As defined, cryptography is the tool used to keep messages and other information secret. In standard use, it involves the use of ciphers, which are a ‘secret or disguised way of writing.’ Cryptography as a field of study and employment is a recently developed (and growing) profession. The primary purpose is to use mathematically-based encryption methods to keep data and information out of the reach of unauthorized individuals. Stemming from code-making and code-breaking, the fields of cryptography and cryptanalysis have a long and informal history. Codes, ciphers, puzzles and brain-teasers have been around as long as language has existed. In terms of security, cryptography and cryptanalysis have a very specific meaning and purpose: cryptography is deliberately designed to restrict access to data and information within organizations. The Cryptographer “creates the lock” and administers the primary key for a computer-based database or other electronically stored information; the Cryptanalyst seeks to break in and obtain access to the protected data, information and/or network. The role of Cryptanalyst is that of puzzle-solver – a very complex puzzle solver!
Foundations – Education
As with cryptography, a strong background in computer technology, information technology and mathematics makes up the groundwork for cryptanalysis. Computer Science, Computer Engineering and/or other more technical degrees comprise the minimum requirements for entry into the field. Similar to other highly technical fields, a Master’s Degree is desirable, although there may be entry-level positions available for the Junior-level cryptanalyst. This allows them to grow into the position and market and hone their skills “on-the-job.”
Cryptanalysts often have a broader experience or background than cryptographers, using elements of different languages (human and machine), geography, history, philosophy and theology in their computer-based skillset. As the solver of the puzzle, the cryptanalyst takes many variables into consideration when working to decipher a code. Other, more common skills include critical thinking, social perceptiveness, reading comprehension and problem-solving.
Foundations – Experience and Certifications
Typically, an employer prefers 3-5 years of cryptanalysis, cryptography or other related experience in a candidate. Since no specific standard exists within the employment market, employer work experience requirements will vary. Often, good experience in a related field can open the door to a cryptanalysis position. There are entry-level positions by which experience can be gained.
Presently, only one Certificate for cryptography exists. It is sponsored by the International Council of Electronic Commerce Consultants (EC-Council): EC-Council Certified Encryption Specialist (ECES). The School of Cyber Security offers a Certified Expert Crypto Professional (CECP) certification. A general certification such as Certified Information Systems Security Professional (CISSP) can be useful. Other cybersecurity-related certificates are available to enhance a resume and background.
Please note that the National Security Agency offers summer programs in a cyber-security environment in order to meet the following goals:
Increase interest in cybersecurity careers and diversity in the cybersecurity workforce of the Nation
Help all students understand correct and safe on-line behavior, and how they can be good digital citizens
Improve teaching methods for delivery of cybersecurity content in K-12 curricula
Foundations – Continuing Education
The field of cryptography is still very fluid and ever-changing. Therefore, continuing education is vital for the long-term success of the Cryptanalyst. The “half-life” of technology gets shorter and shorter year by year; information travels at light-speed and code-making cryptographers work constantly to develop the next best coded defense to ensure the integrity of data, information and network security. It is imperative for the cryptanalyst to stay informed of technology advancement through trade publications, news, blogs and organizational affiliations. Formal and informal continuing education programs, classroom training and field exercises are critical to maintaining pace with new methodologies in the security industry. Many other professional roles have designated requirements for continuing education; within the computer and technology industry, certifications must be refreshed every few years, and it follows logically that trends and technology will change over time. The successful Cryptanalyst willingly keeps learning about the world of computer security.
Employment Opportunities – Job Titles
There are several job titles that encompass the work of cryptography; some examples are:
Of course, the duties of cryptanalysis are embedded within numerous cyber-security job roles; the list above represents a small sampling of job titles that specifically incorporate the cryptography keywords. The career path may also lead to unexpected areas of the Information Security industry, including Security Consultant, Financial Consultant or University Professor.
Employment Opportunities – Job Duties, General
The Cryptanalyst is the one who evaluates and decodes secret messages and coding systems to reveal information or gain access to data or networks. The typical organizations that use this ability are Police forces and Government agencies. Cryptanalysts will offer their work on a consultant basis in order to test the security of a data network to ensure that privacy is properly maintained. This will include working with (or for) banks and other financial institutions, insurance companies and government agencies at all levels. The cryptanalyst’s efforts ensure that financial transactions, access to personal and confidential information and communications are secure.
