Documents Reveal CIA Part-Owned Crypto Company for Decades and Enabled Easier Decryption


Guest_Jim_*

The Washington Post and German public broadcaster ZDF have obtained documents covering the history of a decades-long and far-reaching operation in which the CIA and the BND, the West German intelligence agency, owned the company Crypto AG. Exactly as the name suggests, this Swiss company created encryption equipment and had over 100 countries as customers, and the equipment was designed to be vulnerable to the intelligence agencies. While the devices did not have back doors to allow direct access to them or a means to provide the cryptographic keys they used, the algorithms that generated the keys were created by the NSA specifically so they could be more easily broken. Other means would still have been necessary to intercept the encrypted communications, but once a message was in hand, it could potentially be decrypted in seconds as opposed to months.

Originally, starting in 1960, the CIA's involvement with Crypto AG was meant as a denial operation, to keep the encryption technologies away from unfriendly countries. At the time the devices the company made were mechanical, but once integrated circuits were developed and showed potential for encryption, the purpose changed to supplying vulnerable algorithms. The first all-electronic model from Crypto AG was rolled out in 1967 with its internals completely designed by the NSA. With countries eager to secure their communications, the CIA actually provided funds to the company to support marketing efforts so the countries would turn to this company. Two models of the company's equipment were produced: a secure one that would be sold to friendly governments, and rigged systems that other nations would receive.

It was in 1970 that the CIA and the BND officially formed a partnership to purchase Crypto AG, which was done in such a way as to hide the identities of the owners. After the purchase, a new board of directors was set up for the company, with only one member aware of the CIA involvement. Though the agencies did find it necessary to bring in outside firms to assist at times with running the company and fixing its products, the company did manage to turn a profit, which was then split between the CIA and BND and used to fund other projects and operations.

According to the documents, the vulnerable Crypto AG machines enabled the US to monitor communications of the Egyptian President in 1978 while peace negotiations were going on at Camp David. The next year, when the US Embassy was stormed by Iranian militants, the NSA was able to report the reactions of the Ayatollah Khomeini to the latest back-channel messages sent by President Carter through Algeria, when trying to negotiate the release of 52 American hostages. Information collected on Argentina was also shared with Britain during the brief war between the two over the Falkland Islands, but the documents did not identify the kind of information shared. In the 1980s customers of Crypto AG grew to include Saudi Arabia, Iran, Italy, Indonesia, Iraq, Libya, Jordan, and South Korea, and with the use of smear campaigns against rival companies and bribes by the agencies, its market position was protected. It was also in the 1980s that the operation name changed from Thesaurus to Rubicon.

While there were efforts to keep Crypto AG machines in use, there were also some slips that risked exposing the program. After the 1986 bombing of a West Berlin disco, President Reagan referenced communications from Libya's embassy, making it clear messages between it and Tripoli had been compromised. Not only did Libya notice this, but so did Iran, though it did not act on its suspicions for six years.

While there were some at Crypto AG aware of the intelligence agency relationships, there was an effort to keep the employees from knowing, which proved difficult at times as the engineers and designers could find the vulnerabilities and would sometimes question the algorithms being provided by an external entity. In 1977 an engineer was even fired after the NSA noticed communication from Syria became unreadable and it turned out the engineer had visited the country in response to complaints about the products. Without authority from the company, the engineer fixed the vulnerabilities, but the CIA would have preferred he be kept quiet on the company's payroll instead. The next year US officials were alarmed when a gifted electrical engineer, Mengia Caflisch, was hired, because the NSA believed she was "too bright to remain unwitting," which proved correct as she actually developed an algorithm so strong the NSA worried it would be unreadable. Some machines were even produced before executives learned of the development and stopped it, and the 50 secure machines went to banks so foreign governments would not receive them.

To reduce the possibility of issues after this, the CIA and BND sought someone who could make the algorithms more advanced and the vulnerabilities less detectable. This worked to address the employee concerns, and in 1982 the hire, Kjell-Ove Widman, was sent to Argentina to address the country's concerns that its messages had been cracked and shared with the British. He was able to convince them an outdated device was to blame, and not the Crypto AG product.

In 1992 the operation faced its first major crisis when a salesman was arrested by Iran, which was suspicious of the company at this time. The salesman did not know about the relationship with the CIA and BND or about the weaknesses in the algorithm, but after he was released following a payment of $1 million, provided by the BND, he was traumatized and suspected Iran knew more about his employer than he did. The publicity of this incident made it necessary for the chief executive to dispute claims he knew were true, but old records were discovered exposing some aspects of Crypto AG's relationships. This led at least six countries to cancel or suspend their contracts, and also led German officials to want to pull out of the partnership, for fear of political and economic fallout if it were exposed. In 1993 the CIA bought out the BND portion of the company and the Germans lost access to the intelligence gathered. The CIA also expanded its collection of encryption companies at this time, owning a second and supporting a third.

It was also in the 1990s that the operation started to decline, as the company was no longer profitable and would have gone out of business if the US government had not propped it up. Even with the company failing as encryption moved away from hardware to software, many countries continued to use the products they had, so the operations continued to produce valuable intelligence. Still, the company has since fallen, with its assets being sold off, though the transactions did seem to be designed to hide the CIA. One of the companies that