The answer to every problem cited is simply pay. When there’s unlimited DoD budget for Palantir or Anduril contracts compared to barely livable wage for enlisted personnel, it’s a no-brainer why people go work for defense contractors instead.
Enlisted or Officer, you’ll not break $200k annual earnings until at least 20 years of experience and Lieutenant General or higher rank.
NSA after a decade of experience you may approach 200k.
But in my experience, there comes a point where people start saying "OK, now I'm earning $x00,000 I'm rich enough to afford some luxuries, what luxuries would most improve my life?" and it turns out things like "not being on call" are kinda popular.
I'm not sure there's any reasonable amount of money that would make me want to go to a boot camp and get hazed by a bunch of jocks.
And that's before considering things like the probably higher-than-usual rate of neurodiverse workers in software, for whom military cultural issues would often go from merely unpleasant all the way up to fundamentally incompatible.
The military's difficulties with the hacker mindset and common neurodiverse mindsets goes deeper than "culture". The military wants/needs to be able to give orders and expect them to be followed. An _active rejection_ of orders, conformity, standardisation, and externally-driven imposed change are all very common within those communities at a level that is closer to biology than culture; it's not something that could straightforwardly be coached out of either side.
To be a comfortable place for a lot of us to work, the military would need to understand that "because I felt like it" is both a complete explanation and a valid justification for either a 100,000 line software project or a two day nap.
I agree, but one oft neglected part of these things is the assumption that military and private companies are the same when we know they aren't.
The pay is one issue, but the social aspects are the much bigger issue.
In bureaucracy where jobs are almost impossible to be fired from for lack of adequate performance there is always an entrenched notion that anyone performing better is making everyone else look bad, and this results in sideband bullying, silencing, and various other forms of coercion which meet a definition of torture.
This is why Academia, and Government have such a hard time finding and keeping qualified people. Structurally, those in charge are the ones promoting negative production value, they may say otherwise but people lie all the time and its only rational to take people by their actions over what words they speak.
There is no amount of money that someone will justify selling/losing their sanity in exchange for money. Money isn't worth anything if you can't spend it.
If you sieve the entry with arbitrary requirements, while also making the job intolerable... of course you aren't going to attract talent.
Its not mainly a matter of money, or for that a matter of culture. Its a matter of structure, and structural failures that incentivize these deficits, they are the same deficits found in central planning.
If you can't relieve people for doing a bad job, you only ever attract parasites which crowd out your productive members, and eventually the reputation gets around and no one even bothers to apply or go down that path if they can avoid it. Couple that with systems which are designed to propagate evils without the individuals alerting to the fact, and who would risk their soul for a job?
The wisest understand that the job you choose can warp and defines you.
If you segment and compartmentalize information you'll never know when you commit attrocities, and you'll be equally responsible regardless of that knowing.
Overall, Government job? Academic Job? nope moving on.
Sanity, and religious beliefs are valued well above anything so base as money; but there are those types too.
Agreed! I left the Air Force with 12 years of service, 4 SANS certs, certification as a federal law enforcement officer, and experience working against APTs. At the time I left, I was getting less than $80k in compensation (excluding healthcare, cause I don’t know how to account for that), and accepted the first job offered ($103k). Left that less than a year later for a job paying $140k plus bonuses, and now I’m in an even better spot 2 years later. The military can’t compete unless they change how they pay their service members.
Part of the “problem” is that much military pay is “hidden”. An e-6 at 12 years makes $55.6k. That is very low compared to the private sector.
However, basic allowance for housing (BAH) for an E6 with dependents is another $20-40k, so let’s call it $30k.
Finally there is retirement. Retirement is harder to calculate, but traditionally if you reach 20 years then you get half your pay for the rest of your life as soon as you leave the military. An E6 @20 would get almost $30k/year, which will automatically increase with inflation. If you retire at 39 (enlisted at 19) and live to 80 you get $1.2M in inflation adjusted payments. The net present value of that is not something I know how to rigorously calculate, but $1M seems in the ball park. That’s an additional $50k/year over a 20 year career if you make it.
That means if you are a 12 year E6 and plan to stay in to 20 your real total comp is closer to $130k/year, and that’s not including BAS, retention bonuses, and other compensation. And it excludes tricare and other VA benefits post retirement.
The total potential compensation for military personnel is far more comparable than it looks, but is heavily weighted to non-cash compensation.
* Apologies if I’m being too pedantic here to much, but I wanted to make sure people who aren’t familiar with the subject can understand what I’m getting at as well.
You forgot to mention the fact that retired members can be recalled, that would dramatically factor into the calculations.
As well as the fact that many roles are tied to holding an active clearance, and while some things would be available in those amounts, debt generally is not one of them (a big opportunity cost).
I think getting recalled as a retiree is about as likely as a regular civilian being drafted though. Both theoretical risks but about equal, for career planning purposes.
I mean, the reason you're getting that much is due to the experience and creds you earned during service. I can't even post into real security roles at my current company because they only want external candidates with federal experience. They post internally for 1-2 days as a formality. Even then, most of those roles are under $120k. The only roles available to me are shitty ones like application security champion and managing/configuring SAST tools.
Also a major point not covered was defined benefits vs the 401k model.
That seems irrelevant when they can have internal employees also filling it under $120k. The real reason are the connections. They want people with a federal background so that they have ties to the federal authorities since the work together on reporting intelligence. It's all about "networking".
There are some aspects of the military culture that are a bit anachronistic, but it’s minor compared to the pay and the career progression problems the military creates. It forces an up and out system where you can’t continue doing what you’re good at for increasing amounts of pay.
But is that not also a common issue with many IT companies? The technical career path is short and the higher levels on that path are already supposed to work more on powerpoints and meetings than on code.
Pay is only part of it. There's a huge mindset difference between controlling organizational structure/policy and the type of people that want to freely explore creative ideas that don't fit in the normal boxes (hackers). As an example, lot of people wouldn't be ok with being told you have to move, or you can't move, which is common in the military.
$200k is huge for most people. Even $100k is a good salary for most of the country. Start adding in housing allowance and a defined benefits program and it's really pretty decent. Most branches will do direct commissions up to O5 for cyber roles now.
