I do think the real issue is not whether the NSA can fill cubes, but whether they can stay ahead of the threat curve. NSA competes with, but not for, the employees of foreign intelligence services; likewise, they used to compete for the same talent pool as top tech companies, but not against those companies.
Then they decided to turn the Big Ear inwards and go to war with US tech companies. Now firms like Google, Microsoft, Apple, etc. are building active defenses against the NSA, which means that they're hiring for the same problem domain, with better salaries and benefits, no security checks or polys, and no stigma (and a lot of prestige) attached to the position. As a result, NSA is threatened with losing precisely those talents necessary to keep ahead of foreign adversaries.
The savage irony of this is that both the NSA and tech companies are at a Nash equilibrium that is non-Pareto optimal; NSA loses top-tier candidates, and tech companies have to expend resources to protect themselves from NSA and other threats. An ideal scenario would be for a trusted NSA to work with tech companies to support strong crypto and security, but that's a nonstarter in the political and bureaucratic climate.
Personally, I'd like to see the defensive aspects of the NSA broken out into a separate agency, preferably either cabinet-level or independent, with the singular mission of protecting the security and privacy of all Americans, covering everything from crypto to vulnerability discovery to privacy recommendations and (where applicable) rulemaking. You would assume that NSA would still be in competition with a hypothetical Information Security Assurance Agency for discovering vulnerabilities, but the ISAA would not have the balancing test of "does this vulnerability threaten Americans more than it helps us listen on our adversaries?" Think of it as a FEMA for the cybersecurity age.