First-Hand:Applying Advanced Technology to Cryptologic Systems: Some Special Management Challenges

This paper first appeared in AFIO's Intelligencer Journal, Spring/Summer 2014 edition, Vol 20, No. 3. This article is an adaptation of a talk that was given at the 2013 Symposium of the Center for Cryptologic History. The main topic of that symposium was the use of advanced technology in cryptologic systems. Dr. Clinton Brooks assisted in the review and editing process.

Submitted by James V. Boone

Introduction

I expect that we all intuitively know that applying truly advanced technology to any type of system is a challenge. While the promise of the new capability is exciting, the process is risky… but never dull! Any rapid development process that involves advanced technology is very difficult to manage in any conventional sense, and there are no little all-purpose software packages, or handbooks to help you. The so-called ‘manager’ is usually only sure that; 1) the program is not on the original schedule, 2) there isa need for more resources, 3) the prototype does not function quite like it was intended to and 4) the higher management chain is in constant need of care and feeding. It is always challenging! However, I assert that two rather unique national-level factors play major roles in shaping the management activities related to the development, deployment, and use of advanced technology in cryptologic systems.

The first factor to consider is that it is necessary for our nation to be in “first place” among all others in the field of cryptology. This situation applies to both offensive and defensive sides as well as to the systems used in related activities such as collection, processing, analysis, reporting, and operations. Those who are in second place are simply losers. The stakes are very high…and there is always time-pressure. It is not just a wartime problem…particularly today. The second factor is that in order to obtain and maintain our “first place” status, we must be able to do certain things that our competitors (and there are many) cannot do. Or, better yet, they have not even thought of.

The successful use of advanced technology is an important tool in addressing both of these factors. Please note that while these factors are attractive and logical, they contain a number of aspects that are extremely difficult (impossible even) to know with certainty.

We participants are easily energized by these challenges, we get excited and work hard, but we cannot afford to become arrogant, even when we seem to be succeeding, nor can we be overly cautious. While the cost of failure is very high, failure may not be immediately obvious. We must therefore include in any plan efforts to try to measure the ability of our adversaries. If that does not seem obvious, then just think of traitors/spies such as William Weisband, the Walker ‘family’, Dalton Lee and Christopher Boyce and their connections. Unfortunately, there are many other, some perhaps more complex, examples. A true cryptology-related system is not a game with a beginning and an end. It is a long-term activity with changing dynamics.

So, what are the major areas of management challenge? I will give you five to consider. Please note that they all interact:

  • Finding, supporting, and retaining people who have the right talents.
  • Maintaining appropriate security and secrecy capabilities.
  • Working at all levels of the resource chains (inside and outside your own organization).
  • Dealing with unusual legal and ethical issues.
  • Addressing long-term support and operations issues along with the development activities.

Since this list is hardly unique for any advanced development, I will quickly expand a bit on each area, and illustrate the peculiarities of our topic.

People

The science-fiction author and inventor Arthur C. Clarke wrote,

“Any sufficiently advanced technology is indistinguishable from magic.”

Most of us are not magicians. People with very unusual talents are required. They are the key to everything. It is my experience that many of these people are not, by definition, normal. They must be found, encouraged, and supported. They are probably not all in one organization or even one area of our economy. They are in government, industry, academia, or…who knows? They are probably only brought into your cryptologic problem through relationships that must be carefully developed. Professional societies and other similar activities can help make the connections, but our employers must support our efforts to find and apply these individuals and not just turn the issues over to some more routine part of their activity. Once the creative people are found, saying that they are ever “managed” is probably not the right use of the word. Ask Dilbert. You must create non-standard support systems to say the least. A brief, somewhat modified, example may help.

Consider the highly talented and unique mathematician who believes that she does her best creative work when she is playing her cello. She is a great mathematician, but not the world’s greatest cellist. So, “management” arranges the construction of a soundproof office within the SCIF for her to work in. When she emerges from this facility and says something like, “I have an idea that I must try out on the supercomputer! Now!”…it has been arranged that she can do this immediately. And it pays off more often than not. Normal facility and resource audits indicate strange and costly construction activities, and other audits indicate a very low percentage of use of the supercomputer. The “managers” must have a way to effectively tell the auditors, “Never mind,” while still meeting resource and legal reviews. This type of example is not confined to mathematicians. You should also believe that it is not accommodated naturally in large bureaucratic systems whether in government or industry.

