In the very early 1990s, I was a Deputy Division Chief at the National Security Agency - roughly a second-level supervisor. For the Information Assurance Directorate (IAD, the defensive mission at NSA), ours was the first organization created to perform the security/vulnerability analysis of software and the emerging technology of networks. The Internet had just started to take off as a major disruptive force in our lives, and our Division (thanks to some very clever computer scientists) was on the "bleeding edge" at NSA with a handful of shared Internet terminals located on a table in the workspace.
The technical culture of the times? The NSA as a whole was a sort of “closed society,” with its own body of knowledge developed since World War II. Most security analysis was centered around the mathematics of cryptography and the technology to implement it. It was the same in the IAD. Computer and network security were sort of “startups”—or maybe even “upstarts”- something less than Really Important Work.
When I returned from a 2-year assignment at Sandia National Labs, one of my analysts spent an afternoon walking me through the early World Wide Web. It was clear that the world was changing, and we needed to change with it to stay relevant. And we could not do that from our classified-only networks.
So I put money and justification into a budget proposal to acquire open Internet access for every analyst in our Division.
Someone tipped off the Group-level Technical Director, Bob, about what I was doing. (“Group” was two levels up in the organization, and Bob was the lead Technical advisor to the Chief and a well-known pillar of the crypto math community.) Bob came rushing down to my desk to confront me, just short of horrified.
As-near-to-exact-quotes as I can recall...
Bob: "What the heck are you thinking? What could we possibly learn from the Outside that would be worth the risk of Unclassified terminals in our workspaces???!!?"
Me: "Uh, Bob, the entire network and software analytic capability of the mission is sitting here, maybe 8 or 10 of us. If there are 10 of us, there are ten thousand and many more ‘outside’ working on network and software security."
Bob: "Rank amateurs!!"
A heated and painful conversation followed, about analysis, the value of classified versus unclassified information, the creation and sharing of a body of knowledge, the commercialization of security, blah, blah, blah.... At one point, our voices raised, we had to take the argument out to the hallway.
Finally, Bob, more perplexed now than angry, says....
Bob: "When are you computer guys going to be able to do what the math community has done??"
Just a note for context. I started my NSA career as a crypto mathematician in IAD. Bob was one of the people who told me, with the very best of intentions, that I was making a career mistake by shifting to computer science (in about 1981).
Me: "Bob, I stand in awe of the cryptomath community at NSA... the in-house body of knowledge, the development of people, the incredible literature, world-class tools. I get it.
"But never again in our history will we get 4 decades of uninterrupted monopoly to build a body of knowledge and our own analytic community. Those conditions will never exist again, and that's not a good model for the future."
He eventually gave up and walked away.
I have no idea if I convinced him of anything, but we got our terminals.
I don’t share this story to criticize Bob. He had earned his place as a pillar of the NSA math community. But he had grown up in what was essentially an information and mission monopoly - a great one, but a monopoly nonetheless. And the times were changing fast. Technology and universal connectivity were becoming the foundation for our social, political, and economic lives. And so knowledge about information security was becoming part of the public discussion. We at NSA needed to be part of that.
An organization with a strong techno-centric culture can become resistant to change. Smart people sometimes believe they are smart at everything, and almost every aspect of an organization evolves to reinforce and even protect a dominant culture.
Early in my first management job, I clipped an article from a government-oriented trade magazine that struck a chord. It’s been in a paper file since then - a reminder to respect the past, but never be trapped by it.
Wonderful context for what NSA came to be able to do, with lessons for many of us now. Your penultimate paragraph is eminently quotable. However, I would quibble with the headline of the article in your paper file. Would that we could simply toss experience out--it would be so much simpler if we could. It can often help, though it is not a thoroughly reliable guide and must be called on judiciously.
I do recall those times trying to grow a scary discipline - network security. We did carry lessons forward but the entire mission was transformed due to the lack of control over the technical area. We went from COMSEC (a monopoly) which dictated what was necessary to the realization that we had to manage the space as Information Assurance and not dominate it.
Becoming more involved in the public market space was humbling and invigorating at the same time. It seems the mission lurched forward but there was a lot of resistance to change that remained strong. I think it still remains strong!