11 December 2015

Inside the NSA’s hunt for hackers

http://www.politico.com/agenda/story/2015/12/federal-government-cyber-security-technology-worker-recruiting-000330

The government is losing ground in the effort to hire critical cyber talent—but our most secretive agency isn’t doing too badly.

By Darren Samuelsohn
BALTIMORE—When America’s premier federal security recruiters go fishing for new technical talent, they have plenty of lures to dangle. There’s the patriotic mission; the promise of a government salary; the thrill of working under the hood on the country’s classified cyber mechanics.
And then there’s the pile of free purple and orange pens.

At a recent job fair in this city’s cavernous convention center, the National Security Agency set up an eight-foot-long folding table and covered it with a black cloth and assorted pieces of schwag, trying to rope in coders and tech experts. “Push the limits of innovation,” read one of its posters. Brochures touted a mission producing results “that you might see on the nightly news,” like disrupting a terrorist attack, catching international drug traffickers or preventing a crippling cyberattack.
“We’re not as secret as everyone thinks,” said a woman working at the NSA table as she answered questions from the job hunters about security clearances, benefits and aptitude tests. “We do Twitter.”

She and other NSA talent scouts are working to meet one of the most vexing human resource challenges the American government currently faces: how to pull in enough coders, hackers and engineers to meet the ever growing landscape of digital threats.
The NSA is among the most aggressive agencies in government for pursuing new cyber talent, and clearly it has some pull: potential applicants stood two and sometimes three deep in Baltimore, curious about what life just might be like working for an agency central to the country’s intelligence gathering operations, and which also is still struggling to rebuild its reputation after being front and center in the Edward Snowden scandal. This is just one of the hundreds of events on college campuses and job fairs across the country where NSA recruiters compete for talent. They comb LinkedIn for résumés; there’s an “NSA Careers” app for smartphones that pumps out job postings and professionally produced videos with titles like “The Truth About The Polygraph” and “Crazy Smart,” aimed at demystifying one of the government’s most mysterious agencies. They even show up on the hacker circuit, assuring potential candidates they shouldn’t automatically assume they’re disqualified from a government job because of “indiscretions in the past.”



If that seems like a lot of legwork to fill just one kind of government job, it’s an indicator of just how urgent the need is. Beneath all the talk of cyber warfare, offensive cyber maneuvers, malware, encryption and hacking, lurks this big question: Who’s going to do the work? Fighting America’s fights on the cyber front calls for a set of skills way outside what’s normally on a government résumé, a mix of computer science, math and electrical engineering abilities to solve complex and often classified problems. In a recent report called “Cyber In-Security II,” Booz Allen and the nonprofit Partnership for Public Service warned of a “nationwide shortage of highly qualified cybersecurity experts” that hits the federal government especially hard as it tries to protect the country’s critical public and private informational technology infrastructure.

“The demand is huge,” Steven LaFountain, dean of the NSA’s College of Cyber, told me. “Industry needs them. The government needs them. Academia needs them. And right now there’s just not enough. Everyone is stealing from each other.”

The government knows it has a problem. Recent White House workforce data show that over the last two years, the U.S. actually has been losing more civilian cyber pros than it’s been able to hire. Scrambling to stem that flow, the government has started to overhaul its personnel policies in this area, jacking up salaries for potential recruits in some agencies, and creating flexibility in its famously rigid hiring bureaucracy. In the longer term, it’s actually trying to seed a new generation of potential government workers, offering NSA certifications in college curricula, and—reaching even deeper—paying for NSA/National Science Foundation summer camps for tech-minded kids as young as 12 years old.

But it’s also running into some major obstacles. One of them is obvious in the Baltimore Convention Center, where the prestigious NSA was competing with equally prestigious (and lucrative) private employers, from AT&T to Lockheed Martin, Northrop Grumman and JPMorgan Chase. Potential employees also say they’re scared off by the government’s invasive security checks, which can drag on for months with no promise of a paycheck on the other end. And those clearance reviews have only tightened after Snowden and the 2013 Washington Navy Yard shooting, two high-profile incidents that exposed the Pentagon’s weaknesses in vetting the backgrounds of its employees and contractors.


