Victims and Successes
What The Woman Who Smashed Codes can teach us about risk: Killer Cryptography; Cyber Insurance; Cyber Assurance; Public Defense; Climate Clubs
Happy holidays to everybody, and a Merry Christmas Eve to those who are celebrating today! Next week, I still plan on writing a letter, but be forewarned, it may be brief. Thank you for all your support and many correspondences over the last six months.
Our office doesn't make 'em, we only break 'em
— Elizebeth Smith Friedman
Risk Developments this letter:
Killer Cryptography
Cyber Insurance
Cyber Assurance
Public Defense
Climate Clubs
Sponsor, Scale and Story
How did a Shakespeare enthusiast and a geneticist fall in love, fight the Nazis and create the forerunner to the world’s most dominant signals intelligence organization? The life story of Elizebeth Smith Friedman is recounted in “The Woman Who Smashed Codes.” Her tale is a drama in three acts. In the first, she rose from obscurity, due to the patronage of an eccentric businessman and an unlikely teammate. In the second, she answered the call to public service and birthed a powerful intelligence agency. In the third, she fought to reclaim her narrative, one that was almost erased by prejudice, technology and bureaucracy.
Friedman demonstrated an independent streak and a penchant for literature at an early age. Born in 1892 to a large Quaker family in rural Indiana, she bucked the norm and paid her own way through college, studying poetry and philosophy at Wooster and Hillsdale colleges. After trying out teaching, she yearned for more intellectual stimulation and moved to Chicago where, on a quest to see Shakespeare’s first folio, she was introduced to the textile magnate George Fabyan, who offered her a curious job at his private research facility, Riverbank Laboratories.
Before Bletchley Park there was Riverbank, a proto Silicon Valley. The 325-acre estate, outside of Chicago, was home to a Japanese garden, a private zoo, a Roman swimming pool, a lighthouse, greenhouses, libraries, laboratories and a five-story windmill. It was in this windmill that a young scientist named William Friedman was performing genetic experiments on fruit flies. Among the genetic, radiation, acoustic, veterinary and other experiments was Fabyan’s main obsession, Baconian cryptology. Fabyan ran Riverbank as his own personal dictatorship of the intellect, down to the very outfits that Elizebeth was allowed to wear. He lavished his guests with food and research tools, but at the same time he berated them and made unwanted sexual advances. Whatever his faults, Fabyan was incredible at identifying and collecting talent. In some ways, he was America’s first venture capitalist.
Fabyan had convinced William to leave Cornell for Riverbank with a vaguely Zionist agricultural pitch (not unlike Elizebeth’s Quaker forefathers) about genetically modifying wheat to grow in arid climates. The son of Jewish-Russian immigrants, William was, like Elizebeth, independent and unorthodox. His amateur interest in cryptography, due in large part to Edgar Allan Poe’s The Gold Bug, made him a natural confidant for Elizebeth, who was beginning to doubt the Baconian theory.
Three hundred years before Charles Babbage’s difference engine and George Boole’s Boolean algebra, Francis Bacon invented a method of hiding messages in plain sight known as a biliteral cipher. Bacon, an English statesman, philosopher, author and scientist (whose older brother was a spy), discussed the method of his encryption in his letters. His scheme represented letters of the alphabet by five boolean values. These boolean values could be enciphered by alternating fonts (or colors) in a visible message. For an example see the graphic below:
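Bacon’s scheme in code, as an added example that is not part of the original letter: each letter becomes five boolean values, carried here by lowercase and uppercase standing in for the two fonts. It assumes Bacon’s 24-letter alphabet (I/J and U/V share a code) and, as a convention of this example only, uses the spare code 11111 to mark where the hidden message ends.

```python
import string

# Bacon's 24-letter alphabet: I/J share one code, U/V another.
ALPHABET = "ABCDEFGHIKLMNOPQRSTUWXYZ"
MERGE = str.maketrans("JV", "IU")
END = [1, 1, 1, 1, 1]  # unused code, assumed here as an end-of-message marker


def to_bits(secret):
    """Turn each letter into five boolean values, most significant first."""
    bits = []
    for ch in secret.upper().translate(MERGE):
        if ch in ALPHABET:  # spaces, digits and punctuation are dropped
            idx = ALPHABET.index(ch)
            bits.extend((idx >> s) & 1 for s in (4, 3, 2, 1, 0))
    return bits


def hide(secret, cover):
    """Carry the bits in the cover text: lowercase = 0, uppercase = 1."""
    bits = to_bits(secret) + END
    carriers = sum(c in string.ascii_letters for c in cover)
    if carriers < len(bits):
        raise ValueError(f"cover has {carriers} letters, needs {len(bits)}")
    stream = iter(bits)
    out = []
    for c in cover:
        if c in string.ascii_letters:
            # Letters past the end marker are written as 0 (lowercase).
            out.append(c.upper() if next(stream, 0) else c.lower())
        else:
            out.append(c)  # non-letters carry nothing and pass through
    return "".join(out)


def reveal(stego):
    """Read letter case as bits, group by five, stop at the end marker."""
    bits = [int(c.isupper()) for c in stego if c in string.ascii_letters]
    letters = []
    for i in range(0, len(bits) - 4, 5):
        idx = int("".join(map(str, bits[i:i + 5])), 2)
        if idx >= len(ALPHABET):  # 11111 (or any unused code) ends the message
            break
        letters.append(ALPHABET[idx])
    return "".join(letters)


if __name__ == "__main__":
    # Cover text: the Friedman quote from this letter.
    cover = "Our office doesn't make 'em, we only break 'em"
    stego = hide("CODES", cover)
    print(stego)
    print(reveal(stego))
```

The cover text’s own capitalization is overwritten, which is why Bacon’s original relied on two typefaces rather than letter case.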
Elizebeth, who had supposedly been hired for her knowledge of Shakespeare, found herself examining typography in photographs (many of which William took) of the first folio for signs of a hidden message. She learned cryptanalysis under the tutelage of Elizabeth Wells Gallup, who was a proponent of the theory that William Shakespeare was the pseudonym of Francis Bacon, but the more Elizebeth Smith and William Friedman investigated, the less Gallup’s theories made sense. Grateful for Fabyan’s patronage, and uncertain how he would take the news that his favorite theory was a hoax, they hid their findings as long as they could.
At the same time that this internal drama was playing out, the geopolitical drama of World War I was unfolding. The infamous Zimmermann Telegram, which drew the United States into the war, embarrassed the American military establishment. British code breakers had been able to decipher a German-proposed alliance with Mexico against the United States, and to make matters worse, it had been transmitted using American diplomatic naval cables. Fabyan offered up The Riverbank Department of Ciphers to the U.S. military, and in classic startup style, he hired a dozen clerks, translators and stenographers when he heard that a colonel would be sent to make an inspection.
When Elizebeth and William broke the news that Gallup was a charlatan to Fabyan, he did not take it well, but now, with a potential U.S. government contract, he didn’t want to lose his crack cryptanalytic duo. Elizebeth and William had made such a strong impression on Colonel Mauborgne that he recommended they begin work for the War and Justice Departments immediately. From 1917 to 1918, William and Elizebeth served as the cryptographic department for the U.S. war effort, wrote at least eight publications on cryptography, foiled a Hindu-German conspiracy, married one another, and trained the first generation of American military cryptographers. Below is a photo of the first class encoding a message (see here for more information):
Their methods were unorthodox, and their success was as much due to their process, which included joint brainstorming, long walks, jokes and banter, as it was to their individual genius. When William got stuck using his analytic methods, he would rely on Elizebeth’s facility with language. In one early test, the U.S. military requested Riverbank try to break a new British cipher device. Elizebeth recounted:
He asked me to lean back in my chair, close my eyes and make my mind blank, at least as blank as possible. Then he would propound me with questions to which I was not to consider the reply to any degree, not even for a second, but instantly to come forth with the word which his question aroused in my mind. I proceeded as he directed. He spoke the word cipher, and I instantaneously responded, ‘machine.’ And, in a few moments Bill said I had made a lucky guess.
They broke the “unbreakable” code in less than three hours.
The partnership did not sit well with everyone, however. William’s mother was aghast that he married a shiksa, and Fabyan became even more controlling, possibly fearing a conspiracy of lovers. When the couple learned that Fabyan had been reading their mail, bugging their home and withholding alternative employment offers, that was the last straw.
The Friedmans moved to Washington and accepted jobs with the Army Signals Corps. Elizebeth became indispensable in Prohibition efforts to break codes employed by bootleggers and rum runners. She was so successful that the U.S. Treasury soon recruited her to start her own team of cryptanalysts. As word spread of her successes in crime fighting at the Treasury, she got more requests. The Coast Guard (under the Treasury Department at the time) had been intercepting coded German messages in South America since the late 1930s. Elizebeth realized, upon breaking these codes, that they were no ordinary smugglers, but Nazi spies, laying the foundation for global domination.
While Elizebeth worked in public, William’s efforts with the Signals Intelligence Service were top secret. The success of her exploits drew the attention of British security services, who had been rebuffed by J. Edgar Hoover and the FBI. Desperate for an ally in the United States, they sought out Elizebeth and her Coast Guard team. Together the Allies foiled the German Operation Bolívar, a South American espionage ring aimed at winning allies in the Western Hemisphere. Closer to home, Elizebeth was crucial in unraveling the “Doll Woman” case against Japanese spy Velvalee Dickinson.
In total, Elizebeth’s Coast Guard Cryptanalytic Unit decrypted four thousand Nazi messages, conquered forty-eight radio circuits, broke three Enigma machines, stopped numerous coups and likely saved thousands of lives. How did she achieve such results? Elizebeth had incredible stamina. Her team worked tirelessly through 110-degree days in the Naval Annex that housed her office.
“Elizebeth was not shy behind closed doors, sometimes quarreling with Jones about the direction of their work, disagreeing about which puzzles were more urgent or less urgent to tackle (she found his judgement clouded sometimes by careerism, a hunger for promotion that was irritating), she didn’t mind being anonymous on the page. Her experiences as a cryptologic celebrity in the 1930s had convinced her that in this secret world, attention was a kind of poison.”
Publicly, Hoover’s FBI took credit for these victories, waging a propaganda campaign that included a seven-page exposé and a fifteen-minute newsreel. After the war, the Friedmans would have a rocky relationship with the newly established NSA, which confiscated many of William’s papers from his personal library in 1957. In their sixties and retired, they returned one last time to the Baconian theory and put to rest the wild Shakespeare fantasies in a book titled “The Shakespearean Ciphers Examined.”
Neither Elizebeth nor William ever became entirely comfortable with where the field they pioneered was headed, either from an organizational or technological perspective. They broke the first machine cryptosystems in a superhuman feat similar to John Henry, but the computer age was fast approaching. Although William made great contributions to the founding of the NSA, he resented the control over his life and suffered numerous mental health issues throughout.
There are a few types of stories that get told of Elizebeth Friedman. One is as the wife and support figure of William Friedman. “The Woman Who Smashed Codes” dispels this sexist narrative, and points out the many obstacles she had to overcome. Yet, Elizebeth did achieve fame and success in her time, and today she is credited alongside her husband. The pat narrative of “Girl Cryptanalyst and All That” is true, but not the whole truth. The three acts to her story: finding funding and a team, scaling her success, and living to see others commandeer her story, is the more interesting truth. The former story is one of the success of a victim, and the latter a victim of success.
Risk Developments
Killer Cryptography
In other cryptographic news, the Zodiac Killer’s 50-year-old message has finally been cracked by a team of international amateur cryptanalysts, Sam Blake (Australia), Jarl Van Eycke (Belgium) and David Oranchak (USA). This success is yet another demonstration of the power of open source intelligence, but part of me hesitated to write about it here, because I’d rather that we paid attention to the victims. Despite solving the riddle, we don’t seem much closer to justice, but evidence has a strange way of turning up when one least expects it.
Cyber Insurance
In lighter news, when I worked at a catastrophe modeling company, there was a wonderful sort of humor that pervaded the office. Folks who think about catastrophic risks all day, every day, develop peculiar jokes as a way to cope. This is in part due to business cycles of insurance.
When a new product is introduced there are few buyers and sellers. Brokers stoke demand by scaring their potential insured and allaying the fears of carriers. Then a mass event occurs, a hurricane, earthquake or flood that spikes demand just at the precise time when supply dries up. Risk modelers, who help suppliers manage their pricing, step in to provide an arbitrage opportunity, so any big event is a windfall for the industry. It’s a game of years of patient R&D followed by an arms race of adoption.
We may be witnessing one of those spikes with the SolarWinds breach. The cyber insurance market has been soft up until 2020, but a spate of work-from-home-related breaches followed by SolarWinds headlines is making insurers a victim of their success. To be fair, this article is specifically about ransomware, which is not SolarWinds related, but narratives drive action. For example, startup Cysurance is partnering with endpoint software provider CrowdStrike (founder is a former VP at FireEye) to offer Managed Security Service Providers (a common security outsourcing solution) who use CrowdStrike a discount on coverage. In an industry that desperately needs to align incentives, this is a welcome attempt. One hundred years ago, the same thing happened with steam boiler technology and insurance. Here’s hoping it doesn’t take as long this go round.
Two other trends in insurance are personal cyber lines and parametric insurance. Both are broadening the market. Personal cyber lines create more demand as cyber fears ratchet up. Parametric insurance, that is insurance contracts that pay out automatically based on a trigger, creates more supply by making insurance accessible to nontraditional pools of capital, such as insurance linked securities. While the promise of smart contracts is still a ways off, these two early signs are pointing towards a day when all risk will be priced and claims settled immediately.
Cyber Assurance
While cyber financial markets are repricing, the technical side is still dealing with the fallout from SolarWinds and likely will be for some time. Evidence of a second hacking campaign related to the SolarWinds Orion product was announced by Microsoft researchers. CEO of cybersecurity software and hardware vendor Palo Alto, Nikesh Arora, chastised SolarWinds for not being “vigilant and diligent” enough. And, sure, it’s a good chance to get some free publicity. Venture capitalist, Chamath Palihapitiya has even praised Nikesh for making long term investments in R&D. At the same time he raised a good point:
What Chamath is talking about here are public goods. Public goods are non-rival and non-excludable. Non-rival means selling to customer A does not reduce the value for customer B. Non-excludable means you cannot prevent people from consuming the good. Typical examples are providing defense, provisioning public health and enforcing environmental standards. All software is non-rival, but access controls make it excludable. Club goods are non-rival but excludable, like software.
Economist James Buchanan pioneered club theory, and noted that for every club there is a maximum optimal number of members. Think of a swimming pool. Owning your own swimming pool is not optimal because there is deadweight loss created by underuse, but a public swimming pool may get overcrowded. Security software cannot get “overcrowded” from a customer point of view, but from the supplier’s perspective there is an optimal price. This makes security software vendors price setters and customers price takers (similar to monopoly pricing), resulting in the underprovision of security software.
Under our current regime we have managed to be successful victims due to magnanimous individuals such as this Grey Hat hacker who anonymously patched systems, or coordinated civil action, such as the collective suit against the NSO hacking group by Microsoft, Google, Cisco and Dell. The public sector has been conspicuously absent in providing collective defense, relegating itself to a watchdog role (hey, it’s better than nothing!). For example, the NSA released a warning about a privilege escalation technique associated with the SolarWinds hack. Going back through logs of permissions granted in the last six months to check for forged privileges is going to be a long cleanup.
Still, there is one bit of bright news on the incentives front. The Federal Energy Regulatory Commission (FERC) is looking at rate and subsidy incentives for utilities that meet cybersecurity standards. One way to get more people in the club is to offer assistance for club memberships. While the Cybersecurity and Infrastructure Security Agency scales up, incentives to join the cybersecurity club may be the best news we can expect. If CISA gets to scale, we’ll have a different problem, being the victim of success.
Public Defense
National defense is the quintessential public good. We’ve discussed the issues with providing protection before in Rackets in Everything. The military-industrial complex has made the U.S. a victim of our success. The U.S. is spending $4.6B on M1 Abrams tanks, the workhorse of the Iraq War. Being the most successful military in human history and providing defense for the whole neoliberal order has cost the American taxpayer dearly, but despite the continued costs, there are early signs that’s starting to change.
The German government paid a premium to private equity firm KKR to buy a 25% controlling stake in defense firm Hensoldt. Meanwhile, the U.S. is looking to address some of its costs with AI piloted planes. In other aerospace news, Japan is hiring Lockheed Martin to build them a Japanese designed fighter plane. In Byrne Hobart’s The Diff, he shared how legendary semiconductor company TSMC became a behemoth by manufacturing, not designing chips (paid subscribers only). This model shares a lot of the club good dynamics discussed above. Now a similar phenomenon may be happening at a national level as countries formerly under the U.S. security umbrella begin to design their own weapons platforms, hiring American firms to build them.
Speaking of semiconductors, the U.S. DoD is looking to bring manufacturing of semiconductors back onshore to prevent supply chain attacks. The value of a club membership in national defense goods is always cycling between advantages of cost and scale on the one hand and control and secrecy on the other. TSMC may soon find themselves a victim of their success.
Climate Clubs
Lastly, there’s been movement on the climate change issue in the private sector, with some nudges by public sectors. The Federal Reserve took a page out of the NSA’s book providing a warning to banks about the risks of climate change. The world’s largest asset manager, BlackRock pledged to make climate change central to its 2021 strategy. So far this is mostly lip service, but the incentives could be shifting.
For one thing, housing prices in the U.S. are responding to the impacts of climate change. French electronics manufacturer Schneider Electric completed a deal to invest in Planon Beheer, a big bet that real estate firms will spend money to upgrade the sustainability of their buildings, essentially creating green clubs that can charge tenants for memberships above market rents. The difficulty with climate clubs is that the benefits of environmentalism are non-excludable.
One way to get around this problem is to tie climate to defense, making it a public good more palatable to the public. Estonia is doing just that as they build condenser plants that create a redundant supply of energy to stabilize their national grid, currently beholden to Russia. The real utopia is not to be a successful victim, as Estonia has been historically, or to achieve dominance and live to become a victim of your success, but to eschew success altogether and aim for independence.
Gratitude
Thank you to Derek Browers, Griff Foxley and Dillon Chen for motivation and edits! Also thank you to Jason Fagone, Byrne Hobart and Chamath Palihapitiya for sharing your inspired thoughts.