$122k is the median for cyber security professionals. $200k is substantially above that. More importantly and tothe point of my previous comment, $200k firmly puts one in the upper class nationally considering the median personal income is only $42k. The perspective on money here is wild.
I'm in no way trying to contradict your comment that $200k is a lot of money in the United States.
I'm arguing that if you're capable of performing cyberwarfare, $200k is a fairly low salary. The $122k median "cyber security professional" is including a lot of people with CCNAs who configure firewalls for a living.
The kind of people that tend to read about tech for fun, and have enough of an opinion on it to post, tend to be lean above average? At least I certainly like to think of myself as such.
People here are just remarking on what it would take to get them to take a job in the military.
"The kind of people that tend to read about tech for fun, and have enough of an opinion on it to post, tend to be lean above average?"
Sure, but they also tend to understand the importance of data and bias. So things like looking at the median instead of making assumptions would be expected more on here than other places.
But even knowing the median, that would just mean that you are objectively in a good position relative to the median.
You aren’t likely to compare compare yourself to the median, but to those whom you consider your peers. If you peers all have higher compensation, you’ll feel bad, regardless of the fact you are objectively in the top 90% of compensation for your role.
Maybe if someone is doing shotty analysis or is a narcissist. It's unlikely anyone knows what their peers are making without estimates relative to the median. It's also unlikely someone can even self-evaluate accurately without employment/comp data. Even something like levels.fyi doesnt go into actual attributes but basically what level someone is at a company. As an example, how does the defined benefits package in the military compare with the 401k model, especially considering for someone leaving the military and getting into the 401k model late (reduced compounding)? In many cases, a rational person in that sort of situation may see that the lower pay might not actually result in lower total compensation.
The real point is that you can still pull competent professionals under $200k because that's an attractive number to the majority of cyber warfare operators or cyber security professionals being that it's at least $50k over the median for either. Reducing that to $150k is still somewhat to slightly over the medians for either, and thus still a financially attractive number to the majority of the candidate pool. Money isn't the real issue here, it's the other restrictions, culture, etc.
This is a general problem for all (western) governments everywhere, not just the US or the US military.
The thing about contractors is that paying $ x million for a project is "normal", but paying a entry-level software dev twice the salary of e.g. the national police's commander in chief is completely unacceptable. If you do that, people in other branches of government will most definitely strike, and doing it will involve incredible amounts of feather ruffling. It's probably one of the hardest things for a government to do, and it stands against everything governments traditionally stand for.
I don't think democratically-elected governments have a good way out of this problem. Propaganda about "protecting the nation" probably helps somewhat with convincing people to just stomach the lower pay, but that's far from enough.
In the military though aren't people enlisted for specific amounts of time, so if the military no longer wanted them around it could just not allow them to reenlist when their current term expires?
Even if you have a lot of time left on your current enlistment period and they don't have cause to toss you out, couldn't they reassign you for the rest of your term to something else?
I mean, the government absolutely could fire people. They aren't giving money to Anduril because Anduril can fire people. They are giving money to Anduril because:
1. Anduril is more competent than the people they can afford to hire.
2. Giving Anduril money funnels funds into local enconomies and individuals that are important to political objectives.
It's notoriously difficult for the government to fire an employee. It can also be difficult to fire an employee in a defense contractor. From what I know of Anduril, part of their business model is that they've found a way to handle government procurement differently where they are not as constrained? They may well be able to fire people more easily, but I think they might also do a better job of hiring and retaining talent.
The government outsources things to contractors because they have no idea how to manage those projects. Do you want your mayor as the foreman for the crew paving your roads?
As with most businesses, the government has the money but not the know-how so they need to outsource or contract.
You need cause to fire a federal employee, and that requires documentation. You often need to put them on a PIP first, giving them a chance to correct and avoid being fired. If they do something that can cause them to lose their clearance you can fast track this a bit, because the ability to maintain a clearance is part of their job requirements.
But this also requires supervisors willing to actually supervise. Often these folks just get shuffled around, they know no one wants them, but they know no one will go through the trouble of firing them either. Shameless, worthless people will happily suffer that indignity for years if they're also getting a low six-figure salary and know they'd get $0 outside of government because private companies would fire them with cause and they'd stop getting any salary.
Anduril is also more competent than the government's organizational structure; it isn't strictly a question of how competent individual people are. It might not even mostly be a question of how competent individual people are.
>"1. Anduril is more competent than the people they can afford to hire"
Interesting. They can't afford to hire person. But by paying to company like Anduril they somehow can afford not only salary of said competent person and a boatload of overhead. Kinda contradictionary.
Not really, government and academia can't fire people. Prior to Vietnam they could relieve them temporarily, but that's not the same. They get paid regardless.
The moment you can't fire people for not meeting a base level of competence is the moment your systems start failing.
> They aren't giving money to Anduril because Anduril can fire people. They are giving money to Anduril because [...] Anduril is more competent than the people they can afford to hire.
Note that this is logically impossible; if they can afford to pay Anduril to hire those people, they can more easily afford to hire the same people themselves.
No, because there are pay caps for federal employees. Often private companies can hire at a pay equivalent to 1-3 grades higher (or more) than the billets the government has for their equivalent people.
GS-12/13 is a common working level for these jobs. Even on the cyber side which gets a 25% or so incentive pay on top, it's not competitive with what industry would pay. And only a handful of truly critical programs might, might, be able to get GS-14/15 billets for their technical staff, that'll still only be for SMEs with years of experience or certain key skillsets. Above GS you start requiring congressional appointments as well, and they aren't going to setup hearings so they can pay people over $200k, it's easier to get a contractor willing to pay that much.
> if they can afford to pay Anduril to hire those people, they can more easily afford to hire the same people themselves.
They can't afford to hire the same people because they can't (as in, they legally cannot) pay the salaries those people are going to demand. That's what I was responding to. The gov't cannot afford to hire the same people themselves, they can hire other people at lower salaries but not the same people.
Because that's obvious? Hiring someone is always cheaper than hiring someone else to hire the original person.
You can't transform something into an affordability problem by wishing. Do you think giving the government more money would solve their hiring problem? No? Then their hiring problem isn't related to what they can afford.
I mean until the USG stops footing the bill for the President and VP this isn't going to change. You can pay an external contractor more than the VP but not a federal employee (some handwaveyness around locale benefits).