Other headwinds have slowed the government’s recruitment efforts, including a workplace culture that couldn’t be more different than the private tech world. In fact, if there’s an employer less like the cash-rich, flex-time, playful ethos of Silicon Valley than the federal bureaucracy, it’s hard to imagine what it is.

As the government searches for longer-term solutions, some lawmakers and other experts in the field are also starting to think beyond just simple recruiting and into reform of a variety of laws and other policies. There’s talk in some circles of using the cyber talent gap as a cudgel to push for comprehensive immigration reform, as well as for shifting the policy focus onto building better cybersecurity measures into the next generation of digital systems—so there won’t be such high demand in the future for so many skilled, hard-to-find tech workers. Calls are also growing for a 21st century overhaul to the civil service system itself, the Truman-era hierarchy that defines how federal employees are categorized and paid. Indeed, top Obama administration officials have even taken the unorthodox approach of telling potential workers that the experience they’d get as a federal employee would look great on a résumé—for a future private-sector job.

BEHIND THE SCRAMBLE for talent is an even bigger scramble for protection: The U.S. government is under cyberattack like never before. Last year it faced more than 67,000 intrusions into its systems, according to a Government Accountability Office tally, and spent a record $12.5 billion to defend itself online. The costs have been staggering and embarrassing: One of the largest data breaches in the country’s history has hit the Office of Personnel Management, which this fall started notifying the 21.5 million current and former federal employees and their family members that their sensitive information was stolen, and which also revealed the identities of some U.S. intelligence agents. Other recent high-profile government targets have included the IRS, the Joint Chiefs of Staff, the State Department, the U.S. Postal Service and even unclassified email accounts used by President Barack Obama and CIA Director John Brennan.

This is not the kind of problem you can solve with six weeks of training, or transferring employees from the accounting department. The people qualified to address these challenges are part of an ultra-specialized workforce; recent NSA openings listed on its website include positions to conduct forensic investigations on digital evidence and intelligence, to reverse-engineer electronic circuits, and an entry-level spot for a “digital network exploitation analyst” who can size up secret security holes and “support decision-makers at the highest levels of the U.S. government.”




The National Science Foundation and National Security Agency funded six camps to teach computer programming in 2014, including the one above in Madison, S.D. | AP Photo

The same skills, of course, are also in high demand in some of the fastest-growing and most lucrative companies in the U.S. and around the world. According to a recent analysis by Booz Allen and the Partnership for Public Service, a senior level software engineer can make upwards of $33,000 more doing her job in the private sector rather than the federal government. Entry-level salaries for the same kind of position can be as much as $14,000 higher in the private sector.

Asked if the federal government was outmatched on the cyber front by industry, California venture capitalist Steve Westly replied via email: “The short answer is, Yes! Silicon Valley companies pay top salaries and offer stock options and every imaginable type of benefit. It is hard for the federal government to compete.”

If you zoom back far enough, this is a kind of challenge the government has faced before—how to quickly fill its ranks with high-demand new talent in quantities large enough to matter for the government. After World War II, the U.S. suddenly needed vast numbers of physicians, dentists and registered nurses to work in its veterans’ hospitals.

Similarly, as the savings and loan crisis continued into the late 1980s, federal financial regulators needed to boost their horsepower with a wave of talented accountants, bankers and finance lawyers.

On the cyber front, the government’s concerns have been growing for years. At the end of the George W. Bush administration, a White House task force concluded that despite billions of dollars spent on new technologies to protect the U.S. in cyberspace, there still weren’t enough experts in the public and private sector working on the issue. A declassified summary of that report, released by Obama in 2010, called for a “pipeline of future employees,” adding: “It will take a national strategy, similar to the effort to upgrade science and mathematics education, in the 1950s.”

“This is a people-driven exercise,” said Sen. Rob Portman, an Ohio Republican and former Bush White House budget director. “If you don’t have really bright, capable young people who understand the latest technology, you can pump all kinds of money into it and you’re not going to be successful.”

