to protect the data that flows through the nation's
most sensitive information systems. The "football" that accompanies the President
everywhere and controls America's nuclear arsenal, for instance, is protected
from electronic intrusion by encryption systems NSA created. It is this second
responsibility that has produced serious personnel headaches for the agency.
Cryptography, the science of keeping information secret, and encryption,
the process of concealing words with numbers, are enormously complicated
disciplines. Cryptographic algorithms, or ciphers, are the formulas used
for encryption and decryption. Crafting these numerical recipes, which are
the basis for any information security system, can take years of painstaking
work. So staying ahead in the information security game demands some of the
best minds in mathematics and computer science.
In years now long gone, crypto used to be NSA's exclusive domain, so the
agency had little competition for top-notch personnel. NSA offered access
to cutting-edge technologies as well as a front-row seat to the spy world.
Code names like Gamma Gupy, Moonpenny and Venona concealed covert projects
so sensitive that few outside the agency knew of their existence. One civilian
who spent 12 years at NSA before leaving to work for a major information
security company recalls the rush of being "shot off the end of an aircraft
carrier," to perform a particular mission. "It is the greatest play box in
the world; they've got one of everything," marveled another agency veteran
now working in the IT industry.
But in the last decade particularly, the information technology revolution
has changed the way NSA operates. Software companies big and small now offer
all sorts of information security products. Demand is high, and competition
is fierce. Walk down the aisles of your favorite software store and you'll
see boxes with names like Secret Agent, Your Eyes Only, Guard Dog and Pretty
Good Privacy. The encryption genie is out of the bottle, and NSA has long
since given up trying to get it back in.
As the demand for information security products increases, so
does the need for people who are good at developing them. But recent studies
by the Commerce Department and the Information Technology Association of
America say there is a severe shortage of skilled information technology
workers. Constrained in how much it can offer in salary and benefits, NSA
is losing out more and more to the private sector.
The Commerce study, "America's New Deficit: The Shortage of Information
Technology Workers," noted that government organizations are being squeezed
out of the competition for IT talent. "While average starting salaries [in
the private sector] for graduates with bachelor's degrees in computer engineering
grew to more than $34,000 in 1995, the federal government's entry-level salary
for computer professionals with bachelor's degrees ranged from about $18,700
to $23,000 that year," the study reported.
A compensation study cited in the Commerce report said the average hourly
compensation for a private-sector software development architect in 1996
was $77.70, or $161,000 per year. An operating systems software architect
could make $85.60 an hour, or $178,000 per year. Finally, on the very upper
end, a software programming analyst manager could command $92.20 an hour,
or $192,000 annually.
According to NSA, these positions are equivalent to the agency's Computer
Scientist jobs, which pay $34,309 to $70,870.
A similar gap exists in the managerial ranks. Senior-level positions in NSA's
Information Systems Security Organization pay between $99,200 and $118,400
a year. Comparable private-sector jobs can pay roughly double that amount,
according to a 1998 compensation study by Positive Support Review, a California
consulting firm. For example, the study found that the average salary for
a chief information officer at a large company (roughly comparable to NSA's
deputy director of information systems security position) was $239,163; the
average salary for a vice president for information services at a large company
(roughly comparable to the technical director of NSA's Information Systems
Security Organization) was $184,291.
Retention is a challenge as well. NSA is cautiously optimistic
it will meet its fiscal 1998 agencywide hiring goal of 500 people; as of
mid-March, 342 people had been hired against those targets. However, maintaining
a stable workforce at the executive level is perhaps the agency's biggest
challenge. The situation is most serious within the agency's middle-management
ranks. Employees at GS-9 through GS-12, the grades from which people are
groomed for more senior positions at NSA, are frequently taking more financially
attractive positions in the private sector.
NSA, which hires only U.S. citizens, says the average full-time civilian
employee is 42 years old and has been with the agency 14 to 18 years.
To agency insiders, these numbers suggest a workforce that lacks the civilian
corporate memory the agency needs to handle its code-making and code-breaking
duties. "The days when you were hired, trained and moved up through the ranks
are probably over," says a retired NSA official who spent 30 years at the
agency. "[NSA leaders] are faced with a challenge they've never been faced
with before: There's a high risk of not getting good people in the senior
ranks."
