The story dates to 1941, when mysterious letters appeared in the mailboxes of a few select students at Seven Sister colleges, seven liberal arts colleges in the Northeastern United States that are historically women’s colleges. These were students who had shown unparalleled skills in fields like Math, English, history, foreign languages, and Astronomy. Each student who received a letter was asked to meet with senior professors who asked them some rather peculiar questions — did they like crossword puzzles? Did they have wedding plans? All the selected students were women, and they did not have an inkling that they were being inducted into serving their country in a task that would stay secret for the next seventy years or more. These were the “Code Girls.”
By Augustin Kurian, Senior Feature Writer, CISO MAG
While history remembers the contributions of Alan Turing and his celebrated feat of breaking the enigma code helping Britain win World War II, these were his western counterparts who achieved a feat similar to the cryptographers at Bletchley Park. These women of prodigious intellect worked day in and day out translating documents and forming teams to solve the elaborate, ever-changing codes of the Japanese and German navies. Life wasn’t easy for them as they dealt with bureaucratic rivalries and administrative sexism. Liza Mundy in her book “Code Girls: The Untold Story of the American Women Code Breakers of World War II” tells the stories of these female cryptographers who cracked several diabolically difficult systems. In 1944, the code-breakers intercepted and decoded 30,000 water-transport messages a month. They were instrumental in enabling the U.S. Navy to pinpoint and sink several supply ships heading to the Philippines and South Pacific. They also created and spread false intel about Allied landing sites for the Germans to intercept.
The Code Girls were arguably America’s first ethical hackers, or rather the modern-day bluestockings — similar to the intellectual women of the 18th century.
Mundy’s book quotes a code-breaker named Ann Caracristi as saying, “It was generally believed that women were good at doing tedious work, and… the initial stages of cryptanalysis were very tedious, indeed.” She reflected “never in my life since have I felt as challenged as during that period… When the needs of society and the needs of an individual come together, we were fulfilled.”
But after the war was over, the women were expected to give up their jobs and jump right back on the baby-making bandwagon. Only a few were able to get high-level positions at the NSA, while for the rest, their tremendous achievements were buried deep in the classified pages of war secrets.
Cut to the present and women in cybersecurity have been a widely discussed topic. Women make up only 24% of the global cybersecurity workforce. “In the United States, I’ve observed that women consider the field to be too technical, preferring to work with people rather than technology. I don’t see that same reluctance among my international female students. I have to think it must be something tied to the culture—a meme that ‘girls don’t like this work,’” points out Barbara Endicott-Popovsky, Executive Director, Center for Information Assurance and Cybersecurity; Fellow, Aberystwyth University, Wales. “Some say that women don’t like the culture of cybersecurity organizations—they are too rough, too male, unfriendly—perhaps intimating bias. I’ve only had to address a couple of instances of clear female bias in my career; it may have been more prevalent, but my nature is goal-driven and curious, so I don’t allow myself to be distracted from my goals. In my experience, if you are passionate about what you are doing, distracting nonsense fades into the background. Find your passion, know how to prepare yourself, and then the rest of this resolves in the background.”
The first step towards solving any problem must be identifying that there is one. Several studies around women in cybersecurity point out how the disparity traces its roots back to school. “Lack of awareness among those advising students/girls of the many opportunities in high-paying cybersecurity careers is at the root of the problem. Colleagues who have held cybersecurity events specifically for young women have found a huge interest can be developed. The field is fun, exciting, ever-changing—like being a sleuth, tracking down adversaries, putting a puzzle together,” suggests Barbara. “This field wasn’t here 20 years ago when educators and advisors were getting prepared to teach and counsel. We need targeted programs to raise awareness among educators from K-12 through bachelor’s degree programs. We need a pipeline.”
In an online survey, Kaspersky Labs and Arlington Research pointed out that the average age at which young women decide on their future career is 15 years and 10 months, and those that haven’t decided by this time expect to have decided by the age of 21 and 9 months, making it very difficult for cybersecurity firms to influence their choices after this point. In 2010, even though 57% of undergraduate degree recipients were female, only 14% of them pursued majors in the same field.
Often, even when women do venture into the field, they struggle to make it into management positions. A global survey of nearly 22,000 firms revealed that “almost 60% of firms have no female board members, just over half have no female ‘C-suite’ executives, and roughly one-third of the sample has no women in either C-level or board positions. The results suggest that the presence of women on corporate boards and in C-suite positions may contribute to firm performance. The impact is greatest for female executive shares, followed by female board shares; the presence of female CEOs has no noticeable effect. This pattern underscores the importance of creating a pipeline of female managers and not simply getting women to the very top.
Gender diversity comes coupled with surprising benefits
“Let me start by explaining why I think having more women in cybersecurity makes us all safer. In cyber, you need diverse points of view or you’ll miss potential threats. You must be right 100 percent of the time. The flawed hypothesis methodology – with which I fully agree — ensures having a diversity of perspectives when you form a vulnerability assessment team. This diversity is critical because if your organization recruits people with similar backgrounds, you’ll end up seeing everything the same way; however, if you have a diversity of views, then your organization will benefit from a wider situational awareness of possible flaws in the system. What I would really recommend women do is set their sails and don’t look back,” Barbara stresses.
According to her, “There is something for everybody – pathways range from purely managerial to deeply technical. Go through the framework and find what you’re interested in. Think about your gaps and how to fill them with further education and training. I encourage women to do what they’re passionately interested in and be persistent in pursuing their goals.”
Women were in the vanguard of cybersecurity and played a pivotal role in World War II, but their potential has not been tapped in the digital war the world is currently fighting.
While CISO MAG has discussed, Turing possibly being the first and the greatest ethical hacker who ever lived, the stories of these young women aren’t that different from his. They were among the first to work in cryptography and early ethical hacking, making huge advancements for their country in a time of war. In an industry that has been marred by the oft-reported lack of gender diversity, these women’s stories should remind us that the realm of information security wasn’t always dominated by men. Their stories should also highlight the fact that we have a long way to go, as the 1940s weren’t all that different from some women’s experiences today in some respects. As Mundy points out in her book, “It was not easy being a smart girl in the 1940s. People thought you were annoying.”
About the Author
Augustin Kurian is part of the editorial team at CISO MAG and writes interviews and features.
CISO MAG’s March issue on Women in Cybersecurity is out. Preview here. Subscribe now!