As that comment suggests, it’s not just a matter of diverting an existing workforce into government service. Cybersecurity, after all, is a relatively new career path, one that remains so poorly defined that the government is still scrambling just to get an accurate count of how many people are already working in it.

And it’s one that likely won't yield easily to the traditional appeal of government jobs, like stability. The mobile, young cyber workforce might not care so much about a pension or a health insurance deductible, and they have their own ethos. The government is taking some ginger steps to acknowledge this. At the Energy Department, potential applicants are reassured they won’t be working in such secure environments that they can’t even have their cellphones at their desk. At the NSA, recruits are reminded they don’t have to work a traditional 9-to-5 day, that there are several gyms on site and that wearing a suit isn’t a requirement when coming into the office. Still, it’s not the easiest thing to hire the Instagram generation for an employer that’s still shedding its floppy disks and fax machines.

TONY SCOTT, THE U.S. chief information officer, estimates there are about 10,000 openings right now across an alphabet soup of federal agencies, bureaus and departments. So what’s the government actually trying to do to fill those slots?

To size up the U.S. efforts, I spoke with more than three dozen people trying in varying ways to tackle the tech talent gap, including senior aides in the White House, the Pentagon and other Cabinet agencies, as well as key congressional lawmakers, industry experts and the job candidates themselves. What I found was far from a consistent strategy.



At the Pentagon, the mission is by 2018 to train 6,200 cyber workers culled from active military troops, civilians and contractors, as well as another 2,000 staffers from the National Guard and reserve units. Earlier this year, military officials said they were nearly halfway to their goal.

It helps that the Defense Department has by far one of the most aggressive recruiting operations in government. It’s also won the most concessions to private-sector-like flexibility. The Army can offer retention signing bonuses of as much as $50,000 to keep enlisted, specially-trained troops working on the cyber front. It also has gotten special attention from the White House. Earlier this year, OPM gave the U.S. Cyber Command authority through 2015 to hire 3,000 civilians with some of the most specialized tech skills, like handling malware and conducting quick vulnerability analysis, at annual salaries at the top level for federal employees who are not in senior management slots (about $133,000). The annual defense law that Congress passed and President Barack Obama signed last month also gives the Pentagon more power to speed up the hiring process and pay more competitive salaries to the civilians working inside its cyber division, and it allows the military to noncompetitively turn some of its science and technology-focused student interns into full-time employees.

Defense Secretary Ash Carter earlier this year set up a satellite office in Silicon Valley and maintains ties with other big tech hubs across the country, including in Boston and around San Antonio. He said in a recent speech that he’s visited Facebook, Boeing and LinkedIn to learn “about what they’re doing to compete for talent in the 21st century.”

But the Pentagon still faces a big cultural challenge. While the military may be astute at hitting numbers and throwing personnel at a problem, those aren’t necessarily helpful techniques for the relatively small set of cyber experts who have both the skills and interest to really drill into the challenges of the field. “It’s hard to find people truly gifted and can do things with code,” said Sgt. Maj. Rodney Harris, the senior enlisted adviser for the Army’s cyber force. He added that many of the most qualified cyber experts are “not conformists” so they often fall outside the norms of what’s accepted in the military. “We drive them away,” he said.

If anyone in government sits in a unique position on the tech talent front, it appears to be the military’s main cyber intelligence outpost at NSA. The agency tarnished two years ago by Snowden’s stolen documents still lives in its own elite recruiting bubble, carrying enough of a mystique among techies that it has weathered some of the same challenges the rest of the government faces. According to the NSA, more than 100,000 résumés flood in every year, and only a small number get hired.

“I have yet to run in—knock on wood, and with my luck, this will happen tomorrow—but I have not yet run into a scenario where we didn't have the level of knowledge,” Adm. Mike Rogers, the NSA director, told the House Armed Services Committee in September.

But Rogers quickly included an important caveat in that testimony. His bench, he admitted, wasn’t very deep. “I've got to build that capacity out more so we've got more of it,” he said.

