A Contractor Solution for Cyber Warriors

Thursday, July 22, 2010

Jon Stout


In the cyber world everything happens quickly.

New technology, new threats, new regulations and new players are constantly emerging, and in order for the United States to compete and remain secure, qualified people are required – and we don’t have them.

In a recent article entitled Cyberwarrior Shortage Threatens U.S. Security (by Tom Gjelten), the author makes the following points:

  • The United States is the most vulnerable country for cyber attacks.
  • United States cyber defenses are not up to the challenge.
  • The protection of U.S. cyber assets requires an “army” of cyber warriors but recruitment of that force is suffering. Conservative estimates are that at least 1,000 “cyberwarriors”

Not only are new candidates hard to find but existing agency personnel are leaving. This problem is beginning to be recognized by the community at large. This is a serious problem and the solution needs to include the private contractor community as well as direct hiring by government agencies.  

As a recent study concluded:

The ability of government agencies to fulfill their missions is in peril, requiring immediate and thoughtful attention to the recruitment, hiring and retention of talented IT professionals. Without the right people in the right jobs, our government’s ability to accomplish its mission will be hindered by failing projects and high attrition rates. By investing in IT talent, government will ensure mission success and maintain a safe and prosperous nation. (Source: ISSUE BRIEF | BUILDING AN INFORMATION TECHNOLOGY WORKFORCE; Partnership for Public Service)

The United States Federal Government is remarkably successful in certain limited areas (e.g. defense and transportation), but recruiting cyberwarriors is clearly not among its core capabilities, for a number of very good reasons:

  • Cyber warriors are in high demand and the search process requires agile, innovative approaches. Government agencies are burdened with a great number of rules that inhibit the process.
  • Government employee hiring is notoriously slow. Turnaround averages about 200 days, and if high-level clearances are required, add about six months or 180 days to the process. Total time to recruit and hire a technically qualified person with the required high-level clearances (required by most of Cyber Command) – over 1 year.
  • It is hard to change government employee status if requirements change or the employee fails to perform.
  • Generally speaking, government agencies don’t expend effort on the research and development required to keep up with technology and cyber attack strategy and tactics.

These are some of the reasons that Government Cyber Security agencies (DHS and Cyber Command) look to contractors to supply cyberwarriors. Contractors add the innovation and agility required to reduce the shortage of cyberwarriors. In addition, contractors add specific value in the following ways:

  • Many contractors include aggressive recruiting in their business model and effectively use social networking for maximum job requisition exposure.
  • Often, contractors recruit from existing staff, prior employees or through the use of social networking sites. These techniques are especially valuable when searching for candidates with high level security clearances. The turnaround on job requisitions averages 30-60 days.
  • Each contract issued by a government agency has termination for convenience/cause clauses. The net effect is that if the government decides that it no longer needs or wants the cyberwarrior(s) provided – the agency can terminate the contract and fire the contractor. This gives the respective agency tremendous flexibility.
  • Contractors generally engage in internally funded research and development (IR&D) and pass this on to government agencies in the form of better skilled experts and cyberwarriors.

Are Contract Employees More Expensive?

The answer is no.

Recently, contractor compensation has come under administration and media criticism as a waste of taxpayer dollars. Contractors have been portrayed as having an incestuous relationship with key agencies like those in the Intelligence Community (IC). This criticism is unfair and not based on facts:

When contractors respond to an agency Request for Proposal (RFP), they must supply forward pricing and identify three levels of cost in detail: direct labor, fringe benefits (health insurance, paid time off, matching social security, workers compensation, unemployment insurance, etc.), and General and Administrative (rent, office staff, executive salaries, etc.). To the total of all the costs is added a “fee” which represents profit for the contractor (6-8%). A “fully burdened” hourly rate is calculated.

During the RFP process, a Basis of Estimate (BOE) is prepared showing the number of hours required for a particular task (defined by the agency). This estimate is multiplied by the fully burdened hourly rate to determine the cost.