Many of those who are involved in the management of these high-tech activities may not be magicians either. If they were, they would probably be doing the tricks, not all the other things that managers must do. However, it does really help to at least know something about the basics of the subject, but you may have to find ‘interpreters’ to help you. Oh yes, your best recruiters are usually other ‘magicians’ and good leaders and managers must help the HR departments understand this.

Security and Secrecy

This is a tough one. Not only must you limit the formal transfer of information to properly authorized (and hopefully wisely selected) individuals, but also you must not attract undue attention from the ‘outsiders.’ No matter what journalists and consultants say, it is really NOT a good idea for everyone to know everything at any point in time. This is very difficult to do and naturally provokes all manner of rules and regulations…some of which have the potential to be counterproductive at best and wasteful at least. A simple example comes from the time we were living in Germany and my wife was registering our elementary school students. The German registrar knew we were Americans and asked where I worked. My wife properly replied, “The Department of Defense”, and then noted that the lady wrote down NSA. She asked why she did that, and the lady calmly replied, “Because if you had said ‘US Government,’I would have written CIA.” That cleared that up. Probably just silly but we do tend to do that same type of thing in more costly situations. We must be serious about avoiding and eliminating the silly rules and concentrate our efforts on the truly complex and important issues that uniquely surround each system activity. One size does not fit all. But then, who determines what is silly?

Good security experts exist and can help with crafting good security plans, and the sooner they are involved in the process the better. They are hard to find also. Enforcement takes constant attention at all levels of the organization. There is a need for cleared people in many parts of the organization or unfortunate things can occur. I will address some in the segment on ‘ethics,’ but it is not always that sort of problem. I got introduced to this general problem early in my Air Force career when I was working on a team flight-testing one of the world’s first inertial guidance systems. It was somewhat classified of course. We were on a test flight from Eglin AFB to Hanscomb Field in Massachusetts. I was in the rear of the B-50 taking data; we were under the control of the new system, and we were doing pretty well. As we entered the Washington D.C. airspace, I heard the ground controller tell the pilot to change his heading, as he was about to enter a controlled airspace. The pilot explained that we were a bit off course, but that he did not have control of the aircraft. Those key words meant a lot even in 1956, and I expected to see a F-86 up close from my little observer bubble. Yes, we did get to keep going on our way, but only after some interesting conversations with others. There were special ways to file our flight plan, but the classified versions apparently never got to the actual controllers. It led to new ways to file flight plans for such tests. It also made us conspicuous… that was not a goal. Even the best plan does not work unless all of the essential players are using the same rules.

I will add that if you work in this type of environment for a long time, you may find that your thinking processes are becoming strangely modified. Another brief and modified recent illustration follows. Two of we older-types had been invited to a compartmented meeting to provide some advice. We were properly cleared, identified ourselves, and entered the large, non-descript building in this area (one of many). We showed our badges (from different organizations) and were given directions to the right floor and told to go to a certain room number for the meeting. We did that without difficulty and just noted that there were absolutely no people in the halls. We were comfortable. We reached the proper closed door and were faced with four advanced identification devices. We tried them all, and nothing worked. We were discussing our situation when an unknown person came up the hall and asked us if we needed help. We told him we were supposed to go to a meeting in this room, but our badges did not seem to work. He smiled, said “follow me,” and then just turned the doorknob and went in: the door was not locked. We never thought of that possibility! We later decided we needed a vacation for we had turned silly!

“What’s the point,” you ask? Management must promote the use of outside observers to help make some decisions, because they see things differently than some insiders. This assumes that our enemies are not insiders.

Just about everyone has a funny story about secrecy and security. We use them because we cannot use the more serious ones, but we must not forget the extremely serious aspects of this complex subject. For one example, I ask you to think about what disasters could have happened if Frank Rowlett, Genevieve Grotjan, Leo Rosen and their cryptanalytic team had not been able to keep their success against the Japanese diplomatic cipher system… “PURPLE”…REALLY secret.[1]

Working the Resource Chains

This factor is always an issue. A couple of years ago about a dozen of we ‘old folks’ got together to discuss some of our career experiences. We had a noisy, good time, but in the end there were just two things that we really agreed on. First, we appreciated the creative challenges and opportunities that were provided to us in this type of activity. Second, we all thought that we had to spend far too much of our time working the ‘resource chains.’ That applied to those chains inside of our specific organizations, but also those up through the legislative and executive branches of government. We had many opinions about the reasons for this. It is a ‘natural’ problem in all areas, but what are the main differences that make the use of advanced technologies in this particular area so difficult to ‘sell’?

