FILE – This April 13, 2016 file photo shows the seal of the Central Intelligence Agency at CIA … [+]
The Washington Post dropped a bombshell on Tuesday with its late-breaking story about a Swiss encryption company, Crypto AG, that was jointly-owned by the CIA and the BND, West Germany’s intelligence counterpart. The Post and German broadcaster ZDF obtained a detailed classified report about the Crypto program, which included substantial information about the company’s internal operations. They also interviewed people and reviewed additional documents. The Post said that, at the insistence of the source, they were reporting on excerpts of the material. It is a juicy story that raises some serious issues worth a Congressional investigation.
Over a span of five decades, the jointly owned company manufactured encryption equipment and sold it to governments in over 120 countries. The operation enabled the U.S. and Germany intelligence agencies to read encrypted messages from friends and foes around the globe, providing an enormous advantage in bilateral negotiations and discussions. The volume of communications flowing from this operation sometimes accounted for about 40% of the total number of messages the NSA decoded for intelligence purposes.
Beyond the strategic advantages of knowing the communications of friends and foes, the Post correctly noted that, “Its reach and duration help to explain an insatiable appetite for global surveillance that was exposed in 2013 by Edward Snowden.” The classified report called it the “intelligence coup of the century,” and noted that the communications of foreign governments who bought the technology were “read by at least two (and possibly as many as five or six) foreign countries.” This was likely due to the “Five Eyes” intelligence sharing arrangement that exists between the U.S., U.K., Canada, Australia, and New Zealand.
How It Was Possible: An Addiction and Two Friends
The operation was made possible by (1) the cooperation of Crypto’s founder, Boris Hagelin, (2) a long-time friend of Hagelin’s who shared his interest in cryptography, and (3) an American intelligence agency that was addicted to its global surveillance system.
It all begins with a government contract. Hagelin had fled from Russia to Sweden and ultimately ended up in the U.S. at the beginning of World War II. He brought the first Crypto machine with him, which was portable and required no electricity, making it very useful for military operations. Hagelin landed a contract with the Army to produce machines to support the war effort.
After the war, the Soviet Union, China, and North Korea were using unbreakable encryption systems. The U.S. became worried that other countries might start buying these systems, and it would lose access to their communications. By that time, Hagelin had moved Crypto to Switzerland, but kept in touch with his long-time friend, William Friedman, a well-regarded cryptologist and member of the U.S. intelligence community. On a visit to D.C., Friedman and Hagelin had dinner and sealed a deal that Crypto would only sell its strongest encryption equipment to countries approved by the U.S. and it would sell less sophisticated systems to other countries. For its part, the U.S. would pay Crypto for lost revenues.
This was the beginning of Crypto’s relationship with the CIA and a long slide of entanglement with the intelligence community. Crypto allowed intelligence personnel to become involved in the development of equipment and accepted “rigged algorithms” for the machines. The Post story notes that by this time Crypto had gone beyond just restricting equipment sales, it was “actively selling devices that were engineered to betray their buyers.” From 1970 on, the CIA and NSA, with their German counterpart, “controlled nearly every aspect of Crypto’s operations.”
The operation entered into a two-decade stretch of unprecedented access to foreign governments’ communications.
The U.S. became worried about Hagelin’s age and was alarmed when they learned the French and German intelligence agencies had offered to buy Crypto. Hagelin refused out of loyalty to the U.S. He agreed to sell Crypto to the CIA and BND in 1970. The Post story notes that, “The operation entered into a two-decade stretch of unprecedented access to foreign governments’ communications.”
The partnership continued until the Germans wanted out in 1993, and the CIA purchased their share for $17 million. According to the Post, after the Germans were bought out, the CIA “expanded its clandestine collection of companies in the encryption sector” and “secretly acquired a second firm and propped up a third” using funds from Crypto.
The CIA kept the company going until 2018, when it sold off its assets. The details of the purchase and sale, including the identities of the parties, were concealed by leveraging Liechtenstein’s protections for financial secrecy.
