An Interview with
SHEILA BRAND
OH 489

Conducted by Rebecca Slayton
on 29 September 2016
Pikesville, Maryland

Charles Babbage Institute
Center for the History of Information Technology
University of Minnesota, Minneapolis
Copyright, Charles Babbage Institute

Sheila Brand Interview
29 September 2016
Oral History 489

Abstract

This interview with security pioneer Sheila Brand discusses her early training and career in mathematics and engineering before turning to her work in both private sector and government computer security. In the late 1960s and early 1970s, Brand helped to develop and secure time-shared databases at Commercial Credit Corporation, shortly after Commercial Credit merged with Control Data Corporation (CDC). In the 1970s Brand worked on computer security in the Social Security Administration and the Inspector General’s office of the Department of Health and Human Services before going to the National Security Agency’s new Computer Security Center in 1982. There she authored the Trusted Computer System Evaluation Criteria (TCSEC), or “Orange Book,” which influenced computer security standards around the world. In her later career at the National Security Agency she worked in intelligence as well as continued standards development, for example leading the task force that developed the Unified INFOSEC Criteria. Brand also discusses the processes whereby she overcame multiple obstacles to women pursuing careers in science and engineering, and the process of becoming a manager as well as a problem-solver.

This interview is part of a project conducted by Rebecca Slayton and funded by an ACM History Committee fellowship on “Measuring Security: ACM and the History of Computer Security Metrics.”

Slayton: What I’d like to do today is just get a better sense of your background, your life story, and how you got to the career that you did - what you accomplished. So, can we start with some biographical questions? - some, basic stuff.
Where and when were you born? - things like that.

Brand: All right. I was born in Dayton, Ohio, on December 28, 1936. And my father was an electrical engineer, so we moved around the country. I spent a few years in California, a few years in New York, a few years in New Jersey, and then I went to Indiana University. And one of your questions was where I first got involved with computers, and Indiana had a computer.

Brand: And I wanted to take a course, but they didn’t give courses to women.

Slayton: Oh, wow.

Brand: As a matter of fact, when I went to Indiana, I was told I should major in education because that was what women did.

Slayton: You could teach.

Brand: I could be a teacher, and I said I didn’t want to be a teacher. I wanted to be a mathematician, and they couldn’t stop me from majoring in math. But the professors at Indiana were a mixed bag. There were some really wonderful mathematicians, who were good teachers, and then we had one teacher who was from Princeton - just got his PhD - and he was a shiny new assistant professor, and he hated women. And he came into the class, and he looked at the women in the class - this was advanced calculus - and he said, “Before the end of the year, you’ll all change your majors. You’re all going to flunk out.” And there must have been around 20 people in the class, and half of us were women, and most of the women did flunk out. I didn’t; I made it, but it was a horrible experience.

Slayton: Did as many men drop out as women dropped out?

Brand: No. It was only the women. He was fired, I heard, after. This was in the 1950s; I went to Indiana in the ’50s. And anyway, so I went to IU. I met my husband at IU, and then when he finished his PhD, we went to Brandeis. And I got my first job - my first real job was using my astronomy background tracking Sputnik.

Slayton: When would that have been? - 1957, 1958?

Brand: Sputnik was launched in ’57, and I got my degree in ’58, and we left Indiana in ’59, so it was in ’59.
The Smithsonian had set up tracking stations around the world, and they sent the tapes - they were, I think, photographic tapes - back to Smithsonian in Cambridge, Massachusetts, which is where they had their headquarters. Smithsonian Astrophysical Observatory is part of Harvard, or it’s linked with Harvard. Smithsonian hired me as one of their trackers, and I would get these tapes, and I would put them in a little machine, and I would calculate the right ascension and declination. There was a group of us who did this.

Slayton: Were there a lot of other women in the group?

Brand: Half were women - it was very equal.

Slayton: That’s interesting.

Brand: It was not a biased thing. They were hungry for people who had some astronomy background, and I just fell into it. I don’t know how I even got the job.

Slayton: And you minored in astronomy.

Brand: Yes.

Slayton: Yeah.

Brand: So, that was my first job after we moved from IU. And then I moved down to the actual astronomy department at Harvard where I worked for a short time. So, that was basically my first encounter with anything dealing with computers.

Slayton: Was at Harvard?

Brand: At Harvard, right. But I didn’t work in computers. I was strictly an astronomer-type person. Next I went to work at Bedford Research at Lincoln Labs, and, again, I did use mathematics to calculate various things for upper atmosphere analysis work, but again all of this work was done without a computer - never worked on a computer. At each of my jobs, I wanted to work on computers, but they didn’t give me the opportunity. Like at Smithsonian, they had a computer, they had a computer department, but it was impossible to get a job using the computer.

Slayton: So, was it an explicit policy, or was it just the way things happened? They just happened not to hire women ever.

Brand: Right, exactly. It was very subtle.
The only place where it was absolutely spoken that they didn’t hire women was when I applied for a summer job while still in high school. My high school math teacher said, “You should be an actuary,” because the easiest subject for me was math. So, I wrote to Prudential Insurance Company in Newark, saying I’d like a summer job in the actuary department. And they wrote back, and they said, “We do not have women actuaries.” And I wish I had saved that letter because that was a real explicit policy. They did not hire women as actuaries.

Slayton: It was very demoralizing…

Brand: Well, in your era, you didn’t have quite the same level of discrimination.

Slayton: It wasn’t nearly so bad.

Brand: But in Indiana University, already, I saw that it was going to be an uphill battle. But I was a very forceful person. I was never a wilted violet. There was nothing called women’s liberation in those days, but if you want to do something, you want to do it. There was no fear - no history behind me that said, “You’re not going to be able to do this.” So, I just forged ahead. In Israel, I learned, for the first time, about machine language.

Slayton: I’m sorry. When did you go to Israel?

Brand: We left Brandeis in ’61, and went to Israel for two years. My husband had a postdoctoral fellowship in the Weizmann Institute. Actually, he had it with the man who became the president of Israel.

Slayton: That’s fascinating.

Brand: Yes, it is. And I got a job in the math department at the Weizmann Institute working for a mathematician calculating tidal wave fluctuations, and it was a strange job. It was really a strange job where I calculated wave fluctuations for him. He gave me formulas, and I just did the calculations.

Slayton: So, when you were doing all these calculations, they didn’t involve machines at all? It was just paper?

Brand: No, it was just paper, but they had a real computer: WEIZAC (Weizmann Automatic Computer) was the first computer in Israel, and one of the first large-scale, stored-program, electronic computers in the world [The first computers Weizmann Institute of Science, http://wis-wander.weizmann.ac.il]. It was built at the Weizmann Institute during 1954-1955. It took up a large room with a huge amount of paper tape drives, and everything was done in machine language. And I did not have a job in the computer department, but I did learn about computers, and I decided I really wanted to learn about computers. But, again, my job did not involve using one - it was all done with a Marchant calculator. Did you ever hear of a Marchant?

Slayton: It sounds vaguely familiar.

Brand: It’s a hand calculator. It was one of these big hand calculators.

Slayton: Was it electronic or mechanical?

Brand: Mechanical.

Slayton: Mechanical, okay.

Brand: You did your calculations either with a slide rule or with one of these calculators.

Slayton: The mechanical calculator, yeah.

Brand: In 1963, after two years in Israel, we moved to Baltimore; my husband got a job here as an assistant professor.

Slayton: At the University of Maryland?

Brand: No, at the Johns Hopkins University.

Slayton: At Hopkins. Oh, I’m sorry. Okay, it was Hopkins directly.

Brand: Yes, he joined the Biology Department in 1963 and has been there ever since.

Slayton: That’s nice. That’s not what happens all the time for academics.

Brand: He was very lucky.

Slayton: That’s great.

Brand: He had good postdocs.

Slayton: That’s fantastic.

Brand: I think that has…makes a difference.

Slayton: Good mentors are everything.

Brand: Yes, and he had very good mentors. My first job in Baltimore was with Martin Marietta, and my job was as a pseudo-aeronautical engineer. This was during the era of building missiles. And they were building the prototype for the shuttle program.
It was called the Lifting Body, and I got a job in the wind tunnel section. It was very interesting work. There were three women in that department and 300 men.

Slayton: Oh, my, goodness.

Brand: Our department was in a huge hangar in Middle River, Maryland. Middle River is a suburb of Baltimore. Well, the Gemini work was done there also and only three women in the engineering department and we were given jobs plotting points. Now, this was a career issue. Here I was - I had already been out of college five years, and I had had some real experience, and I was given a job plotting points. This wasn’t with a computer. This is just plotting points on graph paper. On the other hand the men, coming right out of college, were given jobs as project managers. So women were not allowed to really progress in any real way. And I did this plotting points for about a year, and then someone took pity on me and gave me some real calculations to do. Before you do a wind tunnel test, they put little transducers on the models to be tested. We had a little model of the shuttle (but it was called a Lifting Body). And you have to be able to have specific data to be used in actual wind tunnel test on the pressure points of these transducers. My job was to make all the necessary calculations needed to arrive at the data. I was still an engineer; I wasn’t a computer programmer. And anyway, I did all these calculations, and the person who does those calculations is supposed to go on the wind tunnel test. The wind tunnel tests were done in Langley, Virginia, at the major Air Force wind tunnel facility. And when it came time, they said to me I couldn’t go because they didn’t allow women to travel at Martin Marietta. I went to the head of my little section, and I said, “Show me the policy.” And he couldn’t show me any policy, so I went to the head of engineering of all 300 men and three women. And he smiled, and he said, “There is no policy.
You go right ahead.” So, I was the first woman, that I know of, from Martin Marietta, to go on a wind tunnel test, and in Virginia, where they had this wind tunnel, they didn’t know what to do with women. They didn’t have any women in their facility and no Ladies Room. “You really can’t come here,” and the men said, “Oh, yes, she can. We will stand guard.”

Slayton: Well, that’s good.

