The US Central Intelligence Agency (CIA) and Germany's Federal Intelligence Service (BND) had covertly run Crypto AG, a Swiss company that made and sold encryption equipment to over 120 countries for decades, making it possible for American and German spies to crack other nations' top secrets, The Washington Post, German public broadcaster ZDF and Switzerland's SRF revealed this week.
Switzerland's Neutrality Was Seen as 'Plus' for the Company
For the countries which used Crypto AG's services, including nations in Europe, Africa, the Middle East, Latin America and even the Vatican, Switzerland's neutrality was an important factor. Nevertheless, Washington's major Cold War rival – the USSR – was never one of the company's customers.
"The location of the company was probably considered by some 'a plus' for the company to be trusted. For those, there will probably be a re-thinking of this bias, but maybe not enough to change the decision that they took", says Mauro Conti, full professor in computer science, and head of SPRITZ Security and Privacy Research Group.
According to Conti, "rooting the security of an organisation on 'a single' company/device, might also be a bad practice that could and should have been avoided".
"Keeping information, as well as operations like this, secret is always a 'battle of wits' between entities that have two opposite goals,", the professor elaborates. "If it has been uncovered for a long time, it just means that who was running it, did it quite well, and/or that those who were supposed to find this out, did not put in enough effort, including working on the wrong assumptions."
According to reports, the earliest mentions of the clandestine operation in the press go back to 1992 and 1995. On 10 December 1995, The Baltimore Sun broke the news that the US National Security Agency (NSA) "secretly rigged Crypto AG machines" so that American spies could easily decrypt their codes, citing former company employees and documents. However, the story was resolutely denied by the US and German intelligence services.
Responding to the question as to why it has been found out now, Conti noted laconically that "the battle of wits and capabilities to support them just turned in favour of the other player".
'Hundred-Percent Privacy is No Longer Possible'
Mauro Conti notes that while it's hard for him to explain the specific technical details of the "holes" in the Swiss company's devices which helped the CIA and BND to intercept information, modern surveillance capabilities are even more vast.
"There are a lot of ways to add 'backdoors' and 'covert channels' to systems," he explains. "If well-designed, these are very difficult to be detected even when devices are carefully inspected. Just to cite an example, in recent activities of my research group, we showed the possibility of building a covert channel on a smartphone by using energy consumption modulation – a 'channel' that is far underestimated (and hence not inspected) to be used to 'send out' information in a 'stealthy' way".
Operation Rubicon, which was large in scale, predated the sophisticated data-intercepting activities exposed by former CIA subcontractor Edward Snowden, who leaked highly classified information about the NSA's programme, code-named Prism, in 2013. Reportedly launched in 2007, Prism allowed the US intelligence community to collect large amounts of data on Americans and foreign citizens. Four years later, WikiLeaks released a series of documents titled Vault 7 which shed light on the CIA's activities and cutting-edge capabilities in performing electronic surveillance and cyber-warfare.
One has to wonder whether there's anything that can guarantee privacy in our time. The professor's answer is "no, as scary as it might sound" if one means a100-percent guarantee.
"It is not just matter of our times, but definitely the digital era definitely helps a lot to expose information, as well as to retrieve it", Conti underscores. "In addition, underestimating the problem does not help."
How It All Began: Russian-Born Émigré & American Cryptologist
While, according to the report, the beginning of the CIA-BND secret collaboration, code-named Operation Rubicon, dates back to the 1970s, Crypto AG's links to the CIA can be found even deeper in history.
The company's founder, Boris Hagelin, was born in Russia and fled to Sweden after the 1917 Revolution. In the 1930s, he made friends with William F. Friedman, the leading US cryptanalyst. In 1940 Hagelin moved to the US and started selling portable encryption machines to the US military. After the Second World War, Hagelin returned to Europe and established his business in Switzerland. In 1951 he and William Friedman, who was at the time head of the cryptographic division of the US Armed Forces Security Agency (AFSA) struck an agreement that Hagelin would sell his devices only to countries approved by the US. In 1970 Crypto was bought out by the West Germany and American intelligence services.
Presumably, at least four countries, namely Israel, Britain, Sweden and Switzerland knew about the clandestine operation or even had access to intercepted information.
In the early 1990s, BND sold its share in the company to the CIA. In 2018 Crypto AG was liquidated while two other separate entities emerged – Crypto International and CyOne Security AG.
As Reuters revealed on 11 February, the Swiss authorities launched an investigation into Crypto AG's activities last month. Crypto International and CyOne Security AG denied any connection to the CIA or the BND, or any relation to their predecessor firm's history.