If Kamala had to actually pay for all of the stuff she did out of her $284,600/yr salary we'd see that number go way up real fast. I doubt that even covers her security detail if she stayed at the Observatory all year.
The USA has a revenue of ~4.5 Trillion and the 2nd in charge gets <300k while companies with well under 1T revenue have numerous employees with $xx million compensation.
> [1] The aggregate limitation on pay for members of the Senior Executive Service and employees in senior-level or scientific or professional positions covered by a certified performance appraisal system is the total annual compensation payable to the Vice President under 3 U.S.C. 104 on the last day of the calendar year.
Most federal employees are limited by the amount paid to a member of congress. The SES doesn't have a lot of people in it and they mostly run a bureaucracy, they're not doing real work.
I think that it's complicated. Military service always looks like a bad deal on paper yet my military service is probably what I'm most proud of. I think we are fixated on $ to an unhealthy degree.
Where is Anduril getting that money? They're paid the same rate for govt contracts as everyone else no? Do they boost that with investor cash?
Nobody is denying that many people find military service fulfilling. But certain roles have extremely limited talent pools. The odds that you'll find someone willing to take a position primarily for fulfillment when the starting salary for a contractor is double/triple/quadruple/quintuple what government offers, the public service role is immediately starting at a significant disadvantage.
Besides hiring talent, it carries through to career advancement and development (which plays heavily into personal fulfillment!) which on turn affects retention. If you're thinking of starting a family and settling down, being able to have more flexibility and significantly more money is a highly attractive option.
Sounds like you are really proud of your military. Well it might reflect how the things really work anyways. They should put it on their recruitment offices: "if you are a poor shmuck - come to us"
A mix of VC funding, foreign defense sales, and private sector deals, because their products are dual use. Also, as a private company, they don't have the same kinds of expenditures that a service has (pensions, capex on infra, etc)
> I think that it's complicated
Yep! Esprit de corps does play a role in retention to a limited extent.
Also, after this hearing happening in 2018, all the branches began pushing heavily for Cyber Reserves branches because it's the easiest way for them to remediate the skill and pay gap.
1. Palantir is a data store, and overstates it's "defense" credentials. A major defense customer they keep mentioning churned years ago. If Palantir is a cybersecurity company, then so is Salesforce.
2. Enlistees are bucketed based on rank and years within the service. It is almost impossible to make a case for Cyber Enlistees to get a separate payscale from other Enlistees because other enlistees can and do get pissed.
A mix of public-private offensive security partnerships plus a strong reserves component for cybersecurity related roles is the best solution - this is what Israel does.
Finally, CyberCom is a joint command, not a branch, so they are limited in comparison to what individual branches can do.
> Enlistees are bucketed based on rank and years within the service. It is almost impossible to make a case for Cyber Enlistees to get a separate payscale from other Enlistees because other enlistees can and do get pissed.
I wonder if (and maybe this is already in practice), there's an opportunity for warrant officers in this context. In the United States Army where I enlisted, our helicopter pilots were mostly warrant officers and then you had the staff officers who would always try and get more flying time.
The warrant officers were, I believe, paid less than the staff officers, but there's no reason to think the military can't provide additional pay. Retention and sign-on bonuses for expertly-trained cyber warfare and other compute-related activities warrant officers could be something to consider.
Even as an enlisted soldier since I worked in aviation we'd get extra pay because of the odd shifts we worked which was supposed to make up for/supplement on-base meals. I may be remembering incorrectly but being airborne trained provided some extra money as well, though nominal.
All that to say, if a W-1 is making $50,000 in base pay per year, if we wanted to we could just double that via retention and sign-on bonuses.
Of course you might say, well sure but then you know you really aren't making as much as that engineer who is pulling $180,000/year + bonus/equity, and you're right, but in a similar vein I'd say yea and you can only fly an AH-64 in the military....
> I wonder if (and maybe this is already in practice), there's an opportunity for warrant officers in this context ... The warrant officers were, I believe, paid less than the staff officers, but there's no reason to think the military can't provide additional pay. Retention and sign-on bonuses for expertly-trained cyber warfare and other compute-related activities warrant officers could be something to consider.
Already in practice, but a WO's salary can't compete with private sector pay.
The Marines gives Cyber personnel an officer level, because the marines are very budget constrained so they don't have the money needed to send personnel to upskill, and wants to attract people who can hit the ground running.
> Of course you might say, well sure but then you know you really aren't making as much as that engineer who is pulling $180,000/year + bonus/equity, and you're right, but in a similar vein I'd say yea and you can only fly an AH-64 in the military....
Yep! Imo, there will always be some attrition to the private sector due to the pay differential, but making Cyber roles reservist friendly solves this issue. (<-- already starting to happen)
Also giving the option to enlistees to upskill helps solve the human capital gap, plus builds their loyalty to their service and minimizes attrition to a certain extent. A dedicated Cyber ROTC might help as well, just like how the NSA has a similar program. (<-- slowly starting to happen depending on branch)
Honestly, the best solution is to probably convert CyberCom into it's own branch, just like the USSF, because that at least allows Cyberwarfare to not be treated as an afterthought due to service/branch commitments. (<--- probably not happening in the near future sadly).
Palantir has been overstating its benefits for decades at this point. Slick UI can’t hide the almost minimal usefulness you get out of it (and even that minor utility requires an army of support engineers anyways)
You wouldn't want to make something that can stand on its own and actually get complete the mission. How would you afford an army of Agile developers with inflated salaries constantly churning out code that solves problems that don't exist? How could you possibly pay back the VCs that poured millions into your company without ripping off the American taxpayer? If a defense contractor's website doesn't immediately show you what they make or can articulate the services they actually provide, there's a good chance are they are scam artists and should be in prison.
> The intersection of people who can run a 15-minute two mile and dissect a Windows kernel memory dump is vanishingly small.
When I was doing consulting computer stuff for aviation safety[1], I used to joke to myself that I had The Right Stuff... for sitting on my butt, typing on a computer.
But I never voiced that joke in the presence of clients or partner organizations. Where some of the personnel were actual fighter pilots, and who knows what else.