For dozens of other agencies and departments with their own explicit cybersecurity needs, hiring a solid team of first-string experts is still the challenge. Worrying about backups would be a luxury.

Some help is coming, at least for some of them. At the Department of Homeland Security, Secretary Jeh Johnson this fall got the White House’s green light to hire up to 1,000 cyber workers using a less rigorous review process normally reserved for intelligence and national security agencies.

But other agencies haven’t been so lucky when it comes to negotiating competitive salaries and retaining their best staffers. According to government data compiled by the Partnership for Public Service and shared with POLITICO, some departments are actually losing people at the very same time that the threats are mounting. Last year, for example, there were net personnel losses on the civilian cybersecurity front at the departments of Veterans Affairs (down 153 people), Interior (96), Agriculture (93), Justice (65), Transportation (43) and Energy (20). “We’re not competing,” said Bruce Andrews, the deputy secretary of Commerce, one of the few federal agencies that actually saw an uptick in 2014, with 23 more civilian cyber workers.

“There’s no way smaller agencies and departments will be able to recruit and retain the top-notch talent needed to protect themselves,” added Jim Miller, a former top Pentagon policy official who helped build the military’s cyber operations.

This is especially tough news to swallow for agencies like the IRS, which is trying to protect sensitive data on America’s taxpayers, and the State Department, where the crown jewels include personal information submitted in passport applications and diplomatic cables that were already compromised by Wikileaks.

For government cyber recruiters working outside the defense, homeland security and intelligence fields, part of the pitch is to sell each department by its own unique assignment. “People get interested in the mission of their agency no matter what it is. One of the secrets is finding…people’s passion about education or the great outdoors or better medicine or food safety,” said Scott, a long-time private-sector technology leader who did stints at Microsoft and Walt Disney Corp. before Obama tapped him in February to be the U.S. government’s chief information officer.

While the NSA has found success by advertising how its workers take part in a critical super secret mission, other agencies are going for a lower-tech approach. Michael Johnson, the Energy Department’s chief information officer, told me that he tries to sell new cyber workers on the fact they won’t face the same kinds of intense on-site security restrictions that surround people staffing the national security departments.

For much of government, the first big challenge is just figuring out what it is they’re doing now. How many cybersecurity employees do the departments even have? The White House has actually ordered up a count due later this month based off criteria established by the National Institute of Standards and Technology and the Homeland Security Department, though critics say those figures are still expected to be incomplete. Some even warn that agency leaders will fudge their numbers to take advantage of the current cyber craze, staking out new turf that can lead to bigger budgets and greater hiring authorities. “It’s like a virus,” said Doris Hausser, a former senior policy adviser in the White House Office of Personnel Management. “People will say ‘I’m that, too, and I should be covered.’”

THE STRUCTURAL FIXES to address the cyber talent gap are mostly small-ball approaches, though there are some larger and more ambitious ideas, too.

One bill from Portman and Sen. Michael Bennet (D-Colo.) would make it a law for the White House to use a common code for counting up how many cyber workers it has—that way there would be a stronger basis for the government to figure out where its needs are and also for Congress to conduct more thorough oversight of progress. Another piece of legislation aims to create a cyber-hiring capacity across the whole government that would help out some of the lesser-known agencies adrift on their own. Both bills have passed the Senate and are still waiting for action in the House.

Others are thinking bigger and advocating for a total overhaul to the government’s hiring and personnel system, which they warn is poorly suited to the kinds of careers that are most important in the 21st century workplace.

“We need a broader reform,” said Max Stier, the president and CEO of the Partnership for Public Service. He said cyber talent issues are just symptoms of broader problems with the entire government system for classifying workers, a process that has seen only a few significant updates since 1949 and doesn’t come close to reflecting the hyper-fragmented workforce that’s grown up in the decades since then.