If the contractor produces rates that are too high, it may lose the contract or, if it wins and costs are less than estimated, it must return the excess to the government. An agency called DCAA (Defense Contract Audit Agency) is charged with rate auditing, and it is aggressive and empowered.

As regards the elements of the fully burdened hourly rate, the following should be noted:

  • Direct labor rates (the amount of salary actually paid to the employee) of federal employees have increased dramatically as compared to contractor employee salaries. Some estimates are that government employee salaries are 25% higher.
  • Generally speaking, contractor employees are more flexible for overtime if required.
  • Federal employee benefits are more lucrative than contractor benefits including separate health care (richer than the recent public health care bill passed), pension (richer than social security), greater paid time off and other benefits.
  • The cost per hour per employee for Federal workers does not include any burden for General and Administrative costs – these heavy burdens for office space, utilities, office equipment and other support expenses are paid by the taxpayer.
  • The only cost that the use of Federal employees avoids is the contractor profit fee, but when one considers the higher pay, benefits and the taxpayer-subsidized G&A costs, this is a relatively small item at 6-8%.

The bottom line is that the Federal Government needs highly qualified cyberwarriors and it needs them now in order to protect the welfare of the nation. When one weighs this specialized need and the need to protect the success of its cyber missions, the best choice is contractor-provided employees.

Cross-posted from Aspiration Software

Tom Coats: Oh I so hate to disagree, but the thing you are missing here is the concept of "core competence". This really is the most stupid idea I have heard in a long time. Imagine, you buy a shop in Bangalore and the North Korean shop is across the street. Mercenaries (I am sorry, contractors) are only as loyal as the next paycheck and it will be a very short time until you see that the reason your employees are leaving the agency is the same reason you will have high turnover in your bodyshop. Worse yet, you will have no chance to appeal to love of country and your vital secrets will be on the street for sale to the highest bidder, and North Korea pays quite well and does not care if their farmers are starving.

A good movie to watch is War Inc. It has definite similarities to this suggestion.
Jon Stout: This is why the Intelligence Community requires security clearances and background investigations.
Anthony M. Freed: Picked up this good resource link from a contact at LinkedIn for those looking: http://www.dhs.gov/xabout/careers/cyberjobfair/
Tom Coats: Putting your core competency out to bid is a dangerous path, especially when you are talking about national security, i.e. national survival. Contractors have expertise which can be used, but Blackwater should be the best example of how not to do it. In this critical area, you want to count on loyalty and an ideological bent. That can only be achieved with a long term relationship and contracting won't provide that.
Mister Reiner: The reason why both government employees and contractors leave government cybersecurity jobs is simple: Leadership has it all figured out and what the little guy has to say doesn't matter. When leadership stops listening to those on the front line, it's time to move on.

Contractors with a Top Secret clearance are no different than government employees with a Top Secret clearance. No matter what, everyone is a U.S. citizen - and that still counts for something... well, until leadership stops listening.

Money used to be king in IT, but with this economy, working directly for the government is still a safer bet. When the government runs out of money, it just prints more! Contractors usually get screwed on the rebid.

And finally, these are my thoughts on the Cyberwarrior 1000:


Jon Stout: There are good contractors and there are bad contractors, just like there are good government employees and bad government employees. The difference is that bad contractors can be fired, but underperforming government employees are hard to change.

For contractors, you must supply skills that the government doesn't have and this ensures success even on rebids.

This is particularly true in the field of cyber security where requirements are rapidly changing.

Yes, leadership and management are important.
Lee Mangold: I have a thought... If someone is an expert in their field, 20 years of experience, and in "high" demand, why is the government trying to hire GS 11s? What is going to entice the "experts" to take a job making 40k?! Yeah, there are a COUPLE 13s out there, but that's about 107k, THEN you need to find a promotion elsewhere or wait for your current org to get a 14 slot.

Obviously the demand isn't high enough.