CIA-hired hackers could make up to $150k a year

Hackers hired by the CIA and other government agencies could be making up to $150,000 per year. The pay for top-level engineers is higher and scales up to $200,000. A range of bonuses is available too, aimed at keeping developers locked in. Alphonsus Olieh Jr., founder of Olieh Industrial Solutions, expects the high-paying trend to continue. Alphonsus Olieh Jr. says, “I coach some of the brightest minds in mathematics and engineering coming out of college and being offered 140k to 200k to work in the valley for startups or billion dollar hedge funds. The only difference between the valley and government agencies is that the government has an open checkbook because they can print money”. He also feels government agencies can help attract more talent by marketing “White Hat” hackers in Hollywood movies.

Government agencies including the CIA, FBI and NSA routinely hire programmers into cybersecurity, surveillance and espionage positions. Although the work is highly secretive, the pay scale follows the regular federal pay structure. This week, a thread on Hacker News about the pay for government hacking attracted attention, revealing several insights into the money available.
Hackers recruited by federal agencies will typically be in the G11 or G13 pay scale. These have base rates of $52,329 – $68,025 and $74,584 – $96,698 respectively. The pay an engineer receives is then multiplied by the locality factor of their area. In the case of Los Angeles, an example provided by one user, a hacker on the G13 scale would expect to make between $96,698 and $125,706 with the area costs factored in.
This points to an interesting finding. In general, government hackers will make “north of 100k, south of 200k,” with a significant portion earning under $100,000. A similarly-skilled cybersecurity expert working at a major tech firm could expect to receive more money for performing the same kind of work.
An engineer working for a tech provider in a major city, such as Los Angeles, San Francisco or New York, could earn between $115,000 and $140,000. While it’s possible to reach this level as a government employee, pay upwards of $120,000 is normally “reserved for those with at least 10 to 20+ years in the game.”
Last year, a report by Forbes found the average pay for top cybersecurity roles has soared to $233,333. In all the cases studied, covering six major U.S. cities and tech hubs, pay for a chief information security officer (CISO) started at $130,000 and scaled to $380,000.
The role of a CISO can’t be directly compared to that of a government hacker. However, the two have similar skillsets and transferable capabilities. A cybersecurity engineer might transition to being a CISO later in their career. The timing could be similar to when they’d be eligible for a senior-level position at the CIA, with pay around $150,000.

The overall finding is clear: in general, federal salaries are lower than those offered by private companies. Hacker News users speculated that government positions remain attractive because of their competitive work-life balance and the other opportunities that come with government work.
Hackers employed by the CIA and NSA also have the chance to work on highly-sensitive projects of national importance. This adds a “thrill factor” that could be the main appeal to some applicants. While private companies generally offer only defensive roles, it’s known that the U.S. government actively develops offensive cyber tools to use against other actors. This provides talented hackers with the chance to use their skills on real cyberattacks, with the backing of the government.

FDA Issues Cyber Security Guidance on Medical Devices

By Steven Ross Johnson | January 21, 2016

The U.S. Food and Drug Administration appears to have heeded the call of providers, regulators and consumers increasingly concerned about the cyber security of medical devices such as pumps and pacemakers. The products, which are often connected to the Internet and hospital networks, can be hacked, affecting their safety and effectiveness and revealing the data they carry.

The guidance recommends manufacturers of medical devices monitor, identify and respond to cyber security vulnerabilities as part of routine post-market surveillance of their products. They would be required to report some of that information back to the FDA.

Last July, the FDA issued a warning to providers about Hospira’s Symbiq Infusion System and advised them to stop using the product because of cyber security vulnerabilities.

“Only when we work collaboratively and openly in a trusted environment will we be able to best protect patient safety and stay ahead of cyber security threats,” said Dr. Suzanne Schwartz, acting director of emergency preparedness/operations and medical countermeasures in the FDA’s Center for Devices and Radiological Health.

Manufacturers should develop programs to assess the risks that cyber security threats pose to their products, according to the agency’s recommendations. Some vendors have said the FDA prevents them from making small modifications or patches to software or applications, for fear that such changes would affect a product the agency had previously approved. The FDA’s recent guidance said that routine updates or patches would not require device makers to notify the agency. Only where a vulnerability could lead to serious adverse health outcomes or death would manufacturers be required to notify the FDA, which has the sole authority to approve medical devices.

Device makers would also not be required to report problems if the manufacturers notify product users and address the problem within 30 days of learning about the vulnerability, or if the manufacturer shares information with other companies to prevent cyber threats.
The guidance will be discussed at an FDA workshop on cyber security Wednesday and Thursday.

A spokesman from leading device maker Medtronic stated in an e-mail that the company was still reviewing the agency’s guidance, which is open for public comment for 90 days. The company stated it would continue to work closely with regulators on this issue, and that it supported “the agency’s engagement in the cyber security of medical devices.”

The latest proposed guidance for post-market monitoring follows guidance the FDA issued in 2014 directing manufacturers to address cyber security concerns while they are developing their products.