I don’t really know, but it seems to me that it is a mix of the two items I just mentioned, the talents of those involved and the restricted levels of information. Somehow, we must gain the trust of those who are responsible for the resource allocation by educating them and convincing them that we know what we are doing. It cannot be done by policy, we have to learn to communicate with specific individuals…many of whom have never met us before. This is very challenging. We all have stories. From the industry side I could tell you about the differences in communicating with a very intelligent CEO who was a Cal Tech Physics PhD, and then another very intelligent CEO who was a Yale Law School LLD. One briefing does not fit all. The manager must be able to translate on the fly. It is highly desirable to know something about who you are talking to.

Many of you also have such stories.

The facts are that our resource chains are filled with people of different backgrounds, and different talents, and these people change frequently. They mostly try to do their job and usually they do not all change at the same time. We must keep our attention on this situation and try to gain the confidence and understanding of enough of the people in those chains so that they can be our advocates when needed. We must also remember that we have serious competition for resources and their decisions are not easy to make. A good manager must be able to communicate to a wide variety of audiences.

Doing this task well is still not easy, and there is no way around it. Nevertheless, it is essential, and you must be prepared for the time-consuming hard work. Hopefully, there will be good mentors and advocates to help you. Thanks to them, I only got fired from my job once…the result of me telling a very senior flag-officer ‘No’ while trying to brief him on one of my favorite programs. Thanks to the intervention of Dr. Tordella, the Deputy Director of NSA at the time, I got my job back overnight, peace was made, and we all got along fine after that. Not all such stories have happy endings though.

Legal and Ethical Issues

You are probably thinking, “Well of course we do everything in compliance with the proper legal and ethical standards, so what is the problem here? Furthermore we have our own personal high moral standards and, in case that is not enough, there are many written standards to guide us.” True. One particularly good standard is even carved into a wall at West Point. It is the cadet honor code and it reads,

“A cadet will not lie, cheat, steal nor tolerate those who do.”

I discussed this topic with some students at a Military Intelligence educational activity as a part of a class on industrial relations. I told them that they would have problems in this area. They did not think so. Then I pointed out that, as seen from our adversaries’ point of view we violate that code all the time. In our field of cryptology we are stealing their secrets all the time and doing all manner of things in order to be successful. Along with a few examples, I made my point, and we had some good interaction. Well, we have our enemies. We must just be sure about who is the enemy. Sometimes we may look that way to our ‘un-cleared’ friends. This is not new.

This type of problem is not confined to enemy observations though. Suppose you are an employee of a corporation working on a public system, but you notice that some of your friends and co-workers seem to be doing some other things. They won’t tell you about it, and when you see a list of the organizational programs and look for charge-numbers for them, nothing shows up. Further, they seem to work off-site a lot and…well, you can make up the rest of the story, but we may have unwittingly given birth to a well-intentioned whistle blower, or something worse…like a “Qui Tam lawsuit”. You are going to meet a lot of lawyers at least. Remember, if you are going to try to hide something in a hay stack, you don’t make it look like a needle, make it look like hay!

Managers must know that ‘looking dishonest’ is almost as hard to recover from as actually ‘being dishonest.’ Good legal counsel is required from the start. Sometimes that is not possible on either side of the table at the right time. This general type of problem has been around for a long time. A good example from our past is the formation and early life of one of our nations earliest computer companies, Engineering Research Associates.[2] They did great work…and it caused great problems for some of the participants. There are many others. Good managers try hard to not be a part of such problems.

Because of the non-standard ethical situations of the profession, we must also be alert to assure that all of our team members do not ‘step over the line’ on some problems. Their judgment may become impaired if they are not reminded of the basics. This takes deliberate attention from managers. They have never wanted to hear versions of, “Well, it seemed like a good idea at the time!”

