29 July 1998
Source: Richard Lardner (703) 416-8530
The National Security Agency is losing ground in the fight
to keep hard-to-find cryptography experts from being lured to greener
By Richard Lardner
Price Waterhouse didn't become a force in the consulting world by ignoring market trends. So it was no surprise when the firm decided to expand its information security operation. After all, the Internet has completely changed the way business is done: Paper is out, electrons are in. But just as electronic commerce is skyrocketing, so too are the odds that sensitive corporate information might be tampered with as it travels through cyberspace.
With the private sector beginning to recognize that the digital door swings both ways, there's growing demand for the "risk management" services Price Waterhouse and other companies are offering to help keep the hackers at bay. To snare these potential clients, the company needed to hire hundreds of information technology professionals. Trouble is, information protection may be a huge growth area, but the talent pool is mighty shallow.
So officials at Price Waterhouse did what many other commercial enterprises have done, and continue to do. They targeted a group of employees at the Defense Department's secretive National Security Agency, where thousands of the federal government's best and brightest spend their days eavesdropping on other countries while at the same time ensuring that U.S. information networks are secure. Because of the highly sensitive missions the agency performs, companies like Price Waterhouse know they are getting employees who are extremely good at what they do and are solid citizens too-NSA is picky about whom it hires and conducts thorough background investigations.
Price Waterhouse has refused repeated requests for comment on its hiring tactics. However, former NSA employees confirm the company was extremely aggressive, making handsome offers that were not refused. While the raid generated only a small portion of the infotech professionals the company expects to hire over the next several years, the episode underscores a growing trend: When the business world knocks, NSA professionals are answering.
The brain drain at NSA has various causes, but money is the single biggest factor. The agency cannot compete with the fat salaries, attractive benefits packages and promises of speedy upward mobility the private sector is offering.
For an agency used to being on the offensive in its mission, the mounting losses of skilled employees have put NSA in an unfamiliar position. The agency is trying to fend off competitors with numerous recruitment programs and initiatives, but NSA officials freely admit that it is still difficult to get, and then keep, the people it needs. "It's a real worry," says one senior NSA executive. "If the issue is salary, we're in a noncompetitive position."
Located between Washington and Baltimore at Fort Meade, Md.,
NSA runs the world's largest and most far-flung intelligence-gathering apparatus.
NSA's annual budget and number of employees are classified, but the Federation
of American Scientists, a Washington-based public interest group, estimates
the agency gets roughly $4 billion a year and has close to 20,000 civilian
and military employees.
NSA listens in on America's enemies and allies alike, and then sends the decrypted "signals intelligence" (SIGINT) to the White House, Pentagon and other top-level government customers. The agency's technological capabilities are legendary. In his groundbreaking book on NSA, The Puzzle Palace, author James Bamford wrote that the agency used to intercept the conversations of Soviet leaders such as Leonid Brezhnev as they traveled around Moscow in their limousines.
In addition to its SIGINT mission, the agency also develops the complex mathematical codes used to protect the data that flows through the nation's most sensitive information systems. The "football" that accompanies the President everywhere and controls America's nuclear arsenal, for instance, is protected from electronic intrusion by encryption systems NSA created. It is this second responsibility that has produced serious personnel headaches for the agency.
Cryptography, the science of keeping information secret, and encryption, the process of concealing words with numbers, are enormously complicated disciplines. Cryptographic algorithms, or ciphers, are the formulas used for encryption and decryption. Crafting these numerical recipes, which are the basis for any information security system, can take years of painstaking work. So staying ahead in the information security game demands some of the best minds in mathematics and computer science.
In years now long gone, crypto used to be NSA's exclusive domain, so the agency had little competition for top-notch personnel. NSA offered access to cutting-edge technologies as well as a front-row seat to the spy world. Code names like Gamma Gupy, Moonpenny and Venona concealed covert projects so sensitive that few outside the agency knew of their existence. One civilian who spent 12 years at NSA before leaving to work for a major information security company recalls the rush of being "shot off the end of an aircraft carrier," to perform a particular mission. "It is the greatest play box in the world; they've got one of everything," marveled another agency veteran now working in the IT industry.
But in the last decade particularly, the information technology revolution has changed the way NSA operates. Software companies big and small now offer all sorts of information security products. Demand is high, and competition is fierce. Walk down the aisles of your favorite software store and you'll see boxes with names like Secret Agent, Your Eyes Only, Guard Dog and Pretty Good Privacy. The encryption genie is out of the bottle, and NSA has long since given up trying to get it back in.
As the demand for information security products increases, so
does the need for people who are good at developing them. But recent studies
by the Commerce Department and the Information Technology Association of
America say there is a severe shortage of skilled information technology
workers. Constrained in how much it can offer in salary and benefits, NSA
is losing out more and more to the private sector.
The Commerce study, "America's New Deficit: The Shortage of Information Technology Workers," noted that government organizations are being squeezed out of the competition for IT talent. "While average starting salaries [in the private sector] for graduates with bachelor's degrees in computer engineering grew to more than $34,000 in 1995, the federal government's entry-level salary for computer professionals with bachelor's degrees ranged from about $18,700 to $23,000 that year," the study reported.