Brand: So, the men were all on my side. I had very good friends, and they were all really on my side, and that really helped a lot. After working on the wind tunnel test there was a recognition that I had more technical/mathematical skill than had previously been recognized. I moved up in aeronautical engineering. I was transferred into a group who designed the reentry of the shuttle. And I did calculations. I really used my math for the first - probably the only time in my career where I used modern algebra and used calculus. I used everything.

Slayton: This was reentry of Apollo?

Brand: Of the shuttle.

Slayton: Oh, the Space Shuttle. I thought that wasn’t until the 1980s.

Brand: They were calculating.

Slayton: Oh, already? I see, they were already planning for it?

Brand: The Lifting Body was the original name of the project that became the shuttle. All right? The wind tunnel tests that we did were on a miniature little model of what you would call the shuttle.

Slayton: Did they conceive of it as a shuttle at that time, or did it later become the idea that it would be the shuttle?

Brand: You know, I wasn’t involved, really, in the function of the ultimate system. I just worked on the mathematics. At the time, it was the Lifting Body project. And I bet you could go to Google and find Lifting Body. I really should do that sometime.

Slayton: That would be fascinating.

Brand: This really high-powered, mathematical group were calculating things like heat reentry, and that’s what I did.
And then when that contract ended, for some reason, and I was offered the job in the scientific computing department, I grabbed it. I mean it was a wonderful -

Slayton: And, again, at Martin Marietta.

Brand: Yes, Aerospace is a very fickle field. Companies get contracts, and they lose contracts. And Martin Marietta was no different. They lost a major contract, and they offered me a job in their Colorado facility, which I couldn’t take because my husband was at Hopkins. So, they said, “How would you like to work in the computer department?”

Slayton: That’s great.

Brand: So, that’s how I got into computers. I was sort of thrown over the wall into the scientific computer programming department, and those people really were pioneers. I mean they were the people who tested out Fortran II, and they were the people who wired boards, and they were people who started when the field was really in its infancy. By the time I got there, they had an IBM 7094. And the way they taught me was to give me a machine language trajectory program listing about a foot high, and they said, “We want you to take this and convert it into Fortran.” And to do that, I had to first learn machine language, and after I learned machine language, I had to learn Fortran, and I did it. And it was the best training because I really learned what a computer was all about. I wasn’t a programmer, but I did not really have a choice: sink or swim! Those first weeks were terrifying.

Slayton: Learning how to use computers by translating machine code all the way up to Fortran.

Brand: Right, so that I could transfer this huge machine language program to be used on the 7094 in Fortran and I really learned what a computer was all about. After I left Martin Marietta -

Slayton: So, when would that have been? - 1960 -

Brand: No, 1967.

Slayton: ’67, okay.

Brand: In 1967 my boss, from the scientific programming group, at Martin Marietta moved over to a subsidiary of Commercial Credit Corporation, and he offered me a job in the systems department. He asked me if I wanted to become a systems engineer, and so that’s how I really became a systems engineer.

Slayton: And that was about designing this big database?

Brand: No, that was maintaining operating systems. They had a CDC 3000, and my job was to maintain it through sysgens to make sure it worked - to come in in the middle of the night when it didn’t work and find out why it was crashing. So, that was really a computer job.

Slayton: How much of it was hardware, software? Was there a distinction? Both?

Brand: Well, in order to do a sysgen - do you know what a sysgen is?

Slayton: System generation - I don’t know.

Brand: Yes. Yes, that’s right. In order to do a system generation, you had to actually interact with the hardware to tell it where cards are going to be coming in so it could start taking information. There was a little bit of black magic involved in being a systems engineer in those days. This was the beginning of my understanding of the need for computer security. Becoming a systems engineer was a real big deal to me. I mean I was really into the computers and to the operating system and understanding how the CDC operating systems worked. When our company got new configurations of hardware, you had to redo the operating system. And my first big job was to do a sysgen for a whole set of new disc drives that were coming in. And you did that at night because during the day, they did regular business, so everything was done at night.

Slayton: This was all batch processing machine? It wasn’t a real-time machine.

Brand: Well, it was sort of real time.

Slayton: Oh, was it?

Brand: There were terminals, but they were just hard-wired through an internal network - I mean it wasn’t what you would think of as a network today.

Slayton: It was a very small network, so a few terminals hooked up to it?

Brand: Right.

Slayton: Interesting.

Brand: But my job, really, had to do with the actual hardware and software of the machines that ran everything. So, to do the sysgen I had this deck of cards. Everything was cards in those days, and I had my deck of cards all ready, and I had really rehearsed in my mind, and I knew everything. I was all excited. And I went down to the machine room about 6:00 pm, and there were four of us on this team, and this was my big chance. It was the first time I was doing that, and it didn’t work. It didn’t work, and I was panicked because I knew I had to do this before morning. So, I ran upstairs to my office to get my listings. And I was looking for my listings, and I opened the filing cabinet of the guy who worked next to me, and I found my deck of cards. He had sabotaged my deck of cards.

Slayton: That’s terrible.

Brand: Yes, it was. It was terrible, and that’s how I learned about computer security.

Slayton: Oh, my, goodness. And was this because you were a woman? Was this because - what was this about?

Brand: They just didn’t want me to be involved. It was a four-person team. I was a newbie. I was taking work away from them.

Slayton: I see.

Brand: I don’t know if it’s because I was a woman or if they just didn’t want another -

Slayton: You’re just a new person.

Brand: A new person - I won’t blame that on being a woman, but that is how I got an awareness of computer security.

Slayton: That’s personal.

Brand: It was very personal. My job was in a small subsidiary of Commercial Credit called CIPC. Eventually, CIPC was absorbed by the major Commercial Credit office, and we were all moved down to the main office, which was in a different location. When our subsidiary was merged with the Commercial Credit headquarters all our jobs disappeared. I mean our jobs maintaining the operating system ended. They gave me a job working with database.
They were starting databases, and they were thinking of buying System 2000. And they sent me down to Texas where System 2000 was being developed to learn about the System 2000 system. I got involved with database design and making recommendations on whether we should buy it for Commercial Credit. That assignment lasted just for a few months because I was very unhappy that I had been taken out of the systems engineering. That was really what I enjoyed doing.

Slayton: So, you were moved, not because this operating system didn’t work, but just -

Brand: No. I became a big success in the operating system world at the CIPC. But CIPC was merged - it went away. It basically went away.

Slayton: And then they took you out.

Brand: And then they took us and they moved us, physically, from this building that we were in to another building where the major Commercial Credit operations were - where they did business. Eventually they gave me a job, which was a very interesting job (after I did this database work) to figure how their remote offices could use the computer to generate checks. They knew they had to separate remote computer programs from work done at the home offices, and so they asked me to head up a task force, which I did, and made recommendations on how to change the operating system. And that was a real computer security job. I convened a task force of people at Commercial Credit and at Control Data to look at the operating system to design tasking that would allow for independent tasking for the people who did the design and development back at the home base and for the people in the district offices to use the same computers to generate checks.

Slayton: So, they put you in a leadership role there?

Brand: Yes.

Slayton: So, clearly, you had a good reputation at that point.

Brand: Well, I was very good at computers. The reason I didn’t like programming was that it was repetitive, and once I learned to do it, I learned to do it.
And I did it well - I guess, very well in terms of verifying my code. It was the days before you allowed the system to debug your system. Well, now, they don’t program in Fortran anymore.

Slayton: No, although when I started grad school, there were -

Brand: They did?

Slayton: Yeah, I was encouraged at one point - I never did - but I was encouraged to learn Fortran.

Brand: Well, you were a chemist. You were not a programmer.

Slayton: Well, it was more or less a physics lab. But, yeah, I think there was so much legacy code that was Fortran that -

Brand: Well, Fortran started in the early -

Slayton: ’50s.

Brand: - ’50s.

Slayton: So, even in the 1990s, people were still learning Fortran because -

Brand: Well, Fortran was a very easy language for mathematicians. I guess it’s not as useful as some of the more modern languages, but, for me, it was just a natural transition from being an aeronautical engineer to using Fortran. It was not a big deal. But where was I?

Slayton: Sorry.

Brand: We digressed.

Slayton: So, you were leading a task force on generating these checks.

Brand: Well, it was a task force on changes that had to be made to the CDC operating system so that they could use the same computer for two different tasks. One was for doing development work in the main office, and one was for doing processing of customer work because CDC was basically a computer company, but Commercial Credit was a loan company. So, the merger was a strange merger. I think the reason that Commercial Credit merged with CDC was they wanted to get into the computer business. I don’t know how long it lasted. So, that was my first real job where I worked on the operating system in terms of understanding the need to divide tasking and somehow partition your system so that you could be doing two different types of work simultaneously.

Slayton: Was your concern primarily about security? - not letting one side see the other.

Brand: Exactly.
See, you didn’t want people in the home office to be able to generate checks.

Slayton: Right, because timesharing wasn’t entirely new at that time, but keeping the processes separate was.

Brand: No, it wasn’t. No, it was the beginning, I guess - one of the beginnings of timesharing and the CDC computers had peripheral processors. They did sort of parallel processing very early on, which was a big deal. I stayed at Commercial Credit until about 1972. I’m not sure of these dates. I can give you my -

Slayton: I think that was actually in your bio, maybe.

Brand: It was? All right.

Slayton: Well, I’m not sure. Yeah, actually, it doesn’t give dates here.

Brand: Anyway, in 1972, I went to work for Social Security Administration.

Slayton: Okay, and what triggered that shift?

Brand: I wasn’t given enough opportunities at Commercial Credit. And, you know, you could move easily in those days. There were jobs, and if you were a computer programmer or anything it wasn’t that difficult. Today, it’s very difficult for young people to get jobs, but in those days, I don’t think it was quite - and I had a degree in math, and I had all this background. Social Security was starting a new program called the Supplemental Security Income (SSI) Program for the aged, blind, and the disabled, which opened the door for them to hire a lot of new people. And I was one of the people who came in with that influx of new programs that they were put in charge of. I was put in a little group in the SSI systems bureau, and they didn’t know what to do with us. They just hired us. They just brought us all in. And since I had just done all this work at Commercial Credit, I asked my boss if I could try and look at their new online transaction system that they were implementing for the Supplemental Security Income Program. The government mandated that SSA be able to do online transactions from the district offices.
In the states they had had this capability. SSA didn’t, so SSA was building this capability, and they were building a national network. And my boss said, “Sure. I don’t know what to have you do.” I mean it was really a strange setup that none of us were given any real direction.