[1] Incidentally, that might be the work I'm most proud of being a part of. I'm not disrespecting government work at all. I only pivoted from Federal technical consulting, back to tech industry startups, because of performing like a FAANG ~L7 for years, yet still not being able to afford a condo in my HCOLA. (And, just when I'd finally verbally negotiated a big chunk of work that would've fixed the money problem, a perfect storm of bad luck ruined that.)
I almost graduated (switched programs) from a graduate school cybersecurity program. They tried making the program "interdisciplinary" which essentially meant that they dumbed down the technical classes so that non-technical undergraduate degrees could pass them.
I tried to put together a team of students to compete in one of MITRE's cybersecurity competitions, but struggled to get other students to create SSH keys so that they could get access to the competition server. Not hack into the server, just follow instructions that I gave them to create keys and give me the public ones so that they could log in and participate.
The industry has a similar problem that the military does: It's very difficult to take non-technical people and train them to be cybersecurity professionals, much less hackers.
You need to start with an engineering background, and it almost has to be electrical or computer engineering, or at least computer science. Of those people with that background, hacking in particular is a type of thinking, problem solving, and mentality that not everyone has.
If you want to defend, attack, or manipulate cyber infrastructure you need an understanding of how that infrastructure is designed and operates. An engineering background will at least give you the building blocks for that.
Can we say that Technical vs. Non-Technical in this space isn't so much about formal credentials, as it is about putting in a lot of time to learn about many relevant things, hands-on and probably exploratory?
The person whose only degree is Art school dropout, but who's logged many hours coding personal projects, running their own Linux or BSD machines, playing with networking, tweaking a game binary, etc., will wipe the floor with more-credentialed others, at a lot of real-world computer technical stuff.
Compared to person with a Engineering degree, or even a Computer Science degree-- but who spent no time outside of classwork, Leetcode memorizing, and a GitHub profile that was motivated only by FAANG-application coaching.
Those people who couldn't create their keypairs probably have fine raw material for becoming the kind of Technical person you need. But they're just having a pile of information shoveled at them in lectures and homework. And maybe they just wanted a job. And nobody told them that, if you want to be good, you have to put in the hours of quality unstructured learning time.
Pay has gotten better, plus the individual branches all have stronger CyberCorps now.
That said, CyberCom still has issues because it's a unified command and not a branch, which means it has limited say and will always get overshadowed by individual branches and the NSA.
Another interesting change is the rise of private sector players and public-private partnerships to help remediate the pay gap - this is what China and Russia did due to similar issues around renumeration, and most other NATO+ allies like Israel, UAE, Singapore, etc leverage this model.
Anecdotally, outside of the NSA, it appears that most what I'd term "white collar lifers" within branches prefer Intel over Cyber because it's easier to learn due to less STEM, and a significant portion of those who do Cyber will tend to leave for private sector.
That said, Cyber Reserves forces are fairly prominent now and probably the best way to remediate this gap.
I'm biased, but imo, the US needs to adopt the Israeli model of public-private offensive security capabilities plus a strong reserves component, because the pay gap and the respect gap just won't be fixed due to internal intertia in the services.
CyberCommand might be able to do something like the Navy nuclear-propulsion program: Enlisted "nukes" get enlistment bonuses and (if they "re-up" after their initial six-year enlistment) fairly-decent "STAR" reenlistment bonuses.
CyberCom is a command, not a branch. Individual branches have leeway to make those compensation changes. A unified command can only provide some additional monies.
That said, individual branches absolutely are doing that, and have started doing that after the 2018 hearing referenced in the article above.
> To add insult to injury, tool developers often perform technical due diligence for capabilities procured from contractors. These capabilities typically mirror the capabilities that talented tool developers create on a quarterly basis, and the government will pay multiples of a developer’s annual salary for them. Nowhere else in the military is its economic rent so clear to the servicemember.
As someone who feels more like a thing-builder than a thief-saboteur, this description is definitely off-putting.
That sounds like an attempted "gotcha", but I think you missed the "matter of perspective."
Imagine some strain of surviving bacterial-descendants are a marginally less-deadly than their predecessors after one solar year. What measure would you use for the comparison?
If you were to pick "generations", that might be ~9000 for the bacteria, while applied to humans it's ~40x longer than all recorded history.
Anywho, point is that for every "too big to fail" things there is usually a longer timescale where it stops looking that way.
The answer to every problem cited is simply pay. When there’s unlimited DoD budget for Palantir or Anduril contracts compared to barely livable wage for enlisted personnel, it’s a no-brainer why people go work for defense contractors instead.
Enlisted or Officer, you’ll not break $200k annual earnings until at least 20 years of experience and Lieutenant General or higher rank.
NSA after a decade of experience you may approach 200k.
Anduril starts entry-level at $200k.
The pay is part of the equation, absolutely.
But in my experience, there comes a point where people start saying "OK, now I'm earning $x00,000 I'm rich enough to afford some luxuries, what luxuries would most improve my life?" and it turns out things like "not being on call" are kinda popular.
I'm not sure there's any reasonable amount of money that would make me want to go to a boot camp and get hazed by a bunch of jocks.
So they might need pay and fixes to the culture.
And that's before considering things like the probably higher-than-usual rate of neurodiverse workers in software, for whom military cultural issues would often go from merely unpleasant all the way up to fundamentally incompatible.
The military's difficulties with the hacker mindset and common neurodiverse mindsets goes deeper than "culture". The military wants/needs to be able to give orders and expect them to be followed. An _active rejection_ of orders, conformity, standardisation, and externally-driven imposed change are all very common within those communities at a level that is closer to biology than culture; it's not something that could straightforwardly be coached out of either side.
To be a comfortable place for a lot of us to work, the military would need to understand that "because I felt like it" is both a complete explanation and a valid justification for either a 100,000 line software project or a two day nap.
I agree, but one oft neglected part of these things is the assumption that military and private companies are the same when we know they aren't.
The pay is one issue, but the social aspects are the much bigger issue.
In bureaucracy where jobs are almost impossible to be fired from for lack of adequate performance there is always an entrenched notion that anyone performing better is making everyone else look bad, and this results in sideband bullying, silencing, and various other forms of coercion which meet a definition of torture.
This is why Academia, and Government have such a hard time finding and keeping qualified people. Structurally, those in charge are the ones promoting negative production value, they may say otherwise but people lie all the time and its only rational to take people by their actions over what words they speak.