One specific duty is to play the role of a hostile agent (hacker) to determine the strength of an organization’s security program.
Cryptanalysts understand how to decipher codes as well as write codes that cannot be decoded by hackers. The largest employment opportunity is within the financial services and retail market environments. The number of transactions that occur daily is staggering – each individual transaction represents an opportunity for a breach of security and financial loss for customers, sellers and third parties. The cryptanalyst’s work protects these transactions to preserve the flow of business.
As a security consultant for a specific organization, there are certain tasks assigned to the Cryptanalyst (with some degree of variation). For example, daily duties within the National Security Agency will vary from those in a large financial services company. On any given day, a Cryptanalyst could be tasked with any of the following:
Study, evaluate and test ideas as well as alternative theories
Conduct research in cryptology and cryptanalysis techniques for specific applications such as computer science, telecommunications or other fields
Develop mathematical theorems and formulas
Perform cryptic computations and numerical analysis
Create new cryptic processes
Act as consultant to research staff involving cryptic and mathematical methods for specific applications
Help solve security-related problems
Employment Opportunities – Job Duties, “Soft” Skills
Apart from specified duties as described above, a Cryptanalyst must have specific skills to complete their work effectively. These skills include (but are not limited to) the following:
Good understanding of major programming languages (C, C++, Java, Python, etc.)
Good understanding of computer architecture
Excellent mathematics skills (linear and matrix algebra, probability)
Good understanding of complexity theory, number theory and information theory
Expertise in encryption, key exchange and digital signatures
Expertise in symmetric and asymmetric cryptography in areas of hash functions, authentication coding and encryption
Expertise in data structures, statistics and algorithms
Additionally, there are other, somewhat more universal skills required for excellence in the field:
‘Challenge accepted!’ mindset and an interest in puzzles
Strong ethics and good judgment
Employment Opportunities – Job Duties, Private Sector
Businesses and non-governmental organizations use cryptography in daily activities. Encrypted emails, secure websites and secure cellphone transmissions are just a few examples of the specific application of cryptography skills. Nearly all purchase transactions – both point-of-sale and online – involve encryption to keep the buyer’s financial data and information secure. Brick-and-mortar retailers use encryption in their check-out lines as well as their general security systems. “Shrinkage,” or loss due to theft, costs retailers millions of dollars annually. A Cryptanalyst will work to ensure that a business’s security practices are sound.
Online retailers rely on data encryption to protect their customers’ private data within the transaction. The secure webpage provides the consumer with the confidence that the business’ online security is robust enough to allow buyers to purchase with confidence. That confidence is provided by the Cryptanalyst and their skills in their trade. The once-described “strong encryption” techniques formerly used in military applications are now widespread throughout all business sectors.
Cellphone providers are researching a methodology to encrypt cell phone signals to ensure privacy of conversations and prevent unauthorized access. This idea is not new, but after the events surrounding the investigation of the San Bernardino shooting (contained in the case FBI v Apple), phone security and privacy issues are at the forefront of business thought.
Business runs on email conversations; encryption programs protect information and require monitoring, evaluation and upgrades in order to maintain a high level of information security and integrity. There are specific companies that offer encryption software and larger organizations may have internal security teams develop proprietary protection software.
Employment Opportunities – Job Duties, Public Sector
The National Security Agency (NSA) is considered to be “security central” when it comes to cyber-security. Protection of data is critical within governmental agencies, military and federal law enforcement teams. Cryptanalysts will assist law enforcement to solve crimes, mitigate threats or other security concerns; they will also ensure the protection of all conversations (voice, text and email) within governmental agencies.
Each branch of the military requires data and information security similar to that of the NSA, with the additional level of importance being the national defense. Troop/personnel orders, statistics and locations must be shared with appropriate individuals and kept away from enemy combatants. Launch codes, weaponry locations and other critical data must be protected as well.
The Cryptanalyst’s role is uniquely challenging as they must stay ahead of the opposite role (cryptography) to reveal any gaps in the security of information and data. Because the nature of the business is so complex and changeable, the cryptanalyst is always learning. This is a role that has universal application and a never-ending learning curve!