Slayton: They just wanted you to somehow make this online transaction program work somehow?

Brand: No.

Slayton: Not even that?

Brand: No. SSI didn’t have the responsibility for programming the computers.

Slayton: And what does SSI stand for?

Brand: Supplemental Security Income.

Slayton: Security Income, okay.

Brand: No, Supplemental Security Income. It’s a major program today. I mean if you have disability and you want to get disability payments - you can apply for SSI through Social Security Administration. So, I was hired into the SSI bureau, not into the computer bureau - into the SSI bureau.

Slayton: So, they weren’t necessarily hiring you because you had experience with computers or security or any of that stuff.

Brand: No.

Slayton: They got lucky to get you.

Brand: No, I think they hired me for computers, but I don’t know. I don’t really know. You know, getting a job with the Federal government was a big deal because, number one, up until that point, my salary had always been lower than men’s, especially at Martin Marietta. When Martin Marietta sort of fell apart, in a sense, because they lost this major program, all of my compatriots in the aeronautical area, were looking for other jobs. And we were comparing notes about salaries. Now, this was before I was offered the job as a programmer. Anyway, I realized that I was being paid $6,000 a year, and the guys were being paid $10,000 or $11,000.

Slayton: Wow, that’s terrible.

Brand: Yes, it was terrible, and that’s how stupid we were. We had no idea.

Slayton: Well, how would you know?

Brand: How, exactly. Exactly. So, after I found out that I was so underpaid, money became a big factor in moving.
And when I went to work for the government, they were much fairer. Their salary structure was a GS level. You got a GS level, and I was hired at a GS level that made more - so, I made more money than I did at Commercial Credit. And it was a good opportunity. Anyway, to get back to security - so, what I ended up doing, as my first job at Social Security, was to learn all about this online transaction system that was being designed for the SSI program. And since I was in the SSI bureau, it seemed absolutely natural for me to get involved with learning about the SSADARS telecommunications network. In 1973 I wrote a paper for internal SSA distribution providing results of my investigative work detailing why the SSADARS system was going to be a completely insecure system. And I wrote this paper with the blessing of my boss, who was also new and also didn’t know what he was doing. And the paper was very inflammatory because basically what I said was that they’re developing a system that has no security. And conjecturing that anyone could get at the SSA database, which has millions of records. And I sketched a utopian hacking, which in that time, people just thought I was crazy. I don’t know how much of it could have been done or not, but I had this whole scenario in my paper of how people could break into the SSA system through these terminals in these district offices and basically steal all this information, sell it to the insurance companies, etc. People thought I was crazy. They really thought none of that is possible. Our systems are too complex. How would anyone ever do this, etc., etc.? Anyway, the line management at SSA was not that interested in my paper, but I had friends in other departments that were interested. So, one of them had connections with the commissioner’s office, and he took my paper, and he gave it to his friends in the commissioner’s office. And the commissioner gave it to the Associate Commissioner for Administration, Frank DeGeorge.
Frank DeGeorge gave it to his assistant, who was Sidney Leibowitz, and Sidney Leibowitz was a very smart guy, and he read it. And he said that it was true; it could happen. So, they decided to let me start thinking about security for SSA. In your paper, you talked about all these risks analysis, and I decided that the first thing we needed to do, which was crazy, was to do a major risk analysis of all of the programs at SSA. An enormous amount of data came in to me. I had a little task force, and I got all this data about various files (programs) used within the system. And I didn’t know what to do with it. I really didn’t know what to do with it because, as your paper pointed out, it’s subjective - very subjective. And in those days, we didn’t know about hacking, and nobody really knew what the vulnerabilities were. They knew they had files that were very sensitive, but they didn’t really know how to deal with that in terms of a risk analysis. And I certainly didn’t, even though I was heading this mammoth data collection thing. Anyway, I became very well-known and probably not well-liked for the work I had done on the SSADARS system because I basically raised a real red herring about their new network.

Slayton: That’s interesting.

Brand: And I stayed at SSA from 1972 to 1978, and in 1978, I got a job with the new inspector general at Health and Human Services. That was the first time they had had an inspector general - a statutory inspector general.

Slayton: If I can just pause for just a minute. So, as you were starting to get into all the security at SSA, were you aware of any of the other work going on at the time?

Brand: Oh, thank you, thank you, thank you. I’m sorry. I missed that one.

Slayton: No, this is fascinating.

Brand: No, I thank you for the question. Health and Human Services (HEW - it was called HEW) had a standards task force, and I was asked to be on that task force.
So, first of all, you mentioned, I think, one of your questions about the Privacy Act. So, I was asked to be on the task force to write the security standards for HEW - for that - and I have that here. I was looking at it.

Slayton: To comply with the Privacy Act.

Brand: Right, exactly.

Slayton: Was that in 1975?

Brand: Yes. It was the Privacy Act of 1974, but the actual work we did was in ’75.

Slayton: But you were still at SSA at this time?

Brand: Yes. I was still at SSA, but I became very friendly with the people downtown. And one of the people downtown was part of the group that had input to the Rand Report with Willis Ware.

Slayton: Okay, right. Do you remember the name of that person?

Brand: His name was David B.H. Martin, Executive Director of the HEW Secretary’s Advisory Committee on Automated Personal Data Systems.

Brand: Mr. Martin said, “What you need to do is get in touch with Dennis Branstad because Dennis Branstad is starting a security task force at the National Bureau of Standards.” That was called TG-15. Are you familiar with TG-15?

Slayton: I think I’m only familiar with it because he worked on it, and it’s here in your bio.

Brand: TG-15 was a public advisory group started by Dr. Ruth Davis, and she was, at that time, Director of the NBS Institute for Computer Sciences and Technology. She asked Dennis Branstad to start this public advisory group. And the way that public advisory group worked was people from the private sector were invited (experts are invited) to be part of this task force, but they needed to be, basically, nominated by someone from Congress. So, it took a little bit of political finesse. I don’t know how they got in, but people from the government were invited through their agency. Dennis invited me to come, and through people at HEW, I became an HEW rep on TG-15.

Slayton: Even though you were still, technically, at SSA.

Brand: That’s right.

Slayton: That’s fascinating. So, everyone in DC kind of knows each other this way.

Brand: Well, SSA was part of HEW.

Slayton: Oh, okay. Yeah, that’s right. That makes sense then.

Brand: SSA, now, is independent, but in those days it was part of HEW.

Slayton: I see.

Brand: And this was just before I went to work at the IG’s office. I went to work at the IG’s office in 1978, and I was already in TG-15. And my work in TG-15 was - I was involved in everything that was going on. I was writing a FIPS Pub on application security, and I was involved in the development of these workshops that you asked me about. And it was a wonderful few years that TG-15 was in existence. And we met periodically. I think we met every six weeks or so in Gaithersburg, and people would come from all over the country for this task force. I met Clark Weissman there, and I met Steve Lipner there. I met a lot of people from the military complex. See, I was not involved, at all, in anything military, all right? And all these people from the private sector were from the DOD side of the world, and I was coming from this completely non-secure arena.

Slayton: Although you recognized that security was necessary.

Brand: And I was involved, and I was very involved, so anyway -

Slayton: So, really quick - so, the TG-15 - that was roughly ’75 to ’78?

Brand: I don’t know. I’d have to look that up. It didn’t last more than a few years.

Slayton: A few years, okay.

Brand: But the workshops, which were ’77 and ’78, were part of TG-15. Zella Ruthberg, who was the head of one of these workshops - she was at NBS. She worked for Dennis. Do you know Dennis Branstad?

Slayton: Not personally. I know the name because it’s all over.

Brand: So, Dennis was head of TG-15. During that period, I moved from the SSA to the IG’s office, and that was a wonderful move because there I could really - and I was the senior advisor for computer technology and fraud abuse and error. And there, I basically designed audits for computer security. And the major one that I did - I did one that was extremely notorious.
I love talking about this. I was asked by the IG to look into the development of Social Security cards because they were being sold on the black market. My job was manifold. One was to help design the audit, and the other was to actually do the work on the audit of the computerized part of the Social Security cards because Social Security cards were printed at Social Security in Baltimore. Then they were distributed around the country. So, in order to do this audit, I had to be in the computer room at Social Security. And they already knew me - did not like me very much because they knew I could find things out. Or they were worried that I might find something out that they didn’t want me to know, so I was heavily guarded. The Social Security cards - the whole system of printing these cards was done at night because it was a major operation. So, I came early in the evening, and I was heavily guarded and watched. If I wanted to go to the ladies’ room, if I wanted to go anywhere, there was somebody with me at all times. And what you learn by just watching people putting card decks into card readers? - not much. So, I spent this whole night, basically, watching this operation, which didn’t tell me a thing. But as I was leaving, like at 2:00 or 3:00 in the morning, my guard (quote, unquote), who was just an employee at Social Security - he wasn’t a guard guard. He said, “I have to go into this other room. You might just wait here for me.” And he stood me in the doorway to another room where there was a gigantic pile of blank Social Security cards on the floor. And he must’ve known what he was doing. He couldn’t have done that without knowledge. So, I went in there, and I opened my attaché case, and I stuffed it full of blank cards worth around $500,000 on the black market. I came back to the IG’s office the next day and presented the IG with these cards.
And that was a major coup because, basically, it showed that they were very sloppy with the maintenance of their card system. At the same time that I did this, the Commissioner of Social Security found out about it. And he was furious, and he called the IG to complain that this woman had stolen all these cards.

Slayton: Done her job.

Brand: Yeah. Well, see, this is also a form of computer security because it’s the procedural side. It wasn’t exactly what I was trying to find out, but it was a very big deal at the time.

