The Pentagon can vie with industry for cybersecurity researchers by letting the scientists return to the private sector after a few years in government, the Defense Advanced Research Projects Agency chief said in a novel suggestion for retaining talent from a narrow pool.
Contractors and agencies are seemingly desperate for reformed hackers, academics and other computer security whizzes to defend government networks from constantly morphing threats. Typically, the private sector lures computer scientists by paying a premium and letting them tinker with new gadgets and gizmos. The National Security Agency, the military's cyberespionage force, wants more liberty to offer salary increases and promotions for retention. DARPA, meanwhile, says its own workforce is rebooted every three to five years to keep up with technological advances.
"The shelf life of cyber capabilities is short. We might even posit that the shelf life of cyber skills is relativity short," DARPA acting Director Kaigham J. Gabriel told lawmakers late Tuesday afternoon. The Defense Department may want to preserve a core of professionals, "but in fact perhaps we should just plan on building a model where there will be a significant refresh of folks."
He also offered the somewhat paradoxical advice of dropping education requirements for researcher job eligibility. "This is a community where the traditional metrics of master's degree or a Ph.D. may not be as important," Gabriel said at a Senate Armed Services Emerging Threats and Capabilities Subcommittee hearing. Many of DARPA's cybersecurity program managers do not have doctorates, he said.
"Their skills, their capabilities, their insights are coming from the practice in the community, and frankly, it will have a shelf life," Gabriel said. "They'll go through the three to five years, and they'll move on, and others will come in with a newer, different perspective."
Gabriel noted that DARPA program managers, office directors and even department directors stay for the same time period. "That is the pace at which we believe you need to bring in the talent, to bring in the perspective and the sense of urgency."
Former DARPA Director Regina Dugan departed for a position at Google earlier this month.
NSA Research and Development Director Michael A. Wertheimer told lawmakers he needs greater latitude to promote and pay computer scientists to keep them at his agency.
"The average time and grade is 12 years to your first promotion, 12 years to your second promotion," he said. "You can't walk in and tell them, 'You're going to wait six years if you're good, 12 years if you're average.' "
NSA hires computer scientists with doctorates for $90,000 a year, while equivalent professionals in the private sector net between $75,000 and $124,000, Wertheimer said. In industry, the average salary increase is 4 percent annually, but NSA experts currently are under pay freeze, he said.
The high resignation rate among cybersecurity researchers demonstrates their frustration, Wertheimer said: "If you look at attrition across the National Security Agency, 44 percent who attrit are resigning, as opposed to retiring. In computer science, it's 70 percent" who are leaving before retirement age.
Wertheimer added, "Every one of them says to me on an exit interview, 'It's less about the money. It's the sense that I simply cannot advance in my organization.' "
Government cybersecurity contractors interviewed Tuesday night said the bureaucracy of government turns off skilled experts accustomed to academic freedom and higher productivity.
"If there's no innovation, they don't want to stay around in that place," said one member of the Information Systems Security Association National Capital Chapter who wished to remain anonymous for professional reasons. The chapter primarily consists of federal personnel and contractors. "I would like to go to the government, but with what I'm seeing as a contractor, why would I want to do that?"
Some of the entrenched leaders in government lack technical skills and, due to most procurement schedules, projects can drag on for years, the contractors said. "If they start working for the government they get demoralized," another member said.
One Pentagon contractor said, "the federal service rewards people who are risk avoidant," but observed that returning troops joining federal agencies are shaking up that culture with a "can-do" attitude.