There is no amount of money that someone will justify selling/losing their sanity in exchange for money. Money isn't worth anything if you can't spend it.
If you sieve the entry with arbitrary requirements, while also making the job intolerable... of course you aren't going to attract talent.
Its not mainly a matter of money, or for that a matter of culture. Its a matter of structure, and structural failures that incentivize these deficits, they are the same deficits found in central planning.
If you can't relieve people for doing a bad job, you only ever attract parasites which crowd out your productive members, and eventually the reputation gets around and no one even bothers to apply or go down that path if they can avoid it. Couple that with systems which are designed to propagate evils without the individuals alerting to the fact, and who would risk their soul for a job?
The wisest understand that the job you choose can warp and defines you. If you segment and compartmentalize information you'll never know when you commit attrocities, and you'll be equally responsible regardless of that knowing.
Overall, Government job? Academic Job? nope moving on. Sanity, and religious beliefs are valued well above anything so base as money; but there are those types too.
> go to a boot camp and get hazed by a bunch of jocks
Marine Corps recruit training and Air Force BMT are world’s apart.
Does one or the other of them not involve being hazed, in an occasionally fatal fashion, by a bunch of jocks?
> I'm not sure there's any reasonable amount of money that would make me want to go to a boot camp and get hazed by a bunch of jocks.
This sounds like it’s more a problem of boot camp, not so much the cyber department.
[dead]
Agreed! I left the Air Force with 12 years of service, 4 SANS certs, certification as a federal law enforcement officer, and experience working against APTs. At the time I left, I was getting less than $80k in compensation (excluding healthcare, cause I don’t know how to account for that), and accepted the first job offered ($103k). Left that less than a year later for a job paying $140k plus bonuses, and now I’m in an even better spot 2 years later. The military can’t compete unless they change how they pay their service members.
Part of the “problem” is that much military pay is “hidden”. An e-6 at 12 years makes $55.6k. That is very low compared to the private sector. However, basic allowance for housing (BAH) for an E6 with dependents is another $20-40k, so let’s call it $30k. Finally there is retirement. Retirement is harder to calculate, but traditionally if you reach 20 years then you get half your pay for the rest of your life as soon as you leave the military. An E6 @20 would get almost $30k/year, which will automatically increase with inflation. If you retire at 39 (enlisted at 19) and live to 80 you get $1.2M in inflation adjusted payments. The net present value of that is not something I know how to rigorously calculate, but $1M seems in the ball park. That’s an additional $50k/year over a 20 year career if you make it.
That means if you are a 12 year E6 and plan to stay in to 20 your real total comp is closer to $130k/year, and that’s not including BAS, retention bonuses, and other compensation. And it excludes tricare and other VA benefits post retirement.
The total potential compensation for military personnel is far more comparable than it looks, but is heavily weighted to non-cash compensation.
* Apologies if I’m being too pedantic here to much, but I wanted to make sure people who aren’t familiar with the subject can understand what I’m getting at as well.
You forgot to mention the fact that retired members can be recalled, that would dramatically factor into the calculations.
As well as the fact that many roles are tied to holding an active clearance, and while some things would be available in those amounts, debt generally is not one of them (a big opportunity cost).
I think getting recalled as a retiree is about as likely as a regular civilian being drafted though. Both theoretical risks but about equal, for career planning purposes.
We've recalled retirees, most recently in the mid 2000s. There were a lot of them recalled in the gulf war in the 90s.
So a bit more likely than the draft.
I'm technically also subject to the UCMJ for the rest of my life as well.
That retirement plan no longer exists just for the record.
The "total compensation" numbers that military recruiters tout are not actually real.
I know, I lived it for 23 years.
Did you get BAH? In high CoL areas like DC metro the housing allowance is like an extra 33k, tax free.
But it would take you much more to jump to that $140k if you were not in military.
It wasn’t like you could get that right of the bat.
Military experience is valuable on itself.
Yes you don’t want to stay there for whole career- but doing 5 or 10 years is going to pay off later. Just be good for your mates ;)
I mean, the reason you're getting that much is due to the experience and creds you earned during service. I can't even post into real security roles at my current company because they only want external candidates with federal experience. They post internally for 1-2 days as a formality. Even then, most of those roles are under $120k. The only roles available to me are shitty ones like application security champion and managing/configuring SAST tools.
Also a major point not covered was defined benefits vs the 401k model.
So the real reason here seems to be that they know candidates with previous federal roles can be picked up for under 120k?
That seems irrelevant when they can have internal employees also filling it under $120k. The real reason are the connections. They want people with a federal background so that they have ties to the federal authorities since the work together on reporting intelligence. It's all about "networking".
Yup. 95% pay. 5% antiquated culture.
There are some aspects of the military culture that are a bit anachronistic, but it’s minor compared to the pay and the career progression problems the military creates. It forces an up and out system where you can’t continue doing what you’re good at for increasing amounts of pay.
But is that not also a common issue with many IT companies? The technical career path is short and the higher levels on that path are already supposed to work more on powerpoints and meetings than on code.
There’s thousands of companies you can hop between, but there’s only a single military. They need to have good career progression.
You could probably switch militaries once, but it gets tricky.
Pay is only part of it. There's a huge mindset difference between controlling organizational structure/policy and the type of people that want to freely explore creative ideas that don't fit in the normal boxes (hackers). As an example, lot of people wouldn't be ok with being told you have to move, or you can't move, which is common in the military.
$200k is huge for most people. Even $100k is a good salary for most of the country. Start adding in housing allowance and a defined benefits program and it's really pretty decent. Most branches will do direct commissions up to O5 for cyber roles now.
$200k isn’t huge for people capable of cyberwarfare.
$122k is the median for cyber security professionals. $200k is substantially above that. More importantly and tothe point of my previous comment, $200k firmly puts one in the upper class nationally considering the median personal income is only $42k. The perspective on money here is wild.
I'm in no way trying to contradict your comment that $200k is a lot of money in the United States.
I'm arguing that if you're capable of performing cyberwarfare, $200k is a fairly low salary. The $122k median "cyber security professional" is including a lot of people with CCNAs who configure firewalls for a living.
Ok, so cyber warfare operators make a median of $144k per year. Higher, but $200k is still over one third above that.