Slayton: That would have been about ’78 then? - ’79?

Brand: God, I don’t remember.

Slayton: Not long after you went to work for the IG.

Brand: I worked for the IG for four years - from ’78 to ’82 -

Slayton: Okay, some time in there.

Brand: So, it was during that period that I did this. And the other major thing I did at the IG’s office is I chaired an interagency task force of IG personnel looking into the security of their various departments. We also looked into the hacking - or we didn’t call it hacking - but problems that people were having with break-ins to their systems. And, unfortunately, I didn’t finish that. I had a friend who finished that work because in May, 1982, I moved to the NSA. And at NSA, my first job was Division Chief for Standards for the new DoD Computer Security Center. Now, this is interesting because NSA is in the intelligence business, and SSA is in the open I’m-here-to-help-you business. So, going from the environment of SSA, IG, HEW to NSA was a major change in everything. And the way I got that job was very - it was interesting. NBS had these national conferences, and they started around the time that I was in the IG’s office.

Slayton: I think in 1979 was the first one.

Brand: All right. Then I was in the IG’s office, and they were very small at first. I mean they were held in these huge auditoriums at NBS, but they weren’t filled up with people. There were maybe like 100 people, 200 people.
They were very small, and they always had panels, and I was never invited on any of the panels even though I knew everyone on the panels because all these TG-15 guys had a military perspective. And they would always talk about the vulnerabilities in the government, but the government, to them, was the military. And even to this day, I think, when you talk to people in the Department of Defense or the intelligence community, they talk about the government. They mean the defense side of the government. They don’t mean the entire government - OMB, Labor, Commerce. They don’t mean that. They mean the military side, so Steve Walker was in charge of this panel, and I went up to him, and I said, “You know, we’re doing things in the IG’s office and in Social Security in security, and yet you never invite me to be part of your panel.” And he said to me, “You really should go to work at NSA. We’re starting a new center there, and they would be interested in you.” He said, “If you really want to do something in security you’ve got to move from Health and Human Services to this new center that’s being started.” So, that’s how I ended up - he knew people there, and they interviewed me, and I got a job. And my job was as head of standards. And I didn’t have any people working for me. It was me, and each of the offices - there were four offices in the center - and each one had two division chiefs. Our office had two division chiefs - one for standards and one for evaluation, all right? But they couldn’t do anything until I wrote my standards, so that’s when I got involved with writing of the Trusted Computer System Evaluation Criteria (or Orange Book for short).

Slayton: Now, the Orange Book was based on a lot of these ideas that were developed in the 1970s about trusted systems.

Brand: Yes.

Slayton: Was that the first time that you heard of James Anderson, of the Ware Report?

Brand: No.

Slayton: You heard none of that.
Brand: I knew James Anderson because when I was working in TG-15 - he was not part of TG-15, but I was writing the standard on application security, and Steve Lipner said to me, “There’s this guy you really should get to know - Jim Anderson. He can help you with this work you’re doing.” So, I called up Jim Anderson, who was a private entrepreneur. He had his own company, and I introduced myself. At that time, I was still working at Social Security, and I introduced myself, and he came running. Of course, he thought maybe he could get a contract. Jim Anderson was my first mentor. He was one of my best friends. I mean I loved Jim Anderson. And he died while I was on a cruise, and I got an e-mail on the boat, and I couldn’t believe that he had died. Anyway, Jim Anderson and I became very good friends, and he was a very helpful person to me. And also, all these people who worked on the Orange Book and Rainbow Series were very helpful. - I’ll show you the books. I’m going to show them to you. When I got to the center, they had just published the first mini-criteria defining a trusted computer system - you called it a trusting computer. It wasn’t trustworthy.

Slayton: It was trusted, wasn’t it?

Brand: Your paper said trustworthy. That’s a mistake in your paper.

Slayton: Okay, I made a mistake. Sorry.

Brand: It wasn’t trustworthy. It was trusted evaluation criteria. It was written by MITRE by a woman named Grace Nibaldi. And MITRE had done all the work. Basically, they were the contractors with the most expertise, and they worked closely with the people who had all these ideas - Ted Lee, Steve Walker, Steve Lipner, Roger Schell. And they had this small pamphlet - about 30 pages - and they handed me this pamphlet, and they said, “This is what we want you to do. We want you to take this, and we want you to make this into our first standard.” So, I took that book, and I sent it out to 200 of my best friends both in the military and in the non-military side of security.
A lot of those friends were part of the industries that built computers. So, out of the 200 people who I sent it to - and that was unheard of in itself because NSA was this closed, secret, secret organization, but the center was not. The center wasn’t called national. It was just called the DoD Computer Security Center. There must have been around 40 or 50 people in the center when I started in 1982. And they had no problem with me sending this out because this was going to be a standard that they wanted industry to use to build computers. And they wanted the DoD and all of the different services to use it to develop RFPs. So, they had no problem with me sending it out, and I got around 100 responses back. I took those 100 responses, and I developed the first draft of what became the Trusted Computer System Evaluation Criteria (the Orange Book). And I published that in - let’s see. I came in May - in around November of ’82.

Slayton: ’82, right.

Brand: And I sent that out to those 100 people plus other people, and I got another set of comments back. Now, you’ve got to understand that standards work is all words, and people fight over words. They fight over concepts. They fight over what is is. Literally, they do. I mean words are very important. So, a lot of the rewriting and the rewriting of this book had to do with arguing with people, discussing with people how to phrase definitions, how to phrase sentences in the Orange Book. And my main job, as far as I was concerned, was to make it legible, understandable, and usable by a large group of different types of users. So, I introduced to the Orange Book a concept that was not in the original MITRE draft: that of control objectives. And I got that from the work that I had done with Arthur Andersen’s audit people on that task force that you asked about where you asked about Jerry Short and Robert Roussey who were in that group.
Robert Roussey, a partner at Arthur Andersen, taught me all about control objectives. So, I brought control objectives into the Orange Book. I also brought auditing into it because the original Grace Nibaldi draft really only talked about the operating system - the very essence of what they wanted the kernel to do - not anything about a real operational, ongoing system because the whole focus of the Orange Book was building an operating system. It was not on building an operational system.

Slayton: Sure. With the auditing, did you ever have any training with auditing, or did you just pick it up as you were going?

Brand: Just picked it up.

Slayton: I know there was a whole community of computer security audit in the 1970s.

Brand: Well, what happened was that NBS had this task force, and I think they worked very closely with GAO. And GAO was starting to get very interested in auditing computers. That was where they started. I think that’s about when the Privacy Act came about, and the Privacy Act focused on the security of systems. It was all about privacy. The GAO got very involved, and they made very, very strong recommendations about auditing and accountability. Also, I came from the IG’s office. Now, the IG’s office was divided into auditors and systems specialists, and the two groups worked together. The auditors were real auditors. They were not accounting auditors. They were computer auditors. They were also accounting auditors, but they were auditors of systems. They were auditing procedures. They could go into an agency, and they could say, “Oh, you left all those computer cards on the floor. You left all those Social Security cards on the floor.” So, that’s the kind of thing that auditors did, and at the same time, there was a small set of them who did computer auditing. It was all in its infancy.
And, of course, since NBS was working closely with GAO, and these audit workshops came about because they were working closely with GAO, a zealous partner in that second workshop was Bob McKenzie, who was from GAO. He brought into that workshop auditors - real computer auditors, and Roussey was one of them. But the auditing community was very separate from the computer security community. The computer security community, in those days, was made up of people like Clark Weissman and Marv Schaefer and Steve Lipner and Roger Schell, who were interested in building a kernel - a security kernel. Their focus was really on the security of the operating system, not on the security of a big operation.

Slayton: And it sounds like, also, their focus was on military systems, for the most part. Or is that wrong?

Brand: You are correct. It was on military systems, but it was very focused on operating systems to be used in computers running in a military environment.

Slayton: On the technology of the operating systems.

Brand: The technology of operating systems, and I came from a different background. My background was of systems - looking at the Social Security issuance system. It’s a major system.

Slayton: System as including procedures and -

Brand: Everything. And outlying networks - this was before networks were that important. Networks were just starting to become important in the early ’80s. But, in my opinion, the Orange Book was strictly about building trusted operating systems.

Slayton: Right. Did that bother you? I mean given that you knew that the problem was bigger?

Brand: Of course, it bothered me, but I wasn’t hired to develop operational system level standards. My problem was that I was very interested in transactions. Transactions start at terminal A and go to the computer and then they go to terminal B and then back to terminal A. In other words, I was interested in transactions systems because that’s where I earned my bona fides - not in kernels.
But I also had this operating system background from the work I had done at CIPC/Commercial Credit Corp. So, I was a natural to do this kind of standards, and I had done standards work because first I did it with the Privacy Act, and then I did it at HEW with this task force. So, standards was something I felt very comfortable with. But I had to learn about operating system security in the most basic way because the Orange Book was all about the operating system.

Slayton: And when did you really start learning this? Was it when you got to know Jim Anderson or was it when you started at NSA?

Brand: NSA.

Slayton: Really, okay.

Brand: No, I learned about operating systems and a bit about security because of the work I had done at CIPC, but in terms of the kind of security that we’re talking about with the Orange Book, it basically was initiation by fire. I mean I was thrown into this. They said, “Here, do this.”

Slayton: Now, how did they recruit you? I mean what triggered the shift from -

Brand: Well, as I said, Steve Walker and I had this discussion at the NBS conference, and he said, “You should go to work at NSA. They’re hiring.” He called Roger Schell. I sent my 171 - the 171 is the personnel papers that you put in for a job in the government. It’s a form that says SF171. Roger Schell interviewed me. Dan Edwards, who was also on TG-15, became my boss. I was hired immediately. My clearance came through in zappo time because they needed people quickly, and you had to have a top-secret security clearance - compartmented security clearance to work there. You couldn’t work there without it.

Slayton: But, you didn’t do classified work or did you?

Brand: Not at that time.

Slayton: Not at that time, okay.