A compensation study cited in the Commerce report said the average hourly compensation for a private-sector software development architect in 1996 was $77.70, or $161,000 per year. An operating systems software architect could make $85.60 an hour, or $178,000 per year. Finally, on the very upper end, a software programming analyst manager could command $92.20 an hour, or $192,000 annually.
According to NSA, these positions are equivalent to the agency's Computer Scientist jobs, which pay $34,309 to $70,870.
A similar gap exists in the managerial ranks. Senior-level positions in NSA's Information Systems Security Organization pay between $99,200 and $118,400 a year. Comparable private-sector jobs can pay roughly double that amount, according to a 1998 compensation study by Positive Support Review, a California consulting firm. For example, the study found that the average salary for a chief information officer at a large company (roughly comparable to NSA's deputy director of information systems security position) was $239,163; the average salary for a vice president for information services at a large company (roughly comparable to the technical director of NSA's Information Systems Security Organization) was $184,291.
Retention is a challenge as well. NSA is cautiously optimistic
it will meet its fiscal 1998 agencywide hiring goal of 500 people; as of
mid-March, 342 people had been hired against those targets. However, maintaining
a stable workforce at the executive level is perhaps the agency's biggest
challenge. The situation is most serious within the agency's middle-management
ranks. Employees at GS-9 through GS-12, the grades from which people are
groomed for more senior positions at NSA, are frequently taking more financially
attractive positions in the private sector.
NSA, which hires only U.S. citizens, says the average age of a full-time civilian employee is 42 years and has been with the agency 14 to 18 years. To agency insiders, these numbers suggest a workforce that lacks the civilian corporate memory the agency needs to handle its code-making and code-breaking duties. "The days when you were hired, trained and moved up through the ranks are probably over," says a retired NSA official who spent 30 years at the agency. "[NSA leaders] are faced with a challenge they've never been faced with before: There's a high risk of not getting good people in the senior ranks."
Michael Jacobs, NSA's deputy director of information systems security, attributes the personnel turnover in part to a change in attitudes about work in both the public and private sectors. "When I came here, I could pretty much assure that the people I came in with would probably be there 25 years later," says Jacobs, who's been at NSA for 34 years. "That's just the nature of the group that came in in the '60s. [Today, people] are far more mobile . . . and seem to think it's all part of the nature of how they have to evolve in their career.
The attrition problem is compounded by the fact that government downsizing prevents the agency from replacing some departing workers, Jacobs notes. "So you don't have the same degree of flexibility in recruiting that you used to have," he says. "We are suffering from characteristics that are absolutely 180 [degrees] out from the characteristics of this growth industry." While new information technology companies are able to do as much hiring as needed to get the job done, "we're up against this ceiling."
William Crowell, who spent more than 30 years at the agency before retiring last September as NSA's deputy director, says the attraction of working at the agency used to compensate for the lower wages. Jobs at NSA are still quite compelling, he believes, but the pull of the private sector is now greater than ever. "The entire [NSA] benefits package, with salary, isn't bad, but it's at the median of what the really high-tech candidates would come to expect," says Crowell, who is now vice president for product management and strategy at Cylink, a Sunnyvale, Calif.-based infotech firm.
Changes in NSA's mission and culture are contributing to the problem as well. NSA no longer develops all the government's crypto systems. For sensitive but unclassified data, for example, the agency buys some encryption products from the private sector. Mathematicians and engineers who went to the agency to build crypto systems are now spending more time analyzing and evaluating commercial wares. This shift has certainly led to some of the attrition.
The stronger ties to the commercial world have also increased the opportunities for NSA employees to become aware of, and be offered, positions in the private sector. "I think it is a big, long-term problem for the agency," says Stewart Baker, former general counsel at NSA. "As its information security mission becomes more closely integrated with commercial infosec efforts, its people will be developing skills and contacts that almost guarantee some brain drain." This overlap is less acute for the signals-intelligence side of the house, so there's less opportunity for departure there, adds Baker, now a partner in the Washington law firm of Steptoe and Johnson.
The federal government has taken steps to make itself more
competitive with the private sector when it comes to hiring and keeping a
quality workforce. Ironically, one of those changes has made the decision
to leave government service an easier one.
In January 1987, the Federal Employee Retirement System went into effect. FERS-a three-tier plan consisting of Social Security, a basic annuity and the Thrift Savings Plan-provides better benefits than its predecessor, the Civil Service Retirement System. FERS also has another key feature: portability. The old system encouraged a long career with a single employer. Leaving before your scheduled retirement date meant a deferred benefit, making for a tough choice. The portability feature of FERS, however, has made the choice far less difficult. Now, many NSA employees can have their cake and eat it too.
