German and US Intelligence Reportedly Used Company’s Equipment to Spy on 100 Countries
A CX52 cipher machine made by Swiss firm Crypto AG, which the CIA and German intelligence controlled (Source: National Security Archives)
Intelligence agencies in the United States and West Germany secretly owned a controlling stake in Swiss firm Crypto AG for decades and used their access to the company’s encrypted communications equipment to spy on over 100 countries, including friends and foes alike, according to reports in the Washington Post and German TV station ZDF.
Starting in the 1970s and continuing through the 1990s, the U.S. Central Intelligence Agency and the German BND intelligence service secretly controlled the majority of the Swiss firm Crypto AG, giving the two agencies access to the company’s communication equipment, which was used around the world for top-secret government messages, according to the reports. As a result, the intelligence agencies could easily break the codes that countries used to send encrypted messages.
“Let’s spell out the significance of [this]: We’re looking one of the most momentous and simply mind-boggling revelations in intelligence history here, not just in the past century – ever,” says Thomas Rid, a professor of strategic studies at Johns Hopkins University, via Twitter.
This decades-long operation was deemed “Operation Rubicon,” and the CIA documents that the Washington Post and the German TV station obtained show that other countries, including the U.K., Canada, Australia and New Zealand – known collectively as the Five Eyes – may have benefited from this relationship as well.
The CIA’s code name for Crypto AG was “Minerva,” a reference to the Roman goddess of wisdom, according to the Washington Post.
The publishing of the news reports on Tuesday created an immediate backlash in Switzerland, where government officials told Reuters that they have opened an investigation into Crypto AG, which was liquidated in 2018 and broken up into two firms.
One reason for this sale might have been to allow the CIA to sell its shares and cover up its relationship with Crypto AG, according to Reuters.
The CIA and German officials declined to comment on the reports, but did not dispute the authenticity of the documents, according to the Post.
Breaking Encryption Across the Globe
At the heart of the operation were portable encrypted communication devices that Crypto AG first started producing and selling to clients around the world in the 1930s, according to the news reports. In the 1950s, U.S. cryptographers working with the U.S. National Security Agency began to take a greater interest in the company and had developed a “gentlemen’s agreement” with Boris Hagelin, an inventor and one of the company’s founders, to access some of the company’s equipment, the news outlets report.
In a declassified memo published by the National Security Archives, an independent, not-for-profit research organization, American cryptologist William Friedman wrote to the NSA about Crypto AG in March 1955 and described its encrypted communication technology to the U.S. government.
At one point, Hagelin told Friedman that he would hold up production of a new cipher machine until the NSA could fully examine it and get an early production model, according to the memo.
“I told him that I thought this might be advisable, and that in any case we would want one of these models just as soon as possible,” Friedman wrote in the memo.
In 1970s, the CIA and West German intelligence took a major financial stake in the company, giving both agencies greater access to the equipment and allowing their encryption specialists to rig “the company’s devices so they could easily break the codes that countries used to send encrypted messages,” according to the Washington Post.
How an Crypto AG CX52 cipher machines works
At one point, the U.S. and West Germany had such control over the company that the governments controlled who worked there and even oversaw sales material and tactics, according to the news reports from the Post and the German TV station.
After the CIA and West German intelligence took control, employees began to notice a change. A former Crypto AG worker told Switzerland’s SRF television station that he would find two sets of encryption algorithms within the company’s devices. The first couldn’t be cracked, but the other could and acted as a backdoor into the gear.
Crypto AG Clients
Over the decades, countries that bought Crypto AG equipment included Iran, Egypt, Pakistan, Saudi Arabia and Italy, as well as dozens of countries in Latin America, according to the Post.
Many of the Latin American countries that used Crypto AG communication equipment were part of Operation Condor, a group of military dictatorships backed, in part, by the U.S. during the 1970s to fight Soviet expansion in South America.
In a 1977 CIA memo published by the National Security Archives, U.S. officials noted that several of the Operation Condor countries received CX52 encrypted communication machines from Crypto AG, but they didn’t know that the NSA has already secretly tested these devices prior to sale.
The Post notes that neither the Soviet Union nor China used Crypto AG technology.
The fact that so many countries, including U.S. allies, relied on Crypto AG equipment shows that they lacked the know-how to create their own secure technologies, which gave the CIA a huge advantage, Matt Blaze, a professor in the department of computer science at Georgetown University, noted on Twitter.
“The inescapable conclusion from this (and related revelations) is that if your country doesn’t have independent cryptologic, electronic, manufacturing and communications capabilities (and almost no one does), you’re pretty much screwed for diplomatic and military comsec,” Blaze adds.
The fact that Crypto AG sold rigged encryption hardware to western adversaries has been reported before, but it was far more pervasive than I ever imagined. https://t.co/stJZ0t49kY
— matt blaze (@mattblaze) February 11, 2020
End of the Relationship
The Washington Post and the German TV station report that at the end of the Cold War, in 1995, the CIA bought out the German BND intelligence service’s share in Crypto AG for about $17 million, and the U.S. continued to control the company until 2018, when it was liquidated and sold.
Since 1995, the CIA’s hidden role with Crypto AG has been rumored, but it was never fully explained until media reports surfaced this week. The Baltimore Sun wrote some stories about the Swiss company and the CIA in 1995, but those did not establish a definitive connection.
Fights Over Encryption
The news reports about the relationship between the CIA and Crypto AG come at a time when the U.S. government is not only warning about possible cyber espionage by other countries, but also pushing for domestic law enforcement agencies to have access to encrypted communications.
Over the last several months, the Trump administration has warned that countries that choose to use Huawei equipment in their 5G network rollouts are prone to having their telecommunications traffic intercepted by the Chinese government, which could endanger the sharing of classified communication between the U.S. and its allies (see: Britain’s 5G Lesson: Choose or Choice Will Be Made for You).
Meanwhile, U.S. Attorney General William Barr has argued that law enforcement needs backdoor access to encrypted devices and services developed by companies such as Apple and Facebook so it can investigate crimes (see: Attorney General Barr Argues for Access to Encrypted Content).
Attorney Chris Pierson, CEO of cybersecurity firm Blackcloak, says that intelligence agencies, whether in the U.S. or elsewhere, are always looking for new ways to obtain information, whether it’s breaking the mechanisms of encryption or the secure avenues of transit, infiltrating hardware or software or by recruiting people to tell their secrets.
“While many are focused on backdoors to software encryption today, this story is a reminder that all avenues for interception are important to risk rate and control against,” Pierson tells ISMG. “Ensuring the security and privacy of the device, network, chips, software and whole infrastructure stack is needed to ensure items meant to be protected are safe and secure.”