Brand: No, the work at the center was not classified. They didn’t want it to be classified. So, that’s how I got my job. I mean I got my job because I had been very involved with the TG-15. I knew all these people. I knew all the major players.
I didn’t know Roger Schell, but I knew Dan Edwards. But Dan Edwards didn’t hire me. Roger hired me. Roger was the deputy director of the center. He was a colonel in the Air Force. Have you interviewed Roger Schell?

Slayton: I haven’t. I think Jeff, actually, interviewed him.

Brand: Because he’s one of the giants in the field -

Slayton: Yeah, I know.

Brand: He’s a luminary. I mean he’s really one of the major thinkers. He’s the godfather - I’m often called the godmother of the Orange Book. He is the godfather or the father of the security kernel of the trusted, multi-level secure A1 system. I mean that’s Roger Schell’s whole reason for being. And he was very, very, very involved in my writing the Orange Book. I mean when I finished writing my first draft, he was trembling with rage because I hadn’t put in a discussion about the reference monitor. It had nothing to do with building of a computer, but it was the essence. It was the heart and soul of an A1 system - was the reference monitor. There were three rules, and I had not put that into - it wasn’t mentioned in my first draft. I mean if you look at my first draft and you look at the published book, they look very similar. But there are certain things that were the Holy Grail that I didn’t know about, I didn’t care about. I had Grace’s original draft. I worked with Grace. I worked with people at MITRE. But, see, the difference was that up until the time I joined the effort everything was done, basically, by MITRE people. And when I came to the center, I said to Dan Edwards, “I’m not here to bake cookies and serve coffee. I’m here to do a real job.” I’ll never forget that. “And I want to be the person actually doing the writing.” So, that’s how I really did all the writing.

Slayton: That’s great.

Brand: Now, remember, I didn’t have a staff at that time. I just had me, and then halfway through the development, I hired a young man who had never worked before.
He was just out of college, and he was a computer science major - Jeff Makey. And Jeff Makey and I basically published the Orange Book. Now, that was after only a year. It took me less than a year to get it published. That’s very fast because most government publications take forever to get published. But the center was very, very in need of a standard to put their name behind. So, our work was expedited.

Slayton: So, was the sense of urgency about needing to have something to show or to use? -

Brand: Something that they could use -

Slayton: For Evaluations.

Brand: - For computer vendors to build to, and for the center to base evaluations on. The whole purpose of the center wasn’t the standard, but the standard was like the tail wagging the dog because without the standard, they couldn’t evaluate products. And if you read those workshop papers - those workshops were very interesting that you mentioned to me in your questionnaire because they were developed by the National Bureau of Standards, but they invited all these DoD types. And the DoD types had one thing in mind - the Orange Book. I mean they didn’t call it the Orange Book, but they wanted the standard. So, the groups that were composed of the DoD contractors and people in the DoD - their focus was on the operating systems, and if you read those papers, their focus was on getting a standard so that people could start building to it and evaluators could start evaluating those products. So, the standard was very important. It was a very important first step.

Slayton: Right, okay. Boy, I’ve still got a few more questions. Do you want to take a break or anything?

Brand: No.

Slayton: No, you’re okay?

Brand: No, I’m fine.

Slayton: I don’t want you to get too hungry.

Brand: I’m fine. No, I’m not hungry. I had my Medifast.

Slayton: Okay. So, gee. Where were we?

Brand: Do you want to take a break?

Slayton: No, I’m okay. This has been amazing and rich and fun. I’m trying to make sure that I get my bases covered.
Brand: Well, your questions were wonderful. You know I read your questions. I thought, “My, God. She’s covered everything.”

Slayton: I’m sure I’ve missed things, but, basically, I mean, I can only go by the written record, right? Can I ask a little bit more about the role you played at those NBS GAO workshops in 1977 and ’78?

Brand: Oh, okay. Well, TG-15 developed the workshops. So, we were all a part of the workshop. I mean everyone in TG-15 was in the workshop, and then we invited additional people to the workshops.

Slayton: And what was the main trigger for it? Was it the kind of -

Brand: I don’t know what the main trigger for development of the workshops were. Workshops were a big part of security in those days. Like you mentioned the Accessibility Workshop, which was held before I got involved.

Slayton: ’72, so you didn’t know that was going on when it was happening.

Brand: No. I didn’t know anything about it - I have the book right here on my desk, but I didn’t know anything about it at the time.

Slayton: At the time.

Brand: I think the impetus for the workshops was GAO - the Privacy Act. I’m not sure. You’d have to talk to Dennis Branstad or somebody like that.

Slayton: And he’s still around?

Brand: He lives in Texas. I don’t know where he is any more. Did you ever hear of the show - “The Diane Rehm Show?”

Slayton: Oh, yeah, of course.

Brand: She has this -

Slayton: I’ve listened to it.

Brand: She has this voice problem.

Slayton: Yeah.

Brand: He had the same voice problem.

Slayton: Oh, okay.

Brand: He still does, so he’s hard to talk to. His wife, Martha Branstad, is sharp as a whip, and she wasn’t involved in the TG-15. She was a cryptographer, mainly.

Slayton: Okay.

Brand: But they live in Texas, and I’m sure you could find out where they are.

Slayton: Okay.

Brand: But the workshops were a big part of TG-15 towards the end of TG-15. That’s when the TG-15 started to come to an end - because it was expensive.
I mean it was expensive for people to come from all over the country, and I think it was probably pretty expensive for NBS to hold every six weeks or whatever. But my role at the workshops - I volunteered to be a recorder. I didn’t want to just be in a room. I wanted to be part of it, so I volunteered to be a recorder.

Slayton: And then you ended up actually writing the report.

Brand: Well, I ended up writing the report for the second workshop. The first workshop, where I met Carl Hammer, who was an incredible person - he was absolutely an incredible person - that’s the workshop where I met Steve Walker and that workshop I was the recorder also, but I didn’t write the report. I had input to the report, but when the report came out, it smacked of this DoD orientation more than we had talked about in the actual workshop.

Slayton: That’s interesting.

Brand: At the second workshop, I wasn’t in a DoD-type group. I was in this auditing-type group, and you asked about Jerry Short. And I don’t know why Jerry Short didn’t step up to the plate, but he just didn’t. He was the chairman of - he was part of TG-15. He was a good guy. He knew a lot about security, but for some reason - you’d have to ask Zella on this, and I don’t know why he just didn’t want to produce a report. And so, we had all these disparaged areas in this group - all these auditor types - so, Zella said to me, “You’re the recorder.”

Slayton: So, you’re stuck with writing it. So, even though you were the recorder on these, you also played a very active role in the -

Brand: Oh, yeah.

Slayton: I would think so.

Brand: Yeah.

Slayton: Everybody who recollects these seems to suggest that you actually played a pretty active role in shaping the content.

Brand: Yes, I did. Now, being a recorder was not being a secretary. They had to have a recorder in every group. Someone had to write - like I had a major network workshop in 1985, and I had a structure rather similar to what these workshops were - different people.
Like I had Vint Cerf chairing one of my groups. But the fact is that in each group you had to have somebody writing down, in some way, what was going on, whether they used a laptop in later years or did it by hand in the early years. So, being a recorder wasn’t a demeaning job. I didn’t feel like I was - because, believe me, if someone thought I was a secretary, I would have run the other way. I would not have been involved. And I think there’s another thing about writing in those days. Security was much less complex. The whole issue - like these risk analysis methodologies - you could put your arms around your idea of what needs to be done. It wasn’t as complicated as it is today. We didn’t have clouds. We didn’t have worldwide networks. Everything seemed so clear and crisp like the development of the security kernel and the Bell-LaPadula Model. I mean they were able to think very clearly about these concepts because there was none of this work going on. The development of standards was basically an intellectual - I shouldn’t say that, but it really was an intellectual exercise. I never was a security officer. I never had to implement any standards that I worked on.

Slayton: Oh, wow.

Brand: I never wanted to be a security officer - I have friends - I have a girlfriend who is the head of security for Mandarin Hotels worldwide. She has to implement security. She has to make people use it. I am sure that others would debate what I am saying, but none of the work that we did in those days resulted in operational systems - that is systems that actually had to be implemented and used by real people to do real work. So, in my own mind, a lot of what I did was very intellectually challenging, and I didn’t really think in terms of people not wanting to maintain an audit trail, let’s say. And I didn’t think about how were they going to analyze the audit trail. They were going to read it.
They were going to find out if it worked - people were stealing or cheating or ripping off the system. And I think that a lot of the work in those days was that way.

Slayton: You didn’t see any of that when you were doing audit for OIG?

Brand: Well, I did because I worked on the security of the Social Security system. Yeah.

Slayton: So, there’s a distinction between auditing, which is actually being the people being audited or doing the information -

Brand: Right, and I was not implementing the security. That’s the big distinction. People who audit are basically looking over your shoulder and saying, “Well, did you do it right?” And in those days, the checklist was still a major vehicle. I think it still is today.

Slayton: Oh, it is, absolutely. There’s a whole book, right? - “The Checklist Manifesto” that’s defending checklists.

Brand: And that started with auditors. Auditors are big on checklists, and that came from the accounting side. I’m sure it came from the accounting side, so I mean the auditor was very impersonal, and, to this day, she said they still use checklists. But they’re not implementing the security. They’re not making people use it.

Slayton: So, what happened after you worked on the Orange Book and then the Rainbow Series?

Brand: Yeah, all right. So, then you have no more record of me.

Slayton: Well, I found a paper…

Brand: I worked on standards for four years as chief of standards, and then I decided -

Slayton: This was ’82 to ’86.

