My NSA career of almost 35 years was spent entirely in the defensive mission (Information Assurance) and divided roughly into thirds. These are "conceptual" thirds, not a literal timeline.
The first third I spent learning the science and craft of finding vulnerabilities and potential attacks against systems in the name of better defense. Next, I moved into technical management jobs, supervising the same sort of work. Finally, I spent the last third trying to figure out why nothing ever seemed to get fixed – and then trying to do something about it.
My career path was traditionally known as "security evaluation" at NSA – an innocuous term for independent, mock-adversarial security analysis. It historically focused on NSA's cryptographic algorithms and devices but evolved along with technology to encompass the full range of technologies, components, systems, and practices. I sampled this career field during one of my tours in the COMSEC intern program, and I was hooked. The work was always fascinating, and the people were terrific – smart, creative, and dedicated. There was a powerful sense of mission and responsibility and an environment of teaching, mentoring, and advancing the science of analysis. (One of my favorite mentors often spoke wistfully of "pushing back the frontiers of ignorance"). And the work was balanced with an atmosphere of fun and collegiality. There were a few dark corners and blind spots in hindsight, but I could not have asked for a better place to start my professional career.
After a couple of years, I wandered onto a new path. In the late 1970s, early 80s, the "personal computer revolution" was starting to take off in the marketplace. (This is not to be confused with the earlier "microprocessor revolution". I recall taking a self-paced course on that topic in my first year at NSA – the highlighted example in the class was that "smart traffic signals" would soon be possible. Wow!). Bob started a small team to look at the security implications of microprocessors and commodity personal computers and asked if I wanted to join. Bob was an engineer by training, and I had worked with him briefly during my Intern tour in the Computer Security Design Guidance Division in 1978 (I didn't know there was any such topic until I worked there). The clincher? Bob said I would get an Apple II+ for analysis, testing, and development. Sign me up!
This step took me from a career focused on mathematics and cryptography into one that was directly on the evolutionary path of what we now call "cyber". But of course, no one knew that at the time. At least a couple of senior mathematicians pulled me aside to gently advise me that this move would derail my promising NSA career. "but… an Apple II+…."
So I changed jobs and moved my desk around the corner, and also switched my graduate school major from applied mathematics to computer science. I spent the next few years learning about personal computers and embedded systems, learning to program in various microprocessor assembly languages, developing specialty applications for spooky people, and establishing the fundamentals of what we would eventually call software security evaluation.
For the second phase of my career, I moved into management jobs. I refer to my start as a front-line supervisor as "recruitment by attrition". No one else seemed to want the job, so they looked around and asked me. I'm not kidding. For now, I'll just say that moving into higher and higher management jobs gave me some unique opportunities to see "failure" (vulnerabilities, flaws, attacks) at a vast scale: through analysis, lab testing, field testing; at every level of technology, component, and system; using every imaginable type of technical discipline, and across government and the private sector. As a bonus, I think I am one of the very few career-long cyber defenders who worked inside an intelligence agency. So, I got to observe and participate directly in the nation-to-nation fight in multiple dimensions. I also had the honor of founding and leading what was likely, in its day, the largest full-spectrum vulnerability-finding "machine" in the US Government dedicated to defense (the Vulnerability Analysis & Operations Group).
Another way of looking at my NSA career is through the names of missions, organizations, and career fields in which I served (below). This is not a linear list or timeline, but more like a conceptual collection of loosely grouped and evolving threads leading to the world we call cyber today.
This picture is adapted from a talk I gave a few years ago at The Center for Education and Research in Information Assurance and Security (CERIAS), Purdue University, hosted by the legendary Gene Spafford.
There was no linear path, no roadmap. Just threads of technology, society, and national defense coming together, with an occasional glimpse of a fantastic future. The technology evolved, the security challenges broadened, and the missions and organizations grew in response. I would love to tell you that I had a grand vision of where technology and society were going, and masterfully planned my career to take advantage of the opportunities. But of course, that's not true. I just stumbled into a career path that allowed me to ride the cybersecurity wave.
These experiences led me to the third phase of my career, which didn't end even with retirement from government service – what are we (the "Big We") going to do about this problem? It was apparent that finding and highlighting vulnerabilities was not enough. In every domain of security analysis, we keep seeing the same issues over and over again. And it is not because developers, operators, managers, and technologists are lazy or don't care. Solutions are hard – often not conceptually, but operationally. Meaningful data is scarce and incomplete, models are simplistic, root-cause understanding is elusive, and economic incentives are misaligned.
Over the next few months, I plan to write regularly about these issues and about what I saw of the evolution of cybersecurity, mission management, and leadership. And lots of odds and ends and observations. Don't expect any deep, dark secrets that would get you or me in trouble. But do expect a lot of stories about people. All along this journey, the greatest blessing has been to find myself in the company of great co-workers, mentors, colleagues, and friends, from all across government, industry, academia.
"I think Cyber is going that way!"
--tony@sagercyber.org