the biggest surprises during his time at
the NSA. As George puts it, “DES gave
people a good problem to work on.” A good
problem made all the difference.
George identifies another critical
ingredient to the development of
academic cryptanalysis. Just as DES
was helping to define the discipline of
cryptography, the early Internet was
chipping away at what had been one of
the NSA’s exclusive advantages—the
sheer number of bright people it had
collected in a single physical location.
Some of the academic interest
generated by the DES project was due to
the controversy surrounding two changes
the NSA made to IBM’s algorithm. The first
was straightforward: NSA changed the
key length from 64 bits to 56 bits. This
simplified the hardware and software that
was required to implement DES, but also
made it easier to decrypt DES-encrypted
data for the same reason that shorter
passwords are easier to guess—there are
fewer alternatives to consider. A more
mysterious change was made to a part
of the algorithm called the “S-boxes” (a
fancy word for eight functions from 6-bit
numbers to 4-bit numbers). No reason
was given for the change, and outside
researchers wondered if these changes
represented a “backdoor,” a weakness
that the NSA might use to more easily
decrypt DES-encrypted messages.
This picture became clearer only
decades after the publication of
DES, after the academic community
discovered a technique called “differential
cryptanalysis.” Academics quickly
discovered that DES was quite resistant
to differential cryptanalysis, but that
seemingly minor changes to the S-boxes
would make it much more vulnerable to
the attack. The apparent conclusion,
confirmed by IBM’s Don Coppersmith
in 1994, was that the NSA and IBM had
known about differential cryptanalysis
in the ’70s. Their changes protected DES
against the technique; explaining the
changes would have required explaining
differential cryptanalysis, which the
government did not want to do. George,
in a keynote address to the RSA Security
Conference in February 2011, said that
“this is going to be used by the U.S.
government and the U.S. banks...it had to
be as good as advertised.”
MAKE THINGS HAPPEN
George’s career blossomed concurrently
with the academic discipline of
cryptography and security research.
He climbed the ranks at the NSA, from
leading a dozen men and women as a
manager to eventually leading several
thousand as a technical director.
When he mentors younger managers,
George compares his former position
to the neck in a stick figure: There are
critical decision makers in the head
above, and the arms of the stick figure are
connections with others outside the NSA,
particularly bureaucrats elsewhere in the
government. “I can’t overemphasize the
importance of a social network for getting
things done,” he says. “I had to know that
if I called someone at another agency they
would trust me and they would work with
me.”Completing the metaphor are the
legs of the stick figure, which represent
the people who indirectly or directly
reported to George. Here, he says the
fundamental work he did was critical to
his later credibility as a manager: “The
key to getting ahead in any technical field
is to get a resume of accomplishments.”
One reason for this, George says, is the
importance of knowing who to trust.
When you’re the manager for thousands
of employees, then on any given issue,
there are “t wo or three hundred people
that want to give you advice,” and sorting
through the flurry of people and advice
requires technical expertise.
THEN AND NO W
Security is a very different game than it
was in the ‘70s when George joined the
NSA. An obvious difference is the Soviet
Union is no longer a primary threat. As an
adversary for the NSA, the Soviet Union
was similar to the U.S. in a number of
important ways, which George recited
offhandedly: “capabilities, resources,
intention, motivation, access, and risk
aversion.” The Soviet Union even had a
government official, Victor Sheymov,
with roughly the same job as George.
(Sheymov defected to the U.S. in 1980.)
Modern threats come from much more
diverse adversaries, and the Internet’s
global connectivity can make it very hard
to trace attacks to their source.
The risks, too, are different. George
presents GM as a prototypical company in
the 1970s. It’s difficult to covertly attack
a company like that, George explains,
due to their physical resources: “they
had steel, they had inventory, plants,
machinery.” On the other hand, America’s
modern economy is driven by companies
that are more like Google. “The value
of that company is in its intellectual
property, and it’s very easy to steal.”
George is encouraged by the general
response of industry to these new
threats. “Fifteen years ago industry was
not that interested in talking to us,” he
says. Now, “everyone understands that
their products need to be more secure.”
In fact, a lot of George’s post-retirement
time has been spent traveling and making
connections. “I have a pretty good view
of industry” from experiences at the NSA,
and while “I can’t hook up two companies
together...I can certainly tell them who
they might want to talk to.”
He’s also in frequent contact
with academic institutions since his
retirement, giving lectures and talking to
people about curriculum development.
The modern partnerships between
security research in academia, industry,
and government means that there are
a range of opportunities for people
interested in the field. George speaks
with clear passion about the need for
smart young people to get involved in
security-oriented careers both inside
and outside of the NSA. “I think it’s really
important that people in general out there
understand that there is a threat to this
country and we need really good people
working on it...they don’t have to be
working for me.”
Some of the information in this profile
comes from a declassified multi-volume
history of the NSA written by Tom
Johnson, “American Cryptology during
the Cold War.” See http://cryptome.
org/0001/ nsa-meyer.htm for more.
© 2012 ACM 1528-4972/12/03 $10.00