Michael Jacobs, NSA's deputy director of information systems security, attributes
the personnel turnover in part to a change in attitudes about work in both
the public and private sectors. "When I came here, I could pretty much assure
that the people I came in with would probably be there 25 years later," says
Jacobs, who's been at NSA for 34 years. "That's just the nature of the group
that came in in the '60s. [Today, people] are far more mobile . . . and seem
to think it's all part of the nature of how they have to evolve in their
career."
The attrition problem is compounded by the fact that government downsizing
prevents the agency from replacing some departing workers, Jacobs notes.
"So you don't have the same degree of flexibility in recruiting that you
used to have," he says. "We are suffering from characteristics that are
absolutely 180 [degrees] out from the characteristics of this growth industry."
While new information technology companies are able to do as much hiring
as needed to get the job done, "we're up against this ceiling."
William Crowell, who spent more than 30 years at the agency before retiring
last September as NSA's deputy director, says the attraction of working at
the agency used to compensate for the lower wages. Jobs at NSA are still
quite compelling, he believes, but the pull of the private sector is now
greater than ever. "The entire [NSA] benefits package, with salary, isn't
bad, but it's at the median of what the really high-tech candidates would
come to expect," says Crowell, who is now vice president for product management
and strategy at Cylink, a Sunnyvale, Calif.-based infotech firm.
Changes in NSA's mission and culture are contributing to the problem as well.
NSA no longer develops all the government's crypto systems. For sensitive
but unclassified data, for example, the agency buys some encryption products
from the private sector. Mathematicians and engineers who went to the agency
to build crypto systems are now spending more time analyzing and evaluating
commercial wares. This shift has certainly led to some of the attrition.
The stronger ties to the commercial world have also increased the opportunities
for NSA employees to become aware of, and be offered, positions in the private
sector. "I think it is a big, long-term problem for the agency," says Stewart
Baker, former general counsel at NSA. "As its information security mission
becomes more closely integrated with commercial infosec efforts, its people
will be developing skills and contacts that almost guarantee some brain drain."
This overlap is less acute for the signals-intelligence side of the house,
so there's less opportunity for departure there, adds Baker, now a partner
in the Washington law firm of Steptoe and Johnson.
The federal government has taken steps to make itself more
competitive with the private sector when it comes to hiring and keeping a
quality workforce. Ironically, one of those changes has made the decision
to leave government service an easier one.
In January 1987, the Federal Employee Retirement System went into effect.
FERS (a three-tier plan consisting of Social Security, a basic annuity and
the Thrift Savings Plan) provides better benefits than its predecessor, the
Civil Service Retirement System. FERS also has another key feature: portability.
The old system encouraged a long career with a single employer. Leaving before
your scheduled retirement date meant a deferred benefit, making for a tough
choice. The portability feature of FERS, however, has made the choice far
less difficult. Now, many NSA employees can have their cake and eat it too.
In addition to the retirement plan changes, cuts in the U.S. intelligence
budget have eliminated the financial headroom the agency used to enjoy. Retired
Vice Adm. John McConnell, who served as NSA director from May 1992 through
February 1996, says he was concerned about early-out packages offered to
more senior people during his tenure at Fort Meade. The idea was to get them
to leave the agency, which presumably would save increasingly scarce dollars,
says McConnell, now a vice president with Booz-Allen & Hamilton.
The problem with that strategy is it also eliminates big chunks of NSA's
institutional knowledge. The agency's military workers cycle in and out every
few years. That makes retaining NSA's civilian employees all the more critical.
Yet once an employee reaches the agency's middle-management ranks, moving
up the ladder is dependent upon a slot becoming available, and mid-career
doldrums set in for some. At the same time, "we're seeing industry go crazy,
doing all sorts of exciting things," one agency employee says. And, while
NSA can't promise a promotion, offers from the private sector often come
with such guarantees.
