February 12, 2020

Swiss cryptographic firm was an American and German intelligence front

Crypto AG radio encryption devices

Any country that was using Crypto AG products to provide secure communications stopped using them today.

In what most intelligence and many national security professionals regard as a bombshell report, the Washington Post, the German television network ZDF, and the Swiss television channel SRF revealed that what appeared to be a Swiss commercial cryptographic company was actually jointly owned by the Central Intelligence Agency (CIA) and Germany's Foreign Intelligence Service (Bundesnachrichtendienst, BND) from 1970 until 2018. The reporting is based on a leaked CIA report. If true (and it seems to be), it is a major counterintelligence problem.

Crypto AG was a major supplier of communications encryption and cipher machines. The company AG was a common and respected name in the cryptographic community. For almost five decades, Crypto AG supplied cryptographic equipment to more than 120 countries, mostly in nations without the technological or financial resources to develop advanced secure communications capabilities of their own.

Unbeknownst to these countries, the cryptographic devices provided were modified to provide "back door" access for the American National Security Agency (NSA) to enable its analysts to read the "secure" communications from these countries. According to the reporting, almost 40 percent of the foreign communications processed by NSA in the 1980s had been derived from Crypto AG machines.

As a former signals intelligence officer with years of service at NSA and its field collection activities, that seems to be an inflated number, but any penetration of a foreign government's internal communications would be an intelligence coup.

As any intelligence officer will tell you, access to a foreign government's communications is a high priority collection requirement. Access to foreign government communications can be gained by acquiring that government's cryptographic codes and the machines used to transmit the communications - having that access is priceless. That is exactly what is being claimed here.

Intelligence derived from access to a foreign government's internal diplomatic and military communications is regarded as among the most useful and sensitive information that can be provided by an intelligence service. It is almost always highly classified and its distribution tightly restricted. That is because revelations such as this cause governments to immediately change their communications procedures, change codes, change machines, etc., denying continued exploitation to real or potential adversaries.

Was it useful to the United States intelligence community? In the words of former director of NSA and deputy director of CIA Admiral Bobby Inman, “It was a very valuable source of communications on significantly large parts of the world important to U.S. policymakers.”

So why did these countries buy cryptographic machines from Crypto AG?

Crypto AG was a Swiss company - many foreign governments believed that a major commercial company of an erstwhile fabled neutral country would be above the antagonism of foreign intrigue and would provide a reliable, secure cryptographic capability.

The assets and much of the intellectual property of the Swiss firm Crypto AG have been acquired by the Crypto International Group of Sweden. They deny any previous or current association with the CIA or BND.

Interestingly, both Russia and China believed that placing their most sensitive communications at the mercy of a company of a foreign, albeit neutral, country was a dangerous practice and thus elected to develop their own internal cryptographic systems.

Revelations such as this will cause many/most countries to reassess their cryptographic procedures. We have to assume that any country using Crypto AG (or now Crypto International Group) devices will at a minimum stop using their machines, or completely overhaul their "secure" communications protocols.

Neither of these are good for our ability to collect intelligence on these governments. Recall that in 1988, a former CIA official revealed that NSA had successfully accessed the phone calls of al-Qa'idah chief Usamah bin Ladin. That source of information dried up immediately after the revelation.

While this is a good story about a significant success by the intelligence community, the publicity inevitably leads to its demise. As I said, anyone who was using a Crypto AG products is not using it anymore - I wouldn't.