> The perspective on money here is wild.
The kind of people that tend to read about tech for fun, and have enough of an opinion on it to post, tend to be lean above average? At least I certainly like to think of myself as such.
People here are just remarking on what it would take to get them to take a job in the military.
"The kind of people that tend to read about tech for fun, and have enough of an opinion on it to post, tend to be lean above average?"
Sure, but they also tend to understand the importance of data and bias. So things like looking at the median instead of making assumptions would be expected more on here than other places.
But even knowing the median, that would just mean that you are objectively in a good position relative to the median.
You aren’t likely to compare compare yourself to the median, but to those whom you consider your peers. If you peers all have higher compensation, you’ll feel bad, regardless of the fact you are objectively in the top 90% of compensation for your role.
Maybe if someone is doing shotty analysis or is a narcissist. It's unlikely anyone knows what their peers are making without estimates relative to the median. It's also unlikely someone can even self-evaluate accurately without employment/comp data. Even something like levels.fyi doesnt go into actual attributes but basically what level someone is at a company. As an example, how does the defined benefits package in the military compare with the 401k model, especially considering for someone leaving the military and getting into the 401k model late (reduced compounding)? In many cases, a rational person in that sort of situation may see that the lower pay might not actually result in lower total compensation.
The real point is that you can still pull competent professionals under $200k because that's an attractive number to the majority of cyber warfare operators or cyber security professionals being that it's at least $50k over the median for either. Reducing that to $150k is still somewhat to slightly over the medians for either, and thus still a financially attractive number to the majority of the candidate pool. Money isn't the real issue here, it's the other restrictions, culture, etc.
This is a general problem for all (western) governments everywhere, not just the US or the US military.
The thing about contractors is that paying $ x million for a project is "normal", but paying a entry-level software dev twice the salary of e.g. the national police's commander in chief is completely unacceptable. If you do that, people in other branches of government will most definitely strike, and doing it will involve incredible amounts of feather ruffling. It's probably one of the hardest things for a government to do, and it stands against everything governments traditionally stand for.
I don't think democratically-elected governments have a good way out of this problem. Propaganda about "protecting the nation" probably helps somewhat with convincing people to just stomach the lower pay, but that's far from enough.
Anduril fires people. That’s why the government can give Anduril money. The government can’t do things that Anduril can.
In the military though aren't people enlisted for specific amounts of time, so if the military no longer wanted them around it could just not allow them to reenlist when their current term expires?
Even if you have a lot of time left on your current enlistment period and they don't have cause to toss you out, couldn't they reassign you for the rest of your term to something else?
I mean, the government absolutely could fire people. They aren't giving money to Anduril because Anduril can fire people. They are giving money to Anduril because:
1. Anduril is more competent than the people they can afford to hire.
2. Giving Anduril money funnels funds into local enconomies and individuals that are important to political objectives.
It's notoriously difficult for the government to fire an employee. It can also be difficult to fire an employee in a defense contractor. From what I know of Anduril, part of their business model is that they've found a way to handle government procurement differently where they are not as constrained? They may well be able to fire people more easily, but I think they might also do a better job of hiring and retaining talent.
The government outsources things to contractors because they have no idea how to manage those projects. Do you want your mayor as the foreman for the crew paving your roads?
As with most businesses, the government has the money but not the know-how so they need to outsource or contract.
You need cause to fire a federal employee, and that requires documentation. You often need to put them on a PIP first, giving them a chance to correct and avoid being fired. If they do something that can cause them to lose their clearance you can fast track this a bit, because the ability to maintain a clearance is part of their job requirements.
But this also requires supervisors willing to actually supervise. Often these folks just get shuffled around, they know no one wants them, but they know no one will go through the trouble of firing them either. Shameless, worthless people will happily suffer that indignity for years if they're also getting a low six-figure salary and know they'd get $0 outside of government because private companies would fire them with cause and they'd stop getting any salary.
Anduril is also more competent than the government's organizational structure; it isn't strictly a question of how competent individual people are. It might not even mostly be a question of how competent individual people are.
>"1. Anduril is more competent than the people they can afford to hire"
Interesting. They can't afford to hire person. But by paying to company like Anduril they somehow can afford not only salary of said competent person and a boatload of overhead. Kinda contradictionary.
3. Andruil sales are “friends” with people making decisions
??
Just asking, not accusing anyone of anything.
Not really, government and academia can't fire people. Prior to Vietnam they could relieve them temporarily, but that's not the same. They get paid regardless.
The moment you can't fire people for not meeting a base level of competence is the moment your systems start failing.
> They aren't giving money to Anduril because Anduril can fire people. They are giving money to Anduril because [...] Anduril is more competent than the people they can afford to hire.
Note that this is logically impossible; if they can afford to pay Anduril to hire those people, they can more easily afford to hire the same people themselves.
No, because there are pay caps for federal employees. Often private companies can hire at a pay equivalent to 1-3 grades higher (or more) than the billets the government has for their equivalent people.
GS-12/13 is a common working level for these jobs. Even on the cyber side which gets a 25% or so incentive pay on top, it's not competitive with what industry would pay. And only a handful of truly critical programs might, might, be able to get GS-14/15 billets for their technical staff, that'll still only be for SMEs with years of experience or certain key skillsets. Above GS you start requiring congressional appointments as well, and they aren't going to setup hearings so they can pay people over $200k, it's easier to get a contractor willing to pay that much.
13 is basically the max unless you get into management. There are a very few 14 positions and nearly no 15s.
Almost no one in tech gets into SES, and they wouldn't want to -- SESs don't write software.
That is a question of whether they're allowed to hire people, not whether they can afford to.
Then why did you write:
> if they can afford to pay Anduril to hire those people, they can more easily afford to hire the same people themselves.
They can't afford to hire the same people because they can't (as in, they legally cannot) pay the salaries those people are going to demand. That's what I was responding to. The gov't cannot afford to hire the same people themselves, they can hire other people at lower salaries but not the same people.
Because that's obvious? Hiring someone is always cheaper than hiring someone else to hire the original person.
You can't transform something into an affordability problem by wishing. Do you think giving the government more money would solve their hiring problem? No? Then their hiring problem isn't related to what they can afford.
