The National Security Agency hires IT staff like crazy. So do associated contractors such as Booz Allen Hamilton and General Dynamics, to whom the government agency frequently outsources tech-oriented jobs. Working for the federal government or a defense contractor might be patriotic and offer techies a bit of Homeland-style buzz, but the pay scales are worse than in the private sector. In addition, notoriously independent-minded geeks can be put off by the highly bureaucratic and comparatively innovation-hampering government workplace. Still, as the ongoing NSA leaks scandal is showing us, the government has a lot of IT geeks ... and they're the people you want to piss off the least.
So what does an NSA (or a related contractor) cyberspy employee do all day? Finding out doesn't require filing Freedom of Information Act (FOIA) requests or endless eavesdropping in Washington-area coffee shops. You just have to look at online classified ads.
On May 22, right around the time that NSA whistleblower Edward Snowden disappeared into hiding from Hawaii, his employer Booz Allen Hamilton posted a help-wanted ad for an Information Security Engineer. The qualifications match up to the projects Snowden claims he was working on.
For the position, employees are required to “Support a client's information assurance (IA) program manager to provide effective IA development, implementation, operation, maintenance, and modification to meet Defense Department and Department of Navy IA requirements in support of major communication systems. (They) assist IAM to research, analyze, implement, accredit, manage risk, and maintain detailed IA policies, plans, and programs. (They) work with the IT system owners to coordinate with command security requirements and provide systems engineering to support the certification and accreditation (C&A) manager.”
Alongside Top Secret clearance and certifications, applicants are required to have four years of experience in network engineering or information assurance and three years of experience with DIACAP (the Pentagon's information assurance certification process).
As mentioned earlier, the NSA has problems recruiting quality cyberspies. This is one reason why the agency offers paid network exploitation analyst internships designed to turn potential government hackers into top-notch digital eavesdroppers. When describing the three-year program, the NSA says that it “combines training (SIGINT Discovery/Analysis), operational assignments (in the SIGINT Directorate) and a technical report to enhance the skills of an individual.”
Applicants, who must have a BA in computer science or a related field and a background in malware, cryptography, network security, or a similar field, make Google internship-level bank. The three-year paid internship offers a salary of between $42,209 and $81,204 annually, “commensurate with education and experience.” Upon graduation, they are required to work in the NSA's SIGINT Directorate for at least one year.
Guests at last year's DEFCON hacker conference in Las Vegas were used to the NSA's presence. The intelligence agency has been a regular fixture at the convention for years, with a steady frenemy relationship with the thousands of cybersecurity experts who visit. But last year, the NSA targeted attendees with a very unusual recruitment ad.
As the copy puts it, “At NSA, we don't crack codes and develop new encryption algorithms just for the fun of it (but don't tell our tech teams that). Around here, it's all about the endgame: keeping you and your family safe and secure, so we can all enjoy the simple things in life, like buying new gear and going to DEFCON 21—without the threat of harm from foreign adversaries.”
Knowing that many attendees may have issues with prior run-ins with the law, unorthodox hobbies, or chemical enthusiasms, the advertisement states that “If you have a few, shall we say, indiscretions in your past, don't be alarmed. You shouldn't automatically assume you won't be hired. If you're really interested, you owe it to yourself to give it a shot.”
The NSA might be recruiting at DEFCON, but a large percentage of its information assurance (or, well, presumed citizen eavesdropping) work is outsourced to contractors like Booz Allen Hamilton. In InformationWeek, an industry publication, Mathew J. Schwartz notes that contractors often get the grunt work.
“Given Snowden's biography and job description—serving as an "infrastructure analyst" employed by Booz Allen, but working at an NSA satellite office in Hawaii—many security experts believe that he didn't just have top secret clearance, but served as an information security or IT administrator tasked with keeping confidential systems running. That might explain Snowden's remarks to the Guardian that he had "full access to the rosters of everyone working at the NSA, the entire intelligence community and undercover assets all around the world, the locations of every station we have, what their missions are and so forth,"” Schwartz writes.
Ironically, all these contractors might just make the NSA a little less secure.
[Image: Flickr user RL Johnson]