Long-Term Support and Operations

Just getting a really new and advanced technology to work well enough to prove the concept is usually challenging. Getting it incorporated into a larger-scale system is always complex. Designing, supporting and conducting early tests is a treat for all of those who are involved in the initial work, but there are usually not enough of those people who are available, or competent, to actually conduct true operational tests. Others, including some potential future users, must be trained and involved. It will take time and energy. While that time runs on, our adversaries may change what they are doing for one reason or another.

We are then in a reaction mode. While that is almost always the case in intelligence-related systems, it is particularly difficult to accommodate into early testing plans. As a result, it is usually very worthwhile for managers to have at least the outlines for a variety of ‘exit strategies’ for modifying the new system development and test cycle. Planning for upgrades is more fun, but at least having thought about how to change directions is often very worthwhile. Sometimes it provokes new ideas too!

Once the new technology is deployed into operations it is highly likely that some extra contact will be needed with the operators to help them exploit the new capability. Just like the latest version of some home-software package that we buy, our product changes may not bring instant joy to the user. We must plan for that too. We cannot forget about our great new accomplishment once it leaves the lab.

Conclusion

I hope I have convinced you that applying advanced technology in the cryptologic field has its special rewards and also places some special demands on management. In my experience at least, it is a very dynamic and inventive field. It is under continuous observation by many parties, some of which (our adversaries) are very unfriendly. Most “on our side” are potentially friendly, but we developers are not always familiar with them, nor or they really familiar with us. This situation has always demanded special management attention. Of course, a history of success really helps. There has been a lot of that in the cryptologic arena. Explaining that history, convincing others of the national importance of the subjects, and relating them to new technological advancements without creating security issues remains a difficult task. People remain the key to success. And please remember, only first place really counts.

Afterthoughts

As you consider the challenges briefly discussed in this article, you may also reflect on some public current events that are surely challenges for today’s managers. I think you will conclude that there is a strong connection between the advancement of technology and today’s management problems. But that is not a new problem. Just knowing that there is a potential problem and being able to negate the risk has never been easy. You may wish to reflect further on this point by reading an article from an issue of the 1991 Cryptologic Quarterly, “Out of Control” which can be found at: http://www.nsa.gov/public_info/_files/ cryptologic_quarterly/Out_of_Control.pdf. Remaining in “first place” has never been easy! It remains the only place that counts though.

About the Author

James V. Boone obtained a BSEE as an AFROTC Distinguished Military Graduate of Tulane University School of Engineering in 1955. After a short time working for the Glenn L. Martin Aircraft Co., he was called to active duty with the Air Research and Development Command at the Air Force Armament Center. He obtained a MSEE from the Air Force Institute of Technology in 1959. He then received an assignment to the Air Force Security Service with duty at NSA where he worked as a design engineer until converting to civilian status in late 1962. As a civilian, he held a variety of engineering and management positions including an assignment in Germany. In early 1981 he resigned from the position of NSA’s Deputy Director for Research and Engineering and went to work in the aerospace industry with TRW Inc. There he also held a variety of management and staff positions, including the VP and GM of the Electronic Systems Group. He retired from TRW in 1996. He has also served on the board of directors of the Armed Forces Communications and Electronics Association, and held teaching positions at George Mason University and the Joint Military Intelligence College. He is a recipient of the NSA Exceptional Civilian Service Award (1975), and received the 1994 Outstanding Alumnus award from the Tulane University School of Engineering. He is a Life Senior Member of the IEEE, the author of the Naval Institute Press book, A Brief History of Cryptology published in 2005, and is a part-time volunteer in the Center for Cryptologic History at NSA.

Notes

  1. For some evidence that ‘luck’ was involved in even this case, see Ladislas Farago, The Game of the Foxes, The Untold Story of German Espionage in the United States and Great Britain During World War II, p473-474 (David McKay Company, Inc., New York, NY, 1971). This indicates that the Japanese did receive information from the Germans that their ciphers had been compromised, but assured their German partners that their system was safe and then continued to use it.
  2. Erwin Tomash and Arnold A. Cohen, “The Birth of an ERA: Engineering Research Associates, Inc. 1945-1955,” Annals of the History of Computing, Vol. 1, No. 2, Oct. 1979. This publication tells the story of ERA and includes a segment on the origins of their legal adventures.