State Insecurity: Why Are Top NSA Personnel Leaving in Droves?

US intelligence bodies haven’t particularly enjoyed their time in the spotlight these last few years. The National Security Agency, or NSA, occupies a particularly complicated and frustrating place in the collective unconscious: It’s an institution we must trust with our wellbeing on a daily basis, but it is also fundamentally unaccountable and untrustworthy. When was the last time you voted for an NSA director?

Beginning with the Edward Snowden leaks in summer 2013, we’ve watched this formerly hidden bureaucratic appendage grow more and more visible to the public — and what we’ve seen isn’t encouraging. We now know that the NSA regularly colludes with domestic internet service providers and spies indiscriminately on the heads of foreign governments, usually without justification. We also know that low morale within the agency has resulted in the leak of sensitive state secrets. Some of those secrets involve the way the NSA holds basic freedoms like privacy in contempt.

So it might feel like schadenfreude to watch this feared and reviled agency fall into disarray over the past half decade. But the truth is that the NSA still serves a vital purpose, now more than ever, yet it is barely any longer able to do its job (ie. monitoring malign foreign actors, anticipating the future moves of national governments, and keeping America’s intel safe from prying eyes). The latest crisis: the NSA’s hemorrhaging of talent.

Hey, Where’s Everyone Going?

Of the country’s 17 intelligence-gathering apparatuses, the NSA is the most prolific. The agency’s headquarters, located in Fort Meade, Md., staffs some 21,000 individuals. But their heavy workload is now imperiled by a chronic flight of talent from the agency, described from within as an “epidemic”. It’s hard to know exactly how bad of a situation we’re talking about because, of course, the NSA won’t tell us details. But we do have some rough numbers:

• The NSA’s current attrition rate for science, math and technology specialists is 5.6 percent.

• The attrition rate for hackers and cyberattack specialists is as high as 9 percent.

• And some teams within the NSA have lost as much as half their staff.

Interestingly, between 2016 and 2017, the agency made the conspicuous decision to remove all references to “openness,” “honor” and “trust” from its core values and mission statements. Which begs the question: Is it any wonder nobody wants to work there?

The fact is, it’s not the quantity of lost talent that may be most worrisome, but the quality of that talent. The folks now leaving the NSA are extremely knowledgeable veterans. And while the agency can successfully fill those positions, new hires won’t have the same quality of background and experience.

A factor in the NSA’s deterioration appears to be its general mismanagement, including unpopular philosophies concerning how best to “reorganize” the agency. In 2016, NSA director Michael S. Rogers set about rethinking some of the “walls of granite” between the independent offices within the NSA. Rogers called it among the NSA’s most “comprehensive” restructuring moves since the 1990s.

It sounded great on paper, but even during the Obama administration, Rogers’ recommendations were met with hostility by Pentagon and other intelligence officials. They said the restructuring wasn’t so much a reduction of redundancy but, in fact, the creation of separate chains of command. This may represent a worsening of, rather than a solution for, the NSA’s ongoing identity crisis as physical threats continue to mesh with digital ones.

The NSA’s Talent Shortage Isn’t the Only One

In a broader sense, we’re in the middle of a very real cybersecurity gap across both the private and public spheres. The NSA may have had a run of bad luck lately — a great deal of which, most people might agree, it deserves — but the truth is that our country, across the board, appears woefully unprepared for the emerging reality of cyber threats.

Michael Brengs, CRO of the identity and security management company Optimal IdM, spoke at length with on the subject. “A recent survey shows that nearly 70 percent of cybersecurity professionals claimed their organization was impacted by the cybersecurity skills shortage,” Brengs said. “The ISACA, a non-profit information security advocacy group, predicts there will be a global shortage of 2 million cybersecurity professionals by 2019. And for every 10 cybersecurity job ads that appear on the career site, only seven people even click on one of the ads, let alone apply.”

“One of the areas where the cybersecurity skills gap is the greatest is in the field of identity and access management (IAM),” he continued. “This is the ability of your system to make sure every person who accesses the network at any time is an authorized and identifiable user and restricting each person’s level of access to exactly the amount the company allows them to have. Overcoming the IAM skills gap is a huge challenge for organizations, especially when the identity infrastructure is architected, maintained and supported by a few internal employees. Any one of these individuals leaving the organization can put that infrastructure at great risk.”

It has always been tempting to believe that there is a clear firewall between government and private enterprise. But situations like this help reveal just how entwined all of our fates really are. Identity and access management are complex topics that the average voter might be tempted to ignore. But security within privately owned companies is hardly the only thing at stake.

Experts have warned for years that the slow death of traceable paper ballots, combined with ever-more-vulnerable electronic voting machines, means the democratic process itself is on the line. Other estimates are less dire, but it’s clear we don’t yet fully understand this new threat landscape.

Depending whom you ask, American elections are either unhackable or extremely hackable. Perhaps nobody actually knows. But given the degree to which technology has pervaded our social lives, commerce and politics, it’s clear we don’t need fewer cybersecurity thought-leaders in government — we need far more.