I mean until the USG stops footing the bill for the President and VP this isn't going to change. You can pay an external contractor more than the VP but not a federal employee (some handwaveyness around locale benefits).
If Kamala had to actually pay for all of the stuff she did out of her $284,600/yr salary we'd see that number go way up real fast. I doubt that even covers her security detail if she stayed at the Observatory all year.
The USA has a revenue of ~4.5 Trillion and the 2nd in charge gets <300k while companies with well under 1T revenue have numerous employees with $xx million compensation.
> [1] The aggregate limitation on pay for members of the Senior Executive Service and employees in senior-level or scientific or professional positions covered by a certified performance appraisal system is the total annual compensation payable to the Vice President under 3 U.S.C. 104 on the last day of the calendar year.
[1]: https://www.opm.gov/policy-data-oversight/pay-leave/pay-admi...
Most federal employees are limited by the amount paid to a member of congress. The SES doesn't have a lot of people in it and they mostly run a bureaucracy, they're not doing real work.
I think that it's complicated. Military service always looks like a bad deal on paper yet my military service is probably what I'm most proud of. I think we are fixated on $ to an unhealthy degree.
Where is Anduril getting that money? They're paid the same rate for govt contracts as everyone else no? Do they boost that with investor cash?
Nobody is denying that many people find military service fulfilling. But certain roles have extremely limited talent pools. The odds that you'll find someone willing to take a position primarily for fulfillment when the starting salary for a contractor is double/triple/quadruple/quintuple what government offers, the public service role is immediately starting at a significant disadvantage.
Besides hiring talent, it carries through to career advancement and development (which plays heavily into personal fulfillment!) which on turn affects retention. If you're thinking of starting a family and settling down, being able to have more flexibility and significantly more money is a highly attractive option.
> They're paid the same rate for govt contracts as everyone else no?
No. Where did you get the idea the government pays the same rate for every contract/contractor?
Defense procurement is notoriously complicated, and there are myriad ways contracts can be structured. There is definitely no single rate.
because the military can't retain talent, they pay through the nose for contractors who don't enforce their "standards"...
But military doesn’t and shouldn’t retain talent.
You should go there for 5-10years if you are a poor shmuck so they train you, get some value from you and that’s it.
What the hell, man. How would any entity function if the institutional memory was 5-10 years tops?
People hand over the knowledge all the time. It is not like everyone quits at the same time.
>"if you are a poor shmuck"
Sounds like you are really proud of your military. Well it might reflect how the things really work anyways. They should put it on their recruitment offices: "if you are a poor shmuck - come to us"
Most of 18-25 year olds are poor shmucks. Ask around who has their own apartment at 20-something and what their prospects are.
Military is one of valid options to improve their lives .
I’m really happy that my military is a team of professionals that are there because they want to be.
Anduril doesn't generally sell hours to the government like most defense contractors.
> Where is Anduril getting that money?
A mix of VC funding, foreign defense sales, and private sector deals, because their products are dual use. Also, as a private company, they don't have the same kinds of expenditures that a service has (pensions, capex on infra, etc)
> I think that it's complicated
Yep! Esprit de corps does play a role in retention to a limited extent.
Also, after this hearing happening in 2018, all the branches began pushing heavily for Cyber Reserves branches because it's the easiest way for them to remediate the skill and pay gap.
They also get a ton of money from the US DoD.
1. Palantir is a data store, and overstates it's "defense" credentials. A major defense customer they keep mentioning churned years ago. If Palantir is a cybersecurity company, then so is Salesforce.
2. Enlistees are bucketed based on rank and years within the service. It is almost impossible to make a case for Cyber Enlistees to get a separate payscale from other Enlistees because other enlistees can and do get pissed.
A mix of public-private offensive security partnerships plus a strong reserves component for cybersecurity related roles is the best solution - this is what Israel does.
Finally, CyberCom is a joint command, not a branch, so they are limited in comparison to what individual branches can do.
> Enlistees are bucketed based on rank and years within the service. It is almost impossible to make a case for Cyber Enlistees to get a separate payscale from other Enlistees because other enlistees can and do get pissed.
I wonder if (and maybe this is already in practice), there's an opportunity for warrant officers in this context. In the United States Army where I enlisted, our helicopter pilots were mostly warrant officers and then you had the staff officers who would always try and get more flying time.
The warrant officers were, I believe, paid less than the staff officers, but there's no reason to think the military can't provide additional pay. Retention and sign-on bonuses for expertly-trained cyber warfare and other compute-related activities warrant officers could be something to consider.
Even as an enlisted soldier since I worked in aviation we'd get extra pay because of the odd shifts we worked which was supposed to make up for/supplement on-base meals. I may be remembering incorrectly but being airborne trained provided some extra money as well, though nominal.
All that to say, if a W-1 is making $50,000 in base pay per year, if we wanted to we could just double that via retention and sign-on bonuses.
Of course you might say, well sure but then you know you really aren't making as much as that engineer who is pulling $180,000/year + bonus/equity, and you're right, but in a similar vein I'd say yea and you can only fly an AH-64 in the military....
> I wonder if (and maybe this is already in practice), there's an opportunity for warrant officers in this context ... The warrant officers were, I believe, paid less than the staff officers, but there's no reason to think the military can't provide additional pay. Retention and sign-on bonuses for expertly-trained cyber warfare and other compute-related activities warrant officers could be something to consider.
Already in practice, but a WO's salary can't compete with private sector pay.
The Marines gives Cyber personnel an officer level, because the marines are very budget constrained so they don't have the money needed to send personnel to upskill, and wants to attract people who can hit the ground running.
> Of course you might say, well sure but then you know you really aren't making as much as that engineer who is pulling $180,000/year + bonus/equity, and you're right, but in a similar vein I'd say yea and you can only fly an AH-64 in the military....
Yep! Imo, there will always be some attrition to the private sector due to the pay differential, but making Cyber roles reservist friendly solves this issue. (<-- already starting to happen)
Also giving the option to enlistees to upskill helps solve the human capital gap, plus builds their loyalty to their service and minimizes attrition to a certain extent. A dedicated Cyber ROTC might help as well, just like how the NSA has a similar program. (<-- slowly starting to happen depending on branch)
Honestly, the best solution is to probably convert CyberCom into it's own branch, just like the USSF, because that at least allows Cyberwarfare to not be treated as an afterthought due to service/branch commitments. (<--- probably not happening in the near future sadly).
