Sputnik discussed the issue with Mark Gregory, associate professor in Network Engineering from RMIT University, Australia.
Sputnik: The US Central Intelligence Agency and the German Federal Intelligence Service (BND) have been monitoring the secret military and diplomatic correspondence of more than 100 countries through the Rubicon operation for more than 50 years via a Swiss message encryption company. Why do you think this crime has never been uncovered until now?
Mark Gregory: The history of the company Crypto AG is such that its relationship with the US and other intelligence agencies has been well-known for many decades; and it could be assumed that a cryptographic company that has links to the US and other Western intelligence agencies would be tied to them in some way.
In this particular instance, it’s now become evident that behind the scenes this agency or this company was owned by the two intelligence agencies. I don’t think that would be unexpected in these circumstances, given the relationship with this company.
The question of why this has never been uncovered until now really goes to the nature of how intelligence services work to protect that behind-the-scenes relationship with this company. It was very much kept in the dark, and that suited the purposes of the intelligence services.
Sputnik: The Swiss company’s devices were designed in such a way that the CIA and BND could wiretap using specially-created “holes” in the encryption security system, the investigation said. Could you explain in more detail how this worked?
Mark Gregory: What we’re talking about is a respectable company that the organisations that purchase their products would anticipate that this company would be independent and therefore there would be a degree of acceptance of the products that they are selling onto the marketplace.
Organisations and governments that purchase products from Crypto AG would not expect that this company would be putting back doors into the products so that the intelligence services would be able to use those back doors to essentially decrypt and access information that would otherwise be anticipated to be secure.
So, this is really at a number of levels. However, if you look at it from the perspective of the intelligence services, this approach has been serving them well for a very long period of time.
However, if you were an independent country or a company that was using the product being sold by Crypto AG, you were going to be very concerned with what’s happened. And it means that governments and organisations will have to go back for a long period of time trying to figure out what has been compromised through this company’s products and systems. I think the reason that it has become known now is that what we’re seeing is that there’s a lot more investigation that’s occurring today in the whole world of encryption, cryptography, and also in cyber-crime.
Therefore there are more researches and more people digging into the types of products and services that are on the market today. And we’ve seen these types of ideas of back doors being thrown around quite liberally, and especially in the telecommunications market where companies like Huawei and others have been unfairly identified as being companies that are risky in terms of cyber-crime of some type. What we really know, of course, is that all intelligence services are working very hard to get an advantage in this area.
Sputnik: About 120 countries used the services of Crypto AG, including nations in Europe, Africa, the Middle East, and Latin America. Switzerland's neutrality was an important factor contributing to high demand. How do you think this could affect Switzerland’s image? Is it a case that no one and nothing can guarantee privacy in our time?
Mark Gregory: I think that, for Switzerland, this has come at a very bad time, because the country is still trying to realign or readjust itself with changes to its banking system and the neutrality that it always brought into the banking environment; there have been major changes there with banks now sharing information about customers and accounts, again, due to crime.
And this news that we’ve heard, where intelligence services have been using a Swiss-based company to carry out this type of intelligence action, will really get to the core of the idea of Swiss neutrality. As for the Swiss government, they’re going to have to react very quickly to this problem and try and plug the hole and work to regain the confidence of people in the marketplace.
In some way, I think that it means that the Swiss government is going to have to inquire into all companies that work in some way in selling products and services to other countries to ensure that what they’re doing is in the national interest, as well as in the company’s interest. In this particular case, the country has been let down by the revelations that this company was actually being run by intelligence services.
Sputnik: What steps can we expect from Swiss authorities in the future?
Mark Gregory: I think that the Swiss government will have to essentially send the order to companies that may in some way have products or services that they’re selling that could be a similar front for foreign governments. And they would also need to put in place legislation or some type of regulation to ensure that companies are not misrepresenting themselves to clients in the way that this company has.
Because this is about national reputation, which, of course, is more important for Switzerland than the profits of one company; so they are going to take action very quickly to ensure that their reputation is protected. I think at this point there’ll be a lot of pushback on the Swiss because of this happening; and for the government, it will show that the government hasn’t really been taking enough action to ensure that what is being provided by Swiss companies is independent of foreign interference.
Sputnik: Should Swiss authorities coordinate future strategy with other countries that are also being watched?
Mark Gregory: I think that in this instance, the Swiss government has an obligation to step in and work with other countries and organisations that have products from Crypto AG, and to try and work towards resolving this situation. It may be that Switzerland doesn’t have a way to solve this technically, in terms of helping organisations and countries replace the equipment that came from this company.
But this means that the Swiss government is really going to have to put in place a diplomatic effort to work with companies and other countries to find an alternative solution. But as we know, in this particular area, there are not that many companies that you would call independent.
So, whether the products are coming from the US, or the products are coming from Europe, Russia or China, what we’re seeing is that fingers are being pointed in every direction about what can be trusted and what can’t be trusted. And I think that this really means that everyone is going to have to go back to the drawing board; and in some way, the kingdom has possibly inadvertently shown us the way forward.
And that is with the programme that was put in place, where the UK has been reviewing telecommunications equipment made available by Huawei. The UK has built up some level of confidence about the equipment coming from Huawei, and therefore the UK has made the decision to continue with Huawei equipment in their market.
So, it doesn’t matter whether the equipment is coming from the US, Europe, Russia, China or Australia, the equipment needs to be inspected; the software and the systems need to be inspected, and there needs to be independent analysis. So, in the telecommunications field, we call this security assurance. In the security field, what they’re talking about now is equipment systems assurance.