That’s how the government has solved some of its gaps in the past. In building the post-World War II VA, for example, the government created an entirely different set of personnel laws and rules that allowed their doctors, dentists and registered nurses to be paid salaries competitive with what they could make outside government. During the savings-and-loan crisis cleanup, the Federal Reserve, Federal Deposit Insurance Corporation, National Credit Union Administration and several other offices got special hiring authority through the Financial Institutions Reform, Recovery and Enforcement Act that helped them pay competitive salaries for in-demand finance experts.

Stier’s group, along with Booz Allen, is calling for OPM to grant the entire federal government the same authority that it just gave to the Department of Homeland Security for hiring new cyber workers under a less restrictive review process. Citing unique and special circumstances, they also call on the president to invoke an obscure employment law that would let the government pay salaries beyond the current civil service structure.

On the education front, the groups call for a new cyber workforce academy “to install a common ethos” across employees already in federal agencies and, for college students who want to go into the field, the creation of a civilian Cyber Reserve Training Corps that could be modeled after the military’s ROTC program. The groups also want the government to make better use of existing internship and scholarship programs to bring award winners into full-time jobs with needy agencies.

Some of the other big-picture proposed fixes to the cybersecurity talent gap face their own monumental political challenges, including changes to the country’s immigration laws. But that’s not stopping advocates, including one lawmaker who represents many NSA workers from suburban Washington, D.C., from making the argument that comprehensive reform could ease the current shortfall of tech workers.

“We don’t have exclusivity on the smartest people in the world,” Maryland Rep. Dutch Ruppersberger, the former top Democrat on the House Intelligence Committee, told me in an interview. “We educate them at MIT and Harvard and then we have to send them back because of immigration laws. These people want to stay here. They want to use the resources to learn more, study and go into engineering. Right now we send them out. That’s got to be dealt with big time once and for all.”

NOT EVERYONE IS sold on the need for sweeping changes in how the government addresses the cyber labor market. A RAND Corp. report—“Hackers Wanted”—released last year endorsed some low-cost solutions like waiving civil service rules and refining tests to identify quality candidates, including women. But it questioned the benefits that would come with an overhaul to immigration policy and urged a more patient approach that would let the labor market forces work their will.

“Pushing too many people into the profession now could leave an overabundance of highly trained and narrowly skilled individuals who could better be serving national needs in other vocations,” the RAND report said.

Despite the abundance of academic research and internal government efforts to address the cyber talent gap, it’s still not widely discussed on Capitol Hill as one of the country’s biggest problems. During the Senate’s recent floor effort on a major cybersecurity bill, the only significant amendment addressing the issue came from Portman and Bennet.

“I never heard that that was a problem for anybody,” Sen. Dianne Feinstein said when I asked about the federal cyber workforce being lured by better private-sector salaries.

After a staffer walking alongside us affirmed that I was correct in the premise of my question, the California Democrat who serves as vice chair of the Intelligence Committee recalibrated her response.

“It’s a whole big new world,” she told me. “And it’s much bigger than I think I can even grasp at this stage.”

SO, WHO IS the government managing to pull in? For all the energy it’s sinking into the hunt, the Baltimore cyber job fair gives a sense of the challenges. About 300 people came eager to learn more about their employment prospects. There was a Navy seaman whose interest in computer security started after his identity got stolen; there was a Maryland natural resources police officer fretting his past financial troubles would hurt his chances of getting a security clearance. One high school senior enrolled in college classes said he spends his free time online “trying different things and seeing what my limits are.”

Many of the potential applicants told me they were eager to break into the cybersecurity industry and weren’t worried about the pay inequity that came with joining the government—at least not now.

Joshua Romme, a 32-year-old former sous chef who had switched career paths and is now a cybersecurity student at the University of Maryland University College, said he wasn’t being pulled toward a government job for patriotic reasons. “I’m still doing it for my own reasons and my own career growth,” he said. “Ten years down the road I’ll probably be a lot more choosy about where I want to work and what I can get as a salary.”

Last month, Romme emailed to tell me he got two nibbles from the job fair. Both were from the government. One was from an Army intelligence and cybersecurity outpost. The other was from the NSA.