>I'd say yea and you can only fly an AH-64 in the military...."
Nice argument when you are single...
Palantir has been overstating its benefits for decades at this point. Slick UI can’t hide the almost minimal usefulness you get out of it (and even that minor utility requires an army of support engineers anyways)
You wouldn't want to make something that can stand on its own and actually get complete the mission. How would you afford an army of Agile developers with inflated salaries constantly churning out code that solves problems that don't exist? How could you possibly pay back the VCs that poured millions into your company without ripping off the American taxpayer? If a defense contractor's website doesn't immediately show you what they make or can articulate the services they actually provide, there's a good chance are they are scam artists and should be in prison.
> The intersection of people who can run a 15-minute two mile and dissect a Windows kernel memory dump is vanishingly small.
When I was doing consulting computer stuff for aviation safety[1], I used to joke to myself that I had The Right Stuff... for sitting on my butt, typing on a computer.
But I never voiced that joke in the presence of clients or partner organizations. Where some of the personnel were actual fighter pilots, and who knows what else.
[1] Incidentally, that might be the work I'm most proud of being a part of. I'm not disrespecting government work at all. I only pivoted from Federal technical consulting, back to tech industry startups, because of performing like a FAANG ~L7 for years, yet still not being able to afford a condo in my HCOLA. (And, just when I'd finally verbally negotiated a big chunk of work that would've fixed the money problem, a perfect storm of bad luck ruined that.)
I almost graduated (switched programs) from a graduate school cybersecurity program. They tried making the program "interdisciplinary" which essentially meant that they dumbed down the technical classes so that non-technical undergraduate degrees could pass them.
I tried to put together a team of students to compete in one of MITRE's cybersecurity competitions, but struggled to get other students to create SSH keys so that they could get access to the competition server. Not hack into the server, just follow instructions that I gave them to create keys and give me the public ones so that they could log in and participate.
The industry has a similar problem that the military does: It's very difficult to take non-technical people and train them to be cybersecurity professionals, much less hackers.
You need to start with an engineering background, and it almost has to be electrical or computer engineering, or at least computer science. Of those people with that background, hacking in particular is a type of thinking, problem solving, and mentality that not everyone has.
If you want to defend, attack, or manipulate cyber infrastructure you need an understanding of how that infrastructure is designed and operates. An engineering background will at least give you the building blocks for that.
Can we say that Technical vs. Non-Technical in this space isn't so much about formal credentials, as it is about putting in a lot of time to learn about many relevant things, hands-on and probably exploratory?
The person whose only degree is Art school dropout, but who's logged many hours coding personal projects, running their own Linux or BSD machines, playing with networking, tweaking a game binary, etc., will wipe the floor with more-credentialed others, at a lot of real-world computer technical stuff.
Compared to person with a Engineering degree, or even a Computer Science degree-- but who spent no time outside of classwork, Leetcode memorizing, and a GitHub profile that was motivated only by FAANG-application coaching.
Those people who couldn't create their keypairs probably have fine raw material for becoming the kind of Technical person you need. But they're just having a pile of information shoveled at them in lectures and homework. And maybe they just wanted a job. And nobody told them that, if you want to be good, you have to put in the hours of quality unstructured learning time.
2018, FWIW. I'd be curious to hear how (if) things are different now.
USAF now has Cyber Warrant Officers.
Year added above. Thanks!
Pay has gotten better, plus the individual branches all have stronger CyberCorps now.
That said, CyberCom still has issues because it's a unified command and not a branch, which means it has limited say and will always get overshadowed by individual branches and the NSA.
Another interesting change is the rise of private sector players and public-private partnerships to help remediate the pay gap - this is what China and Russia did due to similar issues around renumeration, and most other NATO+ allies like Israel, UAE, Singapore, etc leverage this model.
Anecdotally, outside of the NSA, it appears that most what I'd term "white collar lifers" within branches prefer Intel over Cyber because it's easier to learn due to less STEM, and a significant portion of those who do Cyber will tend to leave for private sector.
That said, Cyber Reserves forces are fairly prominent now and probably the best way to remediate this gap.
I'm biased, but imo, the US needs to adopt the Israeli model of public-private offensive security capabilities plus a strong reserves component, because the pay gap and the respect gap just won't be fixed due to internal intertia in the services.
CyberCommand might be able to do something like the Navy nuclear-propulsion program: Enlisted "nukes" get enlistment bonuses and (if they "re-up" after their initial six-year enlistment) fairly-decent "STAR" reenlistment bonuses.
https://www.navytimes.com/news/your-navy/2023/06/23/big-enli...
https://www.mynavyhr.navy.mil/Portals/55/Career/ECM/Nuclear/...
CyberCom is a command, not a branch. Individual branches have leeway to make those compensation changes. A unified command can only provide some additional monies.
That said, individual branches absolutely are doing that, and have started doing that after the 2018 hearing referenced in the article above.
> To add insult to injury, tool developers often perform technical due diligence for capabilities procured from contractors. These capabilities typically mirror the capabilities that talented tool developers create on a quarterly basis, and the government will pay multiples of a developer’s annual salary for them. Nowhere else in the military is its economic rent so clear to the servicemember.
As someone who feels more like a thing-builder than a thief-saboteur, this description is definitely off-putting.
It is important to learn from one's own mistakes, but if an institution is too big to fail, then does it ever really learn?
If any entity can't fail, does it need to learn? :p
That said, some of it is a matter of perspective: To bacteria, individual humans are "too big to fail" in the same way geography is.
> To bacteria, individual humans are "too big to fail" in the same way geography is.
...which is why diseases rapidly evolve away from lethality?
That sounds like an attempted "gotcha", but I think you missed the "matter of perspective."
Imagine some strain of surviving bacterial-descendants are a marginally less-deadly than their predecessors after one solar year. What measure would you use for the comparison?
If you were to pick "generations", that might be ~9000 for the bacteria, while applied to humans it's ~40x longer than all recorded history.
Anywho, point is that for every "too big to fail" things there is usually a longer timescale where it stops looking that way.
[dead]
TLDR: Copy the medic track model. Makes sense to me.