In a written response to a series of questions, NSA's public affairs office
says the agency is "constantly trying to improve its recruitment process,
especially in this time of extremely fierce competition for information
technology talent." In 1996, the agency's pay for mathematics, computer science
and engineering jobs was increased "to help keep us in range of private-sector
salaries," the public affairs office says, and an "extremely generous" education
package, the Skills Enhancement Recruitment Incentive Program, provides funding
and time off for graduate-level study in mathematics and computer
science.
Despite all these initiatives and programs, NSA acknowledges
"we are finding it increasingly difficult to attract IT talent to the agency."
Crowell says the agency has been very successful in hiring mathematicians;
indeed, NSA is probably the largest employer of mathematicians in the United
States. The trouble is finding enough quality people with computer science
backgrounds. "You don't do cryptology as a single individual anymore; it's
a team effort," he says. "It requires mathematics, computer science and a
little bit of business."
Certainly money is the major factor in NSA's recruitment and retention
difficulties. But current and former NSA employees say the cloak-and-dagger
image that once attracted people to the agency is no longer as strong. A
smaller Defense budget and a greater reliance on commercial products have
created some confusion over the agency's strategic future. Certainly there
is a need for NSA, but exactly how big should it be, what systems should
it be responsible for developing and what needs can the agency rely on the
private sector to meet?
In its report on the fiscal 1999 intelligence authorization bill, the House
Permanent Select Committee on Intelligence tore into NSA, demanding "very
large changes" in NSA's culture and method of operations. At the same time
the report was published, Deputy Defense Secretary John Hamre reined in the
agency, which has traditionally enjoyed a direct line to the Defense Secretary
and chairman of the Joint Chiefs of Staff. According to a plan approved by
Hamre in late April, NSA's leadership must now go through the office of the
assistant Defense secretary for command, control, communications and intelligence
before gaining access to DoD's most senior levels.
For all these reasons, lengthy careers at NSA are no longer the rule, but
the exception. Thomas McDermott spent more than 30 years at NSA, eventually
becoming the agency's senior information security official. He retired last
year and headed to the private sector "to start a second career," he says.
He is now senior vice president for information assurance at CACI, a high-tech
company in suburban Washington.
For McDermott and many others like him, working at NSA had an attraction
that transcended money. It was about the opportunity to get deeply involved
in electronic espionage, a tremendously complex and controversial discipline.
A career there gave young engineers and mathematicians like McDermott a chance
to be exposed to cutting-edge technologies, and to learn from some of the
nation's premier encryption experts.
"You didn't go to NSA for the compensation," says McDermott. "It was about
the opportunities it would present to you."
McDermott believes that if NSA works hard and is creative enough, it can
hang on to its top people. He says the agency must continue offering a demanding
work environment and at the same time increase its level of cooperation with
the private sector.
But high-level departures aren't always completely negative, he adds. If
these people remain in the information assurance business, NSA can still
take advantage of their expertise. "They're still a resource. It may cost
the agency slightly more, but they're there," McDermott says.
There's also a school of thought that believes it is not such a good idea
to have people stay at the agency for 30 years or more. Moore's Law holds
that computing power doubles every 18 months, which means information technology
purchased just two years ago is nearly obsolete. Perhaps the same principles
apply to the IT workforce. "In fact, [NSA's leadership] may be entering an
era when it is desirable for them to have turnover . . . when people become
journeymen," a retired agency official says. "It brings new blood in, and
gets the juices flowing."
For companies looking to hire NSA personnel, however, it's buyer beware.
NSA doesn't take kindly to corporate raiders. According to a former NSA GS-14,
the agency has agreements with some information security firms that prohibit
them from overtly recruiting NSA employees. "NSA makes clear they won't do
business with you if you steal their people," he says. Price Waterhouse's
clients are overwhelmingly in the private sector, which might reduce that
company's disincentive to hire away NSA personnel.
Threats notwithstanding, as long as there is a demand for superior information
technology professionals, NSA will be viewed as a breeding ground of sorts
by the private sector. Don Latham, former assistant Defense secretary for
command, control, communications and intelligence, says NSA's situation reminds
him of the story about famed stickup artist Willie Sutton. Asked why he robbed
banks, Sutton said, "Because that's where the money is." The same could be
said of NSA, although it's not the agency's money the IT companies are after.
Richard Lardner covers national security for Inside Washington
Publishers.