Why Congress Should Review The Intelligence Community
This story adds an important dimension to other articles that discuss the U.S. intelligence community’s involvement in encryption technologies, including its failed attempt to get “Clipper chips” installed in technology products so law enforcement would gain access to encrypted communications. It also validates many of the rumors and stories that have been bandied about for decades regarding the U.S. intelligence community’s involvement in encryption companies.
In September 2013, documents released by Edward Snowden revealed that the NSA created an algorithm for random number generation that would enable it to crack encryption products and got it inserted in a NIST security standard, which was approved for worldwide use in 2006. In December 2013, Reuters reported that the NSA paid encryption company RSA $10 million to make the algorithm the default method for number generation in one of RSA’s widely used encryption products, Bsafe. Some people believed the company was duped, and the NSA did not reveal the capabilities of the formula to the company. RSA, which was a subsidiary of EMC Corporation, urged customers to stop using the algorithm.
This episode was cited as an example of NSA’s desire to erode security products. It also created harmful press for RSA, EMC, and NIST and raised concerns about how many other products NSA might have tampered with. In sum, it weakened the public’s trust in the encryption community and it tarnished one of America’s leading technology companies. An article in The Verge noted, “If NSA standards can’t be trusted, many of the tools of modern cryptography will have to be rewritten.”
The U.S. technology sector is a driver of our economy and is critical to our national security. When our technologies can’t be trusted, our companies will fare no better in the global market than Huawei and Kaspersky does in the U.S. In September 2019, all federal agencies were prohibited from using cybersecurity products made by the Russia-based Kaspersky Labs. Yesterday, the Wall Street Journal reported that Huawei has back doors to access mobile phone networks without the knowledge of the carrier. In 2012, the U.S. Government banned American carriers from using Huawei networking equipment, but has granted several reprieves to allow carriers to come up with other options. President Trump issued an Executive Order banning Huawei products from U.S. communication networks and has pressured other countries to do the same.
The CIA, NSA, and other entities of the intelligence community have serious and important missions and much of the Crypto story involved legitimate intelligence activities. Countries spy on each other, intelligence information is shared between countries, and it is a dirty business. There are limits, however, to intelligence operations and espionage, primarily set forth in Title 50 of the U.S. Code and through Congressional oversight and the budget process. This is where the Crypto AG operation hits a foul.
The revenues from the sales of the Crypto encryption equipment were split between the U.S. and Germany, providing the CIA with millions of dollars of funds that were outside of the U.S. Government budget process and Congressional oversight. Intelligence budgets are murky at best. When these agencies have access to millions of dollars that no one knows about, there is no accountability. The Crypto funds could have been used to fund intelligence operations that Congress, and even perhaps the Executive branch, were unaware of or would have disapproved of.
The intelligence agencies have deep tentacles into the financial, technology, communications, and other sectors because they need to work with them to conduct their operations. It is one thing for intelligence agencies to work with companies and quite another for them to buy companies and have an untaxed, unaccounted for revenue stream that can be used for any purpose.
The Post story also reveals the moral and ethical issues associated with an intelligence agency owning a company and none of the employees, except maybe the CEO or chairman, know it. Depending on breaches or circumstances, the lives of these people could be at risk. The Post story reveals how some Crypto employees felt very betrayed when they learned the CIA and BND owned the company they worked for and how others were put at risk doing their work.
The revelations in the Post story deserve more scrutiny than some closed-door intelligence committee hearings. Since 9/11, there has been a steady stream of headlines about issues or concerns with intelligence activities. As we approach the 20-year anniversary of these attacks, it is time to take a full review of our intelligence agencies and their operations. In a 2014 article, I called for an investigation into the NSA and its intelligence activities and in a 2012 article (before Snowden), I discussed the NSA’s aggressive data collection activities and called for full review of privacy laws and intelligence community practices. That same call is repeated here.