In addition to the retirement plan changes, cuts in the U.S. intelligence budget have eliminated the financial headroom the agency used to enjoy. Retired Vice Adm. John McConnell, who served as NSA director from May 1992 through February 1996, says he was concerned about early-out packages offered to more senior people during his tenure at Fort Meade. The idea was to get them to leave the agency, which presumably would save increasingly scarce dollars, says McConnell, now a vice president with Booz-Allen & Hamilton.
The problem with that strategy is it also eliminates big chunks of NSA's institutional knowledge. The agency's military workers cycle in and out every few years. That makes retaining NSA's civilian employees all the more critical.
Yet once an employee reaches the agency's middle-management ranks, moving up the ladder is dependent upon a slot becoming available, and mid-career doldrums set in for some. At the same time, "we're seeing industry go crazy, doing all sorts of exciting things," one agency employee says. And, while NSA can't promise a promotion, offers from the private sector often come with such guarantees.
In a written response to a series of questions, NSA's public affairs office says the agency is "constantly trying to improve its recruitment process, especially in this time of extremely fierce competition for information technology talent." In 1996, the agency's pay for mathematics, computer science and engineering jobs was increased "to help keep us in range of private-sector salaries," the public affairs office says, and an "extremely generous" education package, the Skills Enhancement Recruitment Incentive Program, provides funding and time off for graduate-level study in mathematics and computer science.
Despite all these initiatives and programs, NSA acknowledges
"we are finding it increasingly difficult to attract IT talent to the agency."
Crowell says the agency has been very successful in hiring mathematicians;
indeed, NSA is probably the largest employer of mathematicians in the United
States. The trouble is finding enough quality people with computer science
backgrounds. "You don't do cryptology as a single individual anymore; it's
a team effort," he says. "It requires mathematics, computer science and a
little bit of business."
Certainly money is the major factor in NSA's recruitment and retention difficulties. But current and former NSA employees say the cloak-and-dagger image that once attracted people to the agency is no longer as strong. A smaller Defense budget and a greater reliance on commercial products have created some confusion over the agency's strategic future. Certainly there is a need for NSA, but exactly how big should it be, what systems should it be responsible for developing and what needs can the agency rely on the private sector to meet?
In its report on the fiscal 1999 intelligence authorization bill, the House Permanent Select Committee on Intelligence tore into NSA, demanding "very large changes" in NSA's culture and method of operations. At the same time the report was published, Deputy Defense Secretary John Hamre reined in the agency, which has traditionally enjoyed a direct line to the Defense Secretary and chairman of the Joint Chiefs of Staff. According to a plan approved by Hamre in late April, NSA's leadership must now go through the office of the assistant Defense secretary for command, control, communications and intelligence before gaining access to DoD's most senior levels.
For all these reasons, lengthy careers at NSA are no longer the rule, but the exception. Thomas McDermott spent more than 30 years at NSA, eventually becoming the agency's senior information security official. He retired last year and headed to the private sector "to start a second career," he says. He is now senior vice president for information assurance at CACI, a high-tech company in suburban Washington.
For McDermott and many others like him, working at NSA had an attraction that transcended money. It was about the opportunity to get deeply involved in electronic espionage, a tremendously complex and controversial discipline. A career there gave young engineers and mathematicians like McDermott a chance to be exposed to cutting-edge technologies, and to learn from some of the nation's premier encryption experts.
"You didn't go to NSA for the compensation," says McDermott. "It was about the opportunities it would present to you."
McDermott believes that if NSA works hard and is creative enough, it can hang on to its top people. He says the agency must continue offering a demanding work environment and at the same time increase its level of cooperation with the private sector.
But high-level departures aren't always completely negative, he adds. If these people remain in the information assurance business, NSA can still take advantage of their expertise. "They're still a resource. It may cost the agency slightly more, but they're there," McDermott says.
There's also a school of thought that believes it is not such a good idea to have people stay at the agency for 30 years or more. Moore's Law holds that computing power doubles every 18 months, which means information technology purchased just two years ago is nearly obsolete. Perhaps the same principles apply to the IT workforce. "In fact, [NSA's leadership] may be entering an era when it is desirable for them to have turnover . . . when people become journeymen," a retired agency official says. "It brings new blood in, and gets the juices flowing."
For companies looking to hire NSA personnel, however, it's buyer beware. NSA doesn't take kindly to corporate raiders. According to a former NSA GS-14, the agency has agreements with some information security firms that prohibit them from overtly recruiting NSA employees. "NSA makes clear they won't do business with you if you steal their people," he says. Price Waterhouse's clients are overwhelmingly in the private sector, which might reduce that company's disincentive to hire away NSA personnel.
Threats notwithstanding, as long as there is a demand for superior information technology professionals, NSA will be viewed as a breeding ground of sorts by the private sector. Don Latham, former assistant Defense secretary for command, control, communications and intelligence, says NSA's situation reminds him of the story about famed stickup artist Willie Sutton. Asked why he robbed banks, Sutton said "Because that's where the money is." The same could be said of NSA, although it's not the agency's money the IT companies are after.
Richard Lardner covers national security for Inside Washington Publishers.