Brand: Yes, and I decided that I wanted to do something else because that was very hard work. By that time, I had a staff - maybe around ten or 12 people. And we worked very well together, and I went to the head of the center, and I said I wanted to do something else. And he said, “How would you like to become my advisor?” because he was new to the center himself. He was from another part of the agency. So, I became his advisor. That was Pat Gallagher, and I worked for him for two years.
I had problems with some of the people. By then, the center was going away. It was absorbed by the rest of the - I don’t remember what ISO was called in those days - Information Systems Security Organization. Most of the NSA’s whole idea of security was cryptography. I mean NSA’s major security emphasis was using cryptography, and most of the security that had been done before the center was organized, was cryptographic. They designed cryptographic algorithms. They used cryptographic algorithms. It was all cryptography. So, the center was like a foreign body injected into this huge bureaucracy that had known nothing but encryption. And they were so happy to get rid of the center. It was a very sad time.

Slayton: And remind me - that was the late 1980s? It got absorbed into -

Brand: It got absorbed into ISO.

Slayton: Okay, which was -

Brand: Well, I’ll tell you exactly when it happened. Roger was the deputy of the center for two years after I arrived. He left in ’84. Marv left in ’85. In ’85 - ’86 time period, it was a period, I think, when the center started to be absorbed by the rest of the agency. It stayed a center in name, but it didn’t have the same emphasis or backing.

Slayton: On system security?

Brand: On computer security. See, everything was supposed to be encryption, so there was this group of people who said, “You have to use nothing but encryption.” Then there was this group of people who said, “You should do nothing but computers.”

Slayton: And operating systems, in particular, it sounds like.

Brand: Right, exactly. So, what was your question?

Slayton: Oh, I was just wondering what happened next. So, you said you went to work at the center for Pat Gallagher.

Brand: So, I worked for Pat. After 2 years I told him that I really needed to expand my horizons in terms of NSA because the center was becoming less influential. My work was basically done with Pat.
He didn’t need me anymore because I really went to work with him to help him get up to speed on the computer security side. He was an encryption engineer. He was an engineer, all right? He built crypto machines. So, I got a job. By then I was pretty well-known for my work with the Orange Book, and I had given talks all over the world and conferences. And you asked about conferences. I gave talks everywhere about the Orange Book, but I didn’t publish papers everywhere. I had my little set of slides, and I would go. So, I gave so many talks. I mean I was constantly on an airplane flying somewhere.

Slayton: It sounds like the Orange Book, then, had an international presence very early.

Brand: Yes.

Slayton: What countries were considering emulating?

Brand: England and Germany were the first countries to show interest but each had slightly different ideas on how the criteria should be presented and emphasized. At the same time we had a friendly coexistence with NBS. NBS always felt that they should be in charge of security for the world. We were really only in charge of security for the DoD and the intelligence community. So, they wanted this Orange Book changed into something that was more adaptable to non-DoD environments. And the Orange Book was very much with the A1 and the B3 and the verification and Bell-LaPadula, it really asked for very extreme measures for security. So, NBS wanted it to be democratized, so they started the Common Criteria, and I didn’t want to work on the Common Criteria. I said, “I’ve had enough.” I got a job on the other side of the agency. I became a division chief in the signals intelligence gathering side, and I had a large staff. I learned all about the other side of the agency, which I cannot really talk about.

Slayton: I understand.

Brand: And I was there for two years.

Slayton: Can I ask - were you working with computers still?

Brand: No.

Slayton: No.

Brand: No.
I was a manager - a strict managerial job - managing a division of analysts whose job it was to produce intelligence product.

Slayton: That sounds like a real change.

Brand: It was a horrible change. It was the worst thing I ever did.

Slayton: Oh, I’m sorry.

Brand: I wanted it; I wanted to do it. On paper, it sounded like the right thing to do, but it was not. It took me a long time to get used to NSA because NSA was so different from HEW. But I got used to NSA through the side of the agency that I knew, but when you go over to the intelligence side, first of all, almost everybody who I worked with had started out of college or even out of the military doing intelligence work. And I was this woman who had been running around the world and giving talks all over the place. I knew nothing about that side of the house. It was very hard, and it was very hard for them to accept me because they had never had a woman division chief who knew nothing about their business. They hardly had any women division chiefs, but they had no division chiefs who had come from the other side of the agency. So, it was a very difficult two years. I learned a lot; I saw a lot. It was very interesting, and it was very eye-opening.

Slayton: That was ’88 to -

Brand: No, that was - yeah, ’88 to ’90.

Slayton: ’88 to ’90.

Brand: And then I decided I wanted to go back to what I knew. It wasn’t a good match.

Slayton: So, you went back to the computer security systems.

Brand: Yeah. They were ready, on the intelligence side, to groom me more for higher things. You know, it’s one thing to be a reporter. Like they were reporters. They were people like you see writing newspaper articles. They weren’t writing newspaper articles, but it was this difference between being a reporter, reporting on what others were doing and being a doer. It’s coming out wrong. The standards work that I did was creative. The work I did had meaning to me. I was making things happen.
I was involved in development of standards that were being used all over the place. The people on the other side were basically there to collect information as a reporter would collect information. That’s what I mean. So, it was a different type of work. And the people I worked with loved it, and they were very dedicated to it, and they were fantastic. It’s just that that was not what I was trained to do, so it wasn’t something I enjoyed doing. And I wasn’t very good at it. So, I went back to the ISO side, and my first job was working, basically, for Jim Philblad who was, at that time, head of the center. I worked for him for about a year or so, and then the director of ISO came to me and said, “I would like you to head up a task force to combine all the standards that we use for cryptography with all the standards we use for computer security.” It was a fantastic job, and I collected a group of senior information security specialists from both the crypto side and the computer side. And we worked on it for two years. It was called the Unified INFOSEC Criteria (UIC). It’s classified; you cannot get a copy of it. And it became a 13-volume tome of everything we know and the combination of the two and the ability to use this for monitoring real systems.

Slayton: So, that was something that I’ve heard people talk about in the early 1980s - was the division between the people who were in favor of cryptography and then the systems security people. So, it sounds like this was trying to bridge those two communities.

Brand: Yes, and I had already started that when I convened my network workshop in 1985. When I did the network workshop, I brought together communication types and I brought together computer security types. And the communication types used cryptography, and there were some people who weren’t even security types. They were communication types. Like, Vint Cerf was head of the ARPANET, so I mean these were incredible people in that workshop.
And I wanted to bring all this together because I saw that they should be working together. I don’t know if they ever really had worked together. I think what has happened in the past few years is that cryptography has crept into a lot of the safeguards used in computer security. So, in that way, they have come together, and the UIC was the start of that. And that took about two years to do. After I finished the UIC, I went to work for the deputy commissioner (Director) of the ISO. The same man who asked me to do the UIC asked me to be an NSA rep on a DoD/DCI security commission. They had a set of big shot commissioners - people like the Deputy Secretary of the Navy (very high-level people) - not all government people, who they brought together. And they had a staff, and the staff was composed of people from CIA and DoD, all right? And there were two reps from the NSA. I was one of the two reps, and my job was security. So, I wrote the part of the report dealing with security.

Slayton: And that was a classified report or unclassified -

Brand: I can give you a copy of that report.

Slayton: That would be great. Just getting back to the UIC briefly, did anybody want that to be unclassified in order to influence industry more?

Brand: No. It was an internal NSA standard. It was a working document. It became really used. That’s the interesting thing. You know, one of my problems is that once I finish something, I don’t want to deal with it. So, after I became a programmer - did that. After I finished the Rainbow Series - did that. I enjoy changing jobs to learn more. I never got a PhD, never continued my education -

Slayton: You effectively did that though with all that work.

Brand: Well, I had a husband who - he’s a professor, and I know the pain that people like you went through to get your master’s and your PhD. It’s not an easy job.

Slayton: The work you did sounds harder, actually, to me.

Brand: It was more fun. Well, let’s put it this way.
I wanted to get a PhD in economics. I went to my first class in economics as a graduate student at IU. My husband was still a graduate student. And the first thing that you had to do at IU to become an economist was take Accounting 101. Can you imagine taking accounting? And I sat in that class - debits and credits and spreadsheets. And I said, “I don’t want to do this. This is not what I consider economics.” So, I left. I went and got myself a job as a technician in a lab - actually, a physical chemistry lab. And I did measurements for this chemist for a year until my husband got his degree, and I never looked back. So, I spent one day in graduate school.

Slayton: That’s funny. That’s great.

Brand: So, anyway, while working at the Commission I was commuting to the CIA for that. That was a hideous commute. I worked on the commission until they finished their report. That was all done at CIA headquarters in McLean, Virginia. And I came back to NSA, and I went to work in a group that did nothing but standards - international standards for the agency.

Slayton: Interesting. So, NSA was doing international stuff too?

Brand: Yes. They always had a presence on ISO (International Organization of Standardization) committees, and I got myself into that group and worked, obviously, in the computer security side of the ISO. So, I worked in ISO SC 27. Are you familiar with that?

Slayton: No.

Brand: Well, there’s a whole bureaucracy in the international standards community.

Slayton: SC 27 - what does SC stand for?

Brand: SC - subcommittee - I don’t know.

Slayton: Okay. I can look it up.

Brand: ISO is the International Organization of Standardization, and they have standards in all kinds of areas. I worked in two areas: I worked in ISO/IEC JTC 1/SC 27 IT Security and I worked on the banking standards done in ISO/TC 68/SC 2. Now, all of these standards groups have mirror groups in the United States.
So, for example: the mirror group in the United States for SC 27 was something at NBS called T-4, and it’s all in my resume that I’m going to give you.

Slayton: Oh, great.

Brand: So, there’s an American standards committee, and then there’s the international standards committee. And the American standards committee was known first as T-4, and then it became CS-1, but it’s bureaucracy. It was all done through NBS.

Slayton: This is a Common Criteria?

Brand: No.

Slayton: Totally separate, totally separate -

Brand: Not exactly, some US standards developed by NBS eventually are adopted internationally, such as the Common Criteria became an international standard via SC 27. They had a mirror group in SC 27, and it did become a standard through SC 27. But SC 27 also worked on cryptographic standards, database management standards, cloud standards, etc. Just before I retired, SC 27 started work on security of clouds. They worked on all areas of security.

Slayton: And all of the work that you were doing on standards was computer security standards.

