Code Warriors
Still, the progress made by Op-20-G’s cryptanalysts back at Nebraska Avenue on the traffic was encouraging on technical grounds if nothing else; their first break into one of the Soviet military systems came just a few months later in October 1943, and every month some two thousand new messages were intercepted and added to the growing trove of Russian traffic available for study, soon to be beefed up by the assignment of additional monitoring stations—Station H at Wahiawa on the island of Oahu in Hawaii, Station W at Winter Harbor on Maine’s Schoodic Peninsula, and Station AX at Adak in the western Aleutian Islands—to the job of pulling in these far-off signals from the airwaves.32
But it was the diplomatic traffic that clearly offered far richer intelligence pickings. The Japanese military attaché cables—an entire special cipher subsystem, known to Arlington Hall as JAT, had been set up by the Japanese exclusively for the purpose of exchanging cryptologic intelligence—had identified several different Soviet diplomatic systems and confirmed that they were all some form of enciphered code. The basic principle of operation was well understood; nearly all of the Japanese army and navy systems that Arlington Hall and Nebraska Avenue had been attacking for years worked the same way. A codebook assigned words numerical values; in the case of the Soviet codes these were typically four digits long, 0000 to 9999, allowing for ten thousand different words. To each of the code groups in a message to be transmitted, a second set of digits, drawn in sequence from a book or pad containing random numerical groups of “additive” (or “additive key”) was then added.*4 That second step obscured the actual meaning of the message under an additional layer of concealment intended to baffle any would-be codebreaker; it ensured that even when the same word was repeated, it would appear in the enciphered transmission as an entirely different four-digit number each time it occurred in the same or subsequent messages. The recipient of the message reversed the process, subtracting the additive key to obtain the original code groups and then looking up their meanings in the codebook.
The vulnerability of an enciphered code was that in any heavily used system it was inevitable that some messages would eventually be enciphered using overlapping sequences of additive drawn from the same pages of the key book. From such an overlap (a “depth,” in cryptanalysts’ jargon) it was possible for a codebreaker to begin the long, laborious process of “stripping” the additive from the enciphered messages to reveal their underlying code groups and then start to figure out their individual meanings. There was usually an “indicator” buried within the message that told the intended recipient from what starting point in the key book the sequence of additives used for enciphering that particular message had been drawn; breaking the indicator system was one way to identify overlapping messages directly. The JAT cables offered a few clues about how the Soviet indicator systems worked, but none were enough to be of much help.
The other way to find two overlapping messages was sheer brute force. One indication that two messages were in depth was if they contained some of the same numerical groups, indicating that the same word had been enciphered with the same key in each. A single repetition of a particular numerical group could easily be the product of chance, but a “double hit”—the same pair of groups appearing in two different messages in the same relative positions—was much more likely to be the product of the two messages actually being in depth. (See appendix A for a further explanation of the process.) If the Soviet messages really had been enciphered using one-time pads, any such brute-force search for depths would be a guaranteed exercise in futility. In a one-time-pad system, each sequence of additive key is used to encipher a single message, then the sheet is torn off and destroyed and never used again. It imposed huge logistical burdens to produce and distribute the key pads required to sustain such a system, but it undeniably offered unbreakable security.
In October 1943, however, Richard Hallock decided it was worth trying a long shot. He had the first and last five groups of ten thousand of the messages punched onto IBM cards: the opening and closing of any message were the parts most likely to contain stereotyped phrasing, and thus repetitions of their underlying code groups—words such as TO MOSCOW, FROM NEW YORK, REFERENCE YOUR NUMBER, PART 2 OF 2.
The results were unmistakable. Seven pairs of messages contained double hits, meaning they were almost certainly in depth, enciphered using the same sequence of additive key. At least a few of the one-time-pad pages had clearly been used a second time, an astonishing and monumental security blunder.33
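The double-hit search described above, as an added example that is not from the book. It assumes the additive is applied digit by digit without carrying, uses made-up code groups and constructed traffic in which one pad page is deliberately used twice, and compares only the first five groups of each message.

```python
import random
from collections import defaultdict
from itertools import combinations

def add_groups(a, b, sign=1):
    """Digit-by-digit add (sign=1) or subtract (sign=-1) mod 10, no carrying."""
    return "".join(str((int(x) + sign * int(y)) % 10) for x, y in zip(a, b))

def encipher(code_groups, pad_page):
    """Add one additive group from the pad page to each code group."""
    return [add_groups(c, k) for c, k in zip(code_groups, pad_page)]

def find_double_hits(traffic, window=5):
    """Pairs of messages with the same cipher group at two or more of the
    same positions within the first `window` groups."""
    index = defaultdict(list)              # (position, group) -> message ids
    for msg_id, groups in traffic.items():
        for pos, group in enumerate(groups[:window]):
            index[(pos, group)].append(msg_id)
    shared = defaultdict(list)             # (id_a, id_b) -> matching positions
    for (pos, _), ids in index.items():
        for pair in combinations(sorted(ids), 2):
            shared[pair].append(pos)
    return {pair: sorted(p) for pair, p in shared.items() if len(p) >= 2}

def strip_difference(cipher_a, cipher_b):
    """Cipher minus cipher: a shared additive cancels, leaving code_a - code_b."""
    return [add_groups(x, y, -1) for x, y in zip(cipher_a, cipher_b)]

def build_traffic(n=40, length=8, seed=1943):
    """Constructed traffic: every message gets a fresh pad page, except M07
    and M31, which are enciphered with the same page."""
    rng = random.Random(seed)
    group = lambda: f"{rng.randrange(10000):04d}"
    opening = ["1234", "5678"]             # made-up code groups for a stereotyped opening
    plain, traffic, reused_page = {}, {}, None
    for i in range(n):
        msg_id = f"M{i:02d}"
        plain[msg_id] = opening + [group() for _ in range(length - 2)]
        page = [group() for _ in range(length)]
        if msg_id == "M07":
            reused_page = page
        elif msg_id == "M31":
            page = reused_page             # the blunder: a page used twice
        traffic[msg_id] = encipher(plain[msg_id], page)
    return plain, traffic

if __name__ == "__main__":
    plain, traffic = build_traffic()
    for (a, b), positions in find_double_hits(traffic).items():
        print(a, b, "double hit at positions", positions)
        print("difference:", strip_difference(traffic[a], traffic[b]))
```

Every message here opens with the same two code groups, yet only the pair sharing a pad page collides; the difference of that pair is free of key, which is the starting point for stripping the additive.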
From that meager start, the Russian section over the following months was able to begin stripping the additives from paired messages in depth and to recover and identify a few of the frequently used code groups in the message openings, particularly the stereotyped beginnings of multipart messages. More massive IBM runs produced a bank of “hypothetical additive”: the idea was to subtract, in turn, each of these frequently used code groups from the beginning of every message to calculate the resulting additive key that would have been used to encipher it, then see if any portion of that hypothetical key, when added back to any of the frequent code groups, matched the openings of other messages, indicating possible further one-time-key reuses. The largest set of messages were being sent by Soviet purchasing commissions operating in the United States under Lend-Lease; these “trade” messages, employing the code system Arlington Hall designated ZET, made up about half of all the traffic. The other four systems the American codebreakers identified appeared to be diplomatic traffic from embassies and consulates, and in July 1944, Cecil Phillips was placed in charge of those systems. A few months later, in February 1945, he was looking at one batch of messages from New York to Moscow in the system known as ZDJ. He soon found something odd about the first cipher group of each message. The numbers were not random; when he counted up the frequency of each digit he found that the digit 6 appeared about 20 percent of the time, rather than the 10 percent that would be expected. Phillips took the results to Genevieve Feinstein; she glanced at them, and said at once, “That looks like clear key.” She had noticed the same off-kilter bias in the hypothetical additive bank generated from the ZET trade messages. (The uneven distribution was probably the result of a temporary glitch in the machine the Soviets used to generate random numbers for the pads.) 
Checking the numbers against the hypothetical additives revealed repeated matches between the groups Phillips had spotted and the additive groups located at the very first position of each key page used to encipher the trade traffic.34
The nineteen-year-old Phillips had just stumbled on two stunning discoveries. One was that the Soviets were using the first key group of the one-time-pad page as the indicator to tell the recipient of a ZDJ message which page had been used. That offered a huge shortcut to finding a matching message in depth. The other was that some of the one-time-pad pages used in the trade messages had been reused in the four diplomatic systems as well. There was thus a slim but real chance that all could be cracked open.
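The hypothetical-additive bank and the indicator match described above, as an added example that is not from the book. The code groups and traffic are constructed, addition is assumed to be digit by digit without carrying, and the layout of a ZDJ message after its first group is an assumption made only so the sample traffic can be generated.

```python
import random
from collections import defaultdict

def add_groups(a, b, sign=1):
    """Digit-by-digit add (sign=1) or subtract (sign=-1) mod 10, no carrying."""
    return "".join(str((int(x) + sign * int(y)) % 10) for x, y in zip(a, b))

FREQUENT = ["1234", "5678", "9012"]    # made-up code groups for stereotyped openings

def hypothetical_additive_bank(trade_traffic):
    """Subtract every frequent code group from each trade message's first
    cipher group; each result is a key group its page might begin with."""
    bank = defaultdict(set)            # hypothetical first key group -> message ids
    for msg_id, groups in trade_traffic.items():
        for code in FREQUENT:
            bank[add_groups(groups[0], code, -1)].add(msg_id)
    return bank

def match_indicators(zdj_traffic, bank):
    """The first group of a ZDJ message is the first key group of its page,
    sent in clear; look it up in the bank built from the trade traffic."""
    return {z: sorted(bank[g[0]]) for z, g in zdj_traffic.items() if g[0] in bank}

def build_traffic(n=30, length=6, seed=1945):
    """Constructed traffic: trade message T12 and ZDJ message Z04 share a page."""
    rng = random.Random(seed)
    group = lambda: f"{rng.randrange(10000):04d}"
    pages = {f"T{i:02d}": [group() for _ in range(length)] for i in range(n)}
    trade = {}
    for t, page in pages.items():
        code = [rng.choice(FREQUENT)] + [group() for _ in range(length - 1)]
        trade[t] = [add_groups(c, k) for c, k in zip(code, page)]
    zdj = {}
    for i in range(n):
        page = pages["T12"] if i == 4 else [group() for _ in range(length)]
        code = [group() for _ in range(length - 1)]
        # Assumption: indicator is page[0] in clear, text enciphered from page[1] on.
        zdj[f"Z{i:02d}"] = [page[0]] + [add_groups(c, k) for c, k in zip(code, page[1:])]
    return trade, zdj

if __name__ == "__main__":
    trade, zdj = build_traffic()
    for z, candidates in match_indicators(zdj, hypothetical_additive_bank(trade)).items():
        print(z, "may share a pad page with", candidates)
```

A single-group match can also occur by chance, so each candidate pairing still has to be confirmed against further groups of the two messages.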
—
Even by the standards of the extremely tight security that surrounded everything having to do with codes and codebreaking, the secrecy of the Russian problem was exceptional. The WAVES who reported for duty at Nebraska Avenue would vividly remember for the rest of their lives the introductory lecture they were given their first day. Ushered into what had been the chapel of the girls’ school (it was now the Navy Chapel), they were addressed by a deadly serious officer who informed them that if they ever let slip a single word about their work, ever, they would be shot.35 It was hyperbolic, but in the context of the times none of the young women were prepared to doubt that he meant it. The Russian sections of the Army and Navy codebreaking units were secrets wrapped within that secret. At Arlington Hall the project was referred to only as the “Special Problems Section” or by its designation B-III-b-9 on the organizational chart, which indicated only that it had something to do with Frank Rowlett’s General Cryptanalytic Branch, responsible for every code other than Japanese military. The Navy at first called its Russian section Op-20-GZ, then it became the “Foreign Language Research Section,” or Op-20-GV; shortly after that the name was changed yet again, to Op-20-3-G-10, and the staff were issued new red badges bearing nothing but the number 10, which meant nothing to anybody.*5 Less than two weeks after the surrender of Nazi Germany on May 17, 1945, the U.S. Navy commander in chief, Fleet Admiral Ernest J. King, ordered an increased emphasis on the project, but suggested it ought to be moved out of Nebraska Avenue altogether for security reasons.36
It was obviously a matter of extreme political sensitivity to be spying on an ally, and at one point in 1944, Carter Clarke apparently decided that even the White House need not be kept apprised of Arlington Hall’s efforts.37 It was likewise too sensitive a matter to share with the British, despite the unprecedented collaboration that had been forged between the two nations’ spy agencies since the start of the war. In the summer of 1940, in the dark days of Britain’s lonely struggle against Nazi Germany after the collapse of France, and desperate to find some way to budge America off its isolationist neutrality, Prime Minister Winston Churchill had launched a multifront diplomatic and charm offensive with the aim, as he later candidly told the House of Commons, to get the two nations “somewhat mixed up together.” A delegation of top U.S. Army and Navy officials, invited to London in August 1940, was showered with British intelligence about Germany and Japan, technical details of weapons systems, and, a few weeks later, an even more astonishing offer to exchange cryptographic information with the Americans. William Friedman, instinctively an anglophile, and keenly aware how far the U.S. Army’s codebreakers lagged in their efforts against Axis military systems—in fact, Friedman’s group had virtually no German, Italian, or Japanese army messages even to work on at that point, having been unable to pick up that traffic from the Army’s intercept stations, and it had barely begun to tackle the mathematical conundrums of cryptanalyzing the Enigma—leapt at the offer. Within six months the codebreakers of the U.S. Army and Navy and the British Government Code and Cypher School (GC&CS) were considerably more than “somewhat” mixed up together.
The Americans matter-of-factly handed over to their now-astonished new colleagues the complete solution to the Japanese Purple machine, including a cryptanalytically reconstructed copy of the machine they had built, and the British, albeit a bit more warily at first, began to share their Enigma work and results along with more complete exchanges of raw traffic from a great variety of targets.38
Although they still hoped to use their considerable head start on the all-important Enigma problem to keep control over that crucial success, the British must have known in their hearts that the Americans would not be content to remain the junior partner indefinitely; by 1942 it was already apparent that Britain needed both American manpower and America’s formidable industrial capacity and precision engineering know-how to keep up with the demand for additional Enigma-cracking bombes, and the men and women to operate them. A formal agreement in May 1943 between the U.S. Army and GC&CS provided for complete cooperation on all work against Axis military and air force code systems; under the agreement a large contingent of Americans joined the Enigma project at Bletchley Park, and the U.S. Army set up its own intercept station in England, at Bexley in Kent. A separate, less formal understanding reached with the U.S. Navy the previous October established full collaboration on the German U-boat Enigma problem, with the full-scale production of more than one hundred U.S.-made bombes to take over most of the work.39
But the BRUSA agreement, as the Army-GC&CS deal was known, said nothing about sharing work on diplomatic ciphers or neutral countries, and each side still held back on cryptologic matters that touched interests too close to home. Following America’s entry into the war, Churchill told FDR that he had ordered GC&CS not to try to decode any American messages, and he briefly considered proposing a more explicit “gentleman’s agreement” that each “would refrain from trying to penetrate each other’s cyphers.” But the chief of the British Secret Intelligence Service, Stewart Menzies, talked him out of it, noting that no such agreement could have much practical force; whatever the leaders might agree, “the temptation to have a peep would be more than some experts could resist.” The two countries also adopted a joint, extremely secure cipher system for exchanging secret intelligence between Washington and London. But the British quietly developed their own private cipher machine as well, called Rockex, which employed a one-time paper tape enciphering device and which they used to keep sensitive messages from the prying eyes of their ally: the British had learned that if they wanted to influence joint military plans, the only hope was to get to the lower-level U.S. staff officers who were drawing up the American proposals at their early stages, and many Rockex messages were instructions to the British military mission in Washington on what ideas they ought to try to plant in the minds of their American counterparts.40
As the end of the war drew near, the marking “N.B.” began appearing with increasing frequency next to certain paragraphs of memoranda and reports from Op-20-G and Arlington Hall. The letters stood not for “nota bene” but “No British,” and the restriction was most frequently appended when the subject of reading the coded traffic of neutrals or allies—Russian, Free French, Dutch, Latin American—was discussed, or when details about new developments in U.S. electromechanical codebreaking machines were mentioned, particularly the devices known as “statistical bombes,” which might make even the most secure U.S. cipher machines vulnerable to decryption. The British for their part began to be suspicious, as Arlington Hall’s liaison man in London reported, that the Americans were “utilizing the war to exploit British cryptographic knowledge” in matters unrelated to actually winning the war, in particular involving countries that fell within the British Empire’s traditional sphere of influence in the Near East and elsewhere. (The suspicions were well founded: the informal Army-Navy committee that coordinated U.S. signals intelligence policy urged in February 1945 that “advantage should be taken of the present opportunity to obtain all possible information from the British.”)41 The working relationships between the two countries’ signals intelligence operations had grown extraordinarily close, on both a professional and personal level: many lifelong friendships and more than one marriage between American and British codebreakers were made at Bletchley Park.42 But by the spring of 1945 it was far from clear what, if any, collaboration would continue after the war. Significantly, although the British, like the Americans, resumed work on Soviet codes in the summer of 1943, neither had yet revealed the fact to the other.
The greatest doubts came from Op-20-G. The U.S. Navy had never been fully sold on the idea of getting too close to the British, and now with the end of the war in sight many American naval officers began to suggest that continuing the wartime arrangements, especially if that meant working together to break the Soviets’ messages, would be a mistake. Some of this reflected the remarkably resilient anglophobia in a service that had never quite been able to forget if not the War of 1812 then at least the infuriating condescension with which the Royal Navy had welcomed its American counterpart when they were fighting as allies in World War I; some was the U.S. Navy’s customary view that it did not share its secrets with anyone, starting with the U.S. Army, civilians of any nationality, or politicians up to and including the president of the United States.
But even the cooler heads in the Navy—and there were few cooler than that of Captain Joseph N. Wenger, the chief of Op-20-G and one of the Navy’s most experienced cryptanalysts from the prewar era—argued that the interests of Britain and America were bound to diverge in the postwar world. Wenger, a 1923 graduate of the Naval Academy, had been a steady force pushing the Navy to take cryptanalysis and signals intelligence seriously. As radio intelligence officer for the U.S. Asiatic Fleet during Japan’s prewar naval exercises in the Pacific, he had intensively studied Japanese call signs and communications procedures and shown that even without reading the contents of messages it was possible to derive considerable information about an enemy’s force structure, movements, and intentions, the process that would come to be known as traffic analysis. He subsequently pressed for the establishment of permanent intercept stations around the Pacific, and at times almost single-handedly prodded Op-20-G into the era of modern cryptanalysis, pioneering the use of IBM punch card equipment and leading the push for the United States to build its own bombes to attack the naval Enigma problem.43
Wenger praised the professional and personal ties and goodwill that had grown up between the two allies’ codebreakers during the war—the British government would award him the CBE in acknowledgment of his wartime contributions and close collaboration with his counterparts at GC&CS—but he was not about to let warm feelings get in the way of cold judgment. “The fact that we are military allies in war does not necessarily mean that we shall be commercial or political allies in peace,” Wenger warned in May 1945. Should that not be the case, he said, continuing to work on intimate terms with the British on signals intelligence “might deprive us of a vital advantage we might otherwise enjoy.” The British did have some advantages to offer when it came to attacking the Russian codes. Their intercept sites were better located, they could tap British-owned cables that carried some of the traffic, and they were in a better position to “gain physical possession” of codebooks and other materials owing to their “worldwide intelligence organization” that was “unhampered by doubts as to the proprieties of methods used.” But, overall, Wenger confidently asserted, the U.S. codebreakers had surpassed their British counterparts in technical proficiency: they no longer needed the help. Wenger proposed that any future exchanges with the British should be on a strict “barter basis.”44