The NSA’s Brain Drain Has a Silver Lining
Agency leaders should use former employees to recruit new talent and cement public-private working relationships.
For more than 60 years, the National Security Agency was the employer of choice for the country’s top cyber and tech talent. Even the Edward Snowden scandal in 2013 did little to mar the agency’s ability to hire and keep talent. In 2015, then-Director Mike Rogers could rightly boast about his agency’s under-2 percent voluntary attrition rate, better than its government and industry peers.
But by 2016, reports of a brain drain were emerging from the halls of Fort Meade. Competition with Big Tech for talent had intensified. Internal discontent over organizational tumult, bureaucratic inertia, and lagging innovation pushed the attrition rate past 6 percent. One cybersecurity executive was reportedly “stunned by the caliber of would-be recruits” leaving government service. Two years later, attrition had risen to 8 percent—even 9 percent for technical personnel—in what was described as an attritional “epidemic.”
This year, the agency more comfortable operating in the shadows launched “one of its largest hiring surges in 30 years” to confront its talent shortage. The public campaign even includes job postings on LinkedIn (where most employees don’t have accounts). NSA also awarded defense giant CACI International $2.4 billion to augment the ranks of NSA’s analysts.
A retention problem at NSA is a prima facie cause for national-security concern. But there’s a silver lining in the trends driving this exodus: they are the down payment on a stronger, more diverse, and more resilient cybersecurity ecosystem.
First, the talent exodus from NSA to the private sector reflects a development long sought by agency leaders: companies are at last ready and willing to take more responsibility for cyber defense. Those leaders have for years called upon companies to bolster their cyberdefenses and share more cybersecurity information because as much as 85 percent of critical cyber infrastructure – just as important to national security – is privately owned and operated, and therefore outside NSA’s purview. (Amazon Web Services going down, for example, would hurt the American economy more than a temporary NSANet outage.)
Now it is happening. If cybersecurity is a “team sport” as current NSA Director Gen. Paul Nakasone likes to say, then the private sector has muscled its way off the bench and into the starting lineup. Recall that FireEye alerted the NSA, and not the reverse, about the 2020 Solar Winds hack, one of the most sophisticated cyber attacks ever.
Second, the movement of cyber talent between NSA and the private sector facilitates the necessary cross-pollination of knowledge, expertise, and perspective that improves collective defense. Cyber threats to the public and private sectors have converged, and hackers in Beijing and Moscow no longer reserve their most complex tools for government networks. NSA’s growing cadre of cyberwarriors have a deep understanding of malign cyber actors’ tradecraft, tools, and capabilities, but are less knowledgeable about U.S-based activity. Private industry monitors a larger virtual attack surface area, including domestic networks, and is quicker to share information about threats, respond to incidents, and manage crises. With a healthier appreciation for each other’s capabilities, priorities, and ways of working, both NSA and the private sector can foster organizational trust and forge a more constructive relationship.
Third, the high demand for former NSA employees increases the agency’s attractiveness as an employer. People may be more likely to apply to NSA if they believed a stint at the agency would boost their career, not sentence them to a 30-year stint in government. (Look at how students flood top consulting firms and investment banks with resumes, partly attracted by the impressive career doors that open to them when they depart.) Today, the breadth and diversity of exit opportunities for both technical and non-technical NSAers is rich. Ex-agency employees populate the threat intelligence teams at Fortune 500 companies. As startup founders, they raised over $300 million in venture capital in 2021 and more than $1 billion since 2013, according to Pitchbook data. They serve in senior White House positions.
So what should the NSA do?
First, NSA leaders must reimagine the agency’s role within the broader cybersecurity ecosystem; it’s no longer the only game in town. One inspiration could be Unit 8200, NSA’s Israeli counterpart. Most of Unit 8200’s worker-bees leave the service when their conscription ends, then go on to work at, run, and start some of the world’s leading cyber companies (think Palo Alto Networks and NSO).
Second, NSA should use former employees as unofficial ambassadors for the agency and its mission to the rest of the cybersphere. They have worked on both sides of the fenceline and can build bridges between the startup world, private sector, and the powerful government science and technology workforce. They understand the agency’s DNA, but have a cross-ecosystem perspective. To be sure, NSA senior leaders have made outreach to former employees a priority. Forums like an NSA Alumni Board could institutionalize alumni engagement.
The cybersecurity paradigm has changed. A Crowdstrike analyst’s work can inform the strategic thinking of the president of the United States. Developers at Meta disrupt Russian botnets. But neither can legally burrow into the internal networks of malign cybers actors for doctrinal insights. The talent transfer has tremendous implications, both positive and negative, for America’s cyberdefense posture. A secure future in cyberspace will emerge not from siloed and competing centers of excellence, but from the fusion of public and private sector collaboration. It’s important we get it right.
Evan Rosenfield spent almost a decade in the U.S. intelligence community, serving in various operational, analytical, and policy positions in counterterrorism and cybersecurity.