Brand: Yeah. I didn’t work in crypto standards. There was another NSA rep who worked on the crypto side. She was part of this. The US group was made up of mainly people from the vendor community because they wanted their hardware and their software standardized internationally. So, this American group was mainly made up of those people - private sector people. That’s how I met my friend, who’s now head of security for the Mandarin Hotels. And there were a few of us who were from the government. And from NSA there were two or three people, and one of the two or three was me, and one of the other ones was the woman who worked in cryptography.

Slayton: Interesting.

Brand: So, we all attended SC 27 meetings - the whole group - T-4 went into various groups in SC 27. SC 27 had - I don’t know - four or five different subgroups. And my group was the computer security one. One of the groups was cryptography.
One of the groups was procedures management. So, they had a much broader charter than just computer security.

Slayton: And computer security then meant - since it wasn’t procedures, it was operating systems, really? Did it get to be bigger than that over time?

Brand: It was more the whole cabal. I mean, for instance, when I started, no one talked about security policy. Now, when I started working on the operating system security, security policy was the policy that the kernel had to follow in mediating access to objects and subjects because that was what the kernel did. It had a set of policy rules. Well, policy has now become a much more generalized term in security. It means that policy is starting at the very top by management. It dictates what must be secured: how much security should be given. It employs a security officer. It tells a security officer, “Do a risk management. Tell me what you need. Tell me how we’re going to do it.” Then it gets down to a lower level. And then, finally, policy will get down to the operational systems people and the programmers who buy - today, you buy packages. I call them toys. There are thousands of computer security toys out there.

Slayton: That’s probably a good word for them.

Brand: It’s insulting, but -

Slayton: Sorry. Maybe I shouldn’t say that.

Brand: There are millions and millions of companies. There were no companies when we started - none. There were just a bunch of thinkers and some very brilliant people. I was not one of the brilliant ones. The brilliant ones were the people who wrote the pamphlet that was handed to me. And they were the ones who I give all the credit to in terms of developing the Orange Book - my major contribution was the cover of the Orange Book.

Slayton: I suspect it’s a little more than that.

Brand: No, but I really wanted people to be able to come into an office and see the book as soon as they came in. Most government books were either gray or beige.
Slayton: So, this didn’t have hot pink yet.

Brand: No. There was no Rainbow Series. And so, I did some research on color and what colors were pleasing and what colors were not pleasing, and I picked orange. And I went to the publisher at NSA, and I said, “I want this in an orange cover with blue letters.” And he said, “We don’t do orange covers. We do beige covers, and we do gray covers.”

Slayton: That’s great. So, you’re talking about the industry sort of growing up and how many companies there are now. Did the Orange Book or the work that you were doing on standards - did you see that have a big influence on the industry?

Brand: It had influence at the beginning because there were all of these vendors who wanted their computers to be bought by the DoD and the intelligence community. But there was a big void because the intelligence community didn’t write RFPs. First of all, there were two things. First of all, the RFPs that had to be written to include an Orange Book-type of system were never written. There were a few. When Roger Schell was still chairman or deputy head of the center, he really put his will to work in getting high assurance systems put into RFPs for highly sensitive systems. But that was the first thing. There were very few requirements that actually put in writing, “You have to have a system at this level.” That was the first. The second thing is that the evaluation process became so onerous that it took years for the center to bless a vendor’s computer as even a C2, let alone an A1. So, vendors, basically, gave up. They said, “We cannot afford to do this. It takes time. We have all of these commercially available products coming out, and what you’re asking for is a product that’s going to take years to evaluate.” So, they gave up. They stopped coming to the center for evaluation.

Slayton: Did you interact with the evaluators much?

Brand: Not at all.

Slayton: Really? Interesting.
Brand: They never came to me and asked what did I mean by this or that. They developed their own set of interpretations of the Orange Book, which became, basically, a whole institution in itself - the interpretations. And that’s what took all the time - is that they would fight over - they were where the rubber hit the road. I mean a vendor would come and say, “Here’s my system. I think it meets the Orange Book.” The evaluators would go through the Orange Book or whatever criteria they were looking at, and they would decide whether or not the vendor’s interpretation met the Orange Book. And that’s where the interpretation of actual words in the Orange Book came about. Well, they say they did this, but I’m not sure that they really did it. So, they had major, major workshops on interpretations of the Orange Book - evaluation workshops galore. It became a big industry, and I had nothing to do with it - nothing at all.

Slayton: Was it important as an area of expertise or knowledge to be thinking about - I mean did the Orange Book play any role in developing expertise in the field, I guess, is part of what I’m asking?

Brand: What’s your question?

Slayton: Did the Orange Book play a role in developing expertise in computer security? Knowledge about it [computer security]. I mean the evaluators all had to be trained. Did it improve best practices among the vendors? Did it have any impact?

Brand: Oh, yeah. I am sure that until the Common Criteria came along, the Orange Book was still the thing to go to. The vendors did become much more conversant with security and the needs for security and the ability to develop systems that provided at least some level of security. I think that before the Orange Book, it was haphazard, and afterwards it wasn’t that haphazard. But, I mean, each vendor had their own set of mechanical techniques and their own architectures, but I do believe that it brought an awareness to security that didn’t exist before.
But it was unfortunate that it was still considered a military - it was a military standard.

Slayton: So, you didn’t get much sense of private sector interest in getting evaluated.

Brand: I tried, but I did not get the sense that they really adopted it.

Slayton: They didn’t care.

Brand: Now, Steve Lipner, who you met at that workshop - he worked for DEC at one time, and he tried to build an A1 system. And the managers of DEC said, “We can’t do it. It’s too expensive.” He had to give it up, and that was his baby. Steve Walker started Trusted Information Systems, and I think he probably, in his own way, promulgated a lot of the ideas of the Orange Book. But the Orange Book was full of requirements that never really had been put to use in an operational sense, in my view. Now, if you talk to Roger, he will say differently. He will say that everything in the Orange Book had an implementation. Well, maybe it did, but it was a research implementation. It wasn’t something you found everywhere - so, there were never computers that were designed for an everyday, operational use that had A1 in them. And I don’t even know what the concept was for its use.

Slayton: For the Orange Book’s use.

Brand: Right. For A1 level of security, the use of a reference monitor. And a reference monitor infers using labeling. Labeling means classifications. There were many workshops or sessions in different conferences where people talked about the transference from the military classification system to the non-military - the commercial classification system - that had a lot of analogous issues like the research done by Apple. I am sure that would be considered top-secret code word.

Slayton: Probably, yeah.

Brand: But the non-military world didn’t have an infrastructure built around labeling as far as I can tell. So, I think, well, the Orange Book had its use. It became the Common Criteria. It morphed into the Common Criteria.
Common Criteria was an international standard, which was accepted by many countries. I don’t know if it’s still in use today or not. I don’t think so. I think it’s sort of fallen.

Slayton: In the early days, before the Common Criteria, when you were flying around and giving talks about the Orange Book, were there particular countries that were trying to emulate the Orange Book?

Brand: Yes.

Slayton: Which countries were those?

Brand: Germany and England.

Slayton: Germany.

Brand: England. Germany had their criteria. England had its criteria.

Slayton: And they were kind of modeled after the Orange Book.

Brand: Yes. They probably wouldn’t call it that, but that’s what they were. And those different countries became part of the Common Criteria working group, and they all brought their own interpretation of what the criteria should look like. The big difference between the Orange Book and the Common Criteria was that Orange Book was not a criteria that was developed by a committee. The Common Criteria is definitely a product of a committee. So, when you have a product that’s developed by a committee, you have to build consensus in a much greater way. Now, we thought we built consensus, but I don’t think that we really did. I think we built consensus among the people who needed the consensus, but we didn’t really build consensus because it was hard. It was a difficult - to build an A1 system you have to have verified code. You have to have mathematicians who are able to deal with that. I mean it’s not an easy job, and it’s an ambitious job. The building of consensus in an international market is a very different - like in SC 27. I mean I felt I was in a little UN. The first day of our meetings - we met twice a year in a different country. And the first day of the meeting and at the end of the meeting, we would have these - I wouldn’t call them introductory. I can’t remember what the name of them are. We had the whole group - everyone - come together.
And I think SC 27 had around 120 people in it from all over the world. We’re talking from China, from Russia, from every country in Europe, from Singapore, from Japan. I think I spent more time in Japan than any other country in my career. And a few South American countries. I don’t think any Israelis or Arabs ever became part of it - none from the Middle East - so, you had a little UN, and you had to build consensus. To get an ISO standard published, you had to get the buy-off of all these people.

Slayton: Right. So, I know the TCSEC - the Orange Book standard - was very influenced by DoD concerns. Was the Common Criteria, as this more international thing - did other countries have the same -

Brand: No.

Slayton: - DoD focus? No?

Brand: Yes. I’ll put it two ways. The original reason for them writing their version of the Orange Book was DoD, absolutely. And the people who were involved in developing their version were basically DoD types.

Slayton: Their militaries.

Brand: Their military people. Now, I’m not sure about France. One of our conferences was held in France, and I can’t remember whether their people representing them were from the military or banking. I told you I also represented the agency on the banking standards, didn’t I?

Slayton: Oh, did you?

Brand: Yes, and that was very different. That was very different. And they had their US contingent of bankers, and then they had the international contingent of bankers. I was a convener of one of the international subcommittees because I was writing a standard for them, and they were all bankers. They were not DoD at all. I think, outside of the DoD, the banking community had the most stringent security in the private sector -

Slayton: That’s interesting. And by banking, are you including the entire financial sector? Yeah. When were you working on those? Is that early ’90s, late ’80s kind of?

Brand: At the same time I was working on SC 27 - from 1998 or 1999 until I retired.
I retired from the government in 2007. I then worked for another two years in private sector.

Slayton: Okay, so this is later, then.

Brand: So, the Orange Book was over. I finished working on the Orange Book in ’86, and I went on to do other things. I went back to standards, basically, when I went to work in this group that did international standards. Well, no. I did the UIC, which was a major standard, but you can’t see it, unfortunately.

Slayton: Yeah, I know. I figured we were probably going to run into this if you spent most of your career at NSA.

Brand: Well, you know, you asked me if I worked on classified information. I didn’t work on anything classified at the center.

Slayton: Was there classified work that ever happened at the center?

Brand: Yes.

Slayton: Oh, there was. Okay.

Brand: I didn’t know about it.

Slayton: Oh, really?

Brand: No. In the intelligence community, if you’re not involved, you don’t know.

Slayton: No need to know.

Brand: No need to know. Everything is very compartmentalized, so if there’s something going on that you needed clearance for and you don’t have that clearance, you don’t get read into it. You aren’t involved with it. You don’t need to know.

Slayton: Right. Okay, I’m trying to think if there are other questions I need to handle. Are there other comments that you - oh, I wanted to ask you a little bit about, when we talked about the sexism that you faced when you were - certainly, at the beginning of your career and, I imagine, to some extent, even later. There are a number of women who seem to have done really well in computer security. Did you know each other? Was there a sense of camaraderie then?

Brand: I knew Ruth Davis very well. Hilda Faust is one of my best friends.

Slayton: Oh, yeah? Is she still around?

Brand: Well, she retired many years ago, but she’s still alive. She was involved with security on the DoD side of security way before me. She was an office chief when I came to the center.
Slayton: Is that when you met her?

Brand: Yes. Actually, I think I was invited to a seminar that she hosted at NSA when I was still working in the IG’s office, but I didn’t really know her. But I really got to know her when I went to work at the center. There were four offices at the center. She was head of the office of research, so she knew all these players way before I did. And she knew them when they were trying to build secure systems.

Slayton: That’s interesting.

Brand: And if you want to talk to her - I don’t know if you want to talk to -

Slayton: I would be interested in talking to her. She probably has interesting insights. But I haven’t formulated a question list yet, though.

Brand: You won’t find anything published by her.

Slayton: But her name shows up a lot, and people acknowledged her.

Brand: Oh, she was a wonderful chief. I thought she was one of the best chiefs of an office of the four offices. Of course, I’m biased. I like her a lot. We didn’t like each other there, though. She was from the old school of NSA where you didn’t go outside and talk to other people. She was one of these people who was basically brought into the center because the center was formed from various parts of the agency that already existed. And she was part of that, but she wasn’t part of this Orange Book crowd. She knew them; she worked with them. But she never thought, in a million years, that there would be someone going around the country giving talks.

Slayton: What about Ruth Davis? You said you knew her -

Brand: I knew Ruth Davis.

Slayton: When did you meet her?

Brand: I met her at NBS. Later in my career, I don’t know how we got together, but I would go to see her in her offices, which were either in Bethesda or in Virginia. I can’t remember where I would visit her, and then I think she got sick.

Slayton: Oh, she did?

Brand: Or her husband got sick, or her husband was dying.
I cannot remember how I hooked up with her again, but I hooked up with her, and I spent a lot of time talking to her, and I’m not even sure. It wasn’t part of TG-15 because she left NBS - went off by herself.

Slayton: What was she doing?

Brand: Where?

Slayton: After she left NBS.

Brand: I think she was head of technology for some part of NIH. I think - I’m not sure. I’m sure you can find that -

Slayton: Probably.

Brand: I think she became head of technology for a major section of NIH.

Slayton: Stayed in government then. Yeah.

Brand: Or maybe I met her again - really met her through Carl Hammer because when I met Carl Hammer, because he became chairman of this working group I was on, we became very good friends. And he might have brought me together with Ruth. I don’t even remember. Isn’t that strange?

Slayton: Well, it’s a lot to remember.

Brand: Who else was in that group that you mentioned?

Slayton: Grace Nibaldi you mentioned earlier.

Brand: Oh, yes.

Slayton: Yeah - who you worked with. Did you first meet her when you were with the computer security center working on the Orange Book?

Brand: Absolutely. I called her and said, “Help. I need your help. I’m at the very end, and I need your help for these areas.” And she was very good.

Slayton: So, was part of the reason that women were able to get into this field because it was so new? Yeah? Okay. This is one thing that people have talked about quite a bit in the history of computing is that it sounds like it wasn’t universally the case, but that a number of women did really well because it was a new field. Nobody knew anything about it.

Brand: That’s how I got into it. I am sure that it’s harder today than ever - I don’t know. My main thesis about getting ahead as a woman in technology is that - in my day, you were not given the responsibility to do management. As I said, I was asked to plot graphs, not projects to run.
So, when I went to work for the center, that was my first real management job where I was in charge of a group with a real distinct management role. I didn’t know how to be a manager. I had never been a manager. I had been a task force leader. It’s a very different thing. You’re an equal among equals. You’re not in charge of these people. You all go off on your own directions after the meetings, but at the center I had this title of division chief. It’s a big deal to be - I was brought in as a GS-15 division chief. And I didn’t know what it meant to be a manager. I didn’t realize that to be a manager you have to actually be interested in the people who work for you. That’s a big deal, and I was not good at that. I was a task force person. I was a doer. I liked to make things happen. So, for instance, when I started getting people to work for - first, I had nobody, so I worked by myself. I would sit in a room with a long yellow legal pad and a pencil and write the Orange Book. But then when I got people working for me, I had to be able to motivate them, and I wasn’t good at that. And I wasn’t good at communicating. I would go to the staff meeting, and I was supposed to bring back the information from the staff meetings of the center to my staff - to my staff. And I didn’t know what that meant. It took me many years, so then when I became a division chief in operations in the real NSA, I was a terrible division chief at first. I didn’t know how to motivate them. I didn’t know how to understand - I didn’t understand them. And I think it takes a different type of personality than I had or that I had been trained to be. So, for women, getting ahead - like, when I see a woman like the head of HP - she had a hard time, but how did she get there? The head of Google - how did these women get there? I have no idea. They had to become good with people. It had nothing to do with their technical skills.
It had to do with their managerial skill, which is a very different type of skill. Now, Ruth Davis - I don’t know anything about her background. I don’t know how she became so powerful.

Slayton: I think she actually has - there are papers of hers at - I forget what college it is. I need to call them up, but there are archives. They’ve archived her papers, if I’m remembering this correctly. And I think she had a math degree as well and was basically - yeah, she was told that IBM would only hire women for clerical positions in the 1950s.

Brand: It’s true.

Slayton: It’s so similar to -

Brand: It’s exactly true. They never hired me. I applied for a job at IBM. There was an IBM department right down the street from where I lived, and the first place I applied when I moved to Baltimore was at the IBM. They wouldn’t hire me. But see, every job I had, basically, was a first job for that place. Well, except for Martin Marietta - I guess they just figured I had a degree in math, and she must be able to plot a point. I don’t know why they hired me. Now, that was the era when they were hiring everybody.

Slayton: They needed people.

Brand: They needed people. But most of the jobs - I had breakthrough jobs except for the systems when I became a systems person because Charlie knew me - he knew I was very good. But women were not accepted. We were not taken seriously. They always said, “Well, you’re going to get pregnant and leave.” Well, that’s a lot of crap. Men can leave for other reasons, but there were so many reasons that they gave - that women couldn’t do it, they wouldn’t stay, they didn’t have the training. Well, I had all the training. I didn’t need more training. They didn’t want to train us to be managers. They really didn’t want us to -

Slayton: And they weren’t comfortable with women being in charge of men, it sounds like.

Brand: That’s very true.

Slayton: It would come with the territory for a manager.

Brand: Absolutely.
Now, the only place that I was really a good manager was the UIC. By then, I had had, under my belt, the center standards, and I had been a manager in operations. And when I did my work at the UIC, I really knew what a manager was supposed to do. And I had people who I could respect. I had very high-level people working for me. I had some of the highest-level people in the ISO working for me, and that was because I was chartered by the head of ISO. And I had a very calm, good plan on how to work, and I worked well with all these people and all the other people who came in after them. It was easy because I knew what they needed, and I knew how to work with them. But I didn’t want to be a teacher. I’m not good with - I guess I’m just not interested in people. I love problems. You’re a teacher, right? Aren’t you a teacher?

Slayton: Yeah, but I’ll be honest. I find research more relaxing than teaching.

Brand: Oh, so maybe you’re more like me.

Slayton: I was a scientist originally.

Brand: I remember my first job at Lincoln Labs or Bedford Research or whatever it was called, sitting at my desk with a problem, and I said to myself, “I like this. I like working with problems. I like solving problems.” There are no people involved, and that’s why standards was also very good. So, the women who made it - I don’t know. My quote, unquote claim to fame always happened because I had a job that I loved, and I did well in it. And I superseded the men in those jobs, but I never got ahead at NSA. I never got promoted at NSA.

Slayton: Well, it was a very different culture there as well.

Brand: They hated me. They didn’t hate me as a person. They hated the idea that the agency would hire an outsider as a GS-15 because they were used to hiring people out of college as a 7.

Slayton: Right, were they also uncomfortable with this new sort of - the National Computer Security Center?

Brand: Right, exactly.

Slayton: Part of that whole package.

Brand: Oh, yeah, it was all the package.
I was a person brought in as a 15 to this alien, new entity called the center who went around the country giving talks.

Slayton: Which is public-facing.

Brand: So, I was not part of their culture, and that was a very bitter pill for me to swallow - that I wasn’t promoted.

Slayton: I can see that.

Brand: It was not an easy thing, but I lived with it, and I did okay. I can’t complain. I had a good career.

Slayton: Yeah, a very good career. So, is there anything else you want to add? Any questions I should have asked?

Brand: Well, it’s 12:00 p.m.

Slayton: You must be hungry by now.

Brand: No, I had this. This is like a salad.

Slayton: So, are there any other questions that you think I should have asked?

Brand: I don’t know. Did you cover everything in your little questionnaire?

Slayton: I think I did - I mean those little detail things that I think you addressed in passing, and that’s fine. I had come up with questions based on the written record, but you know better what’s most important from your own experience.

Brand: Let me give you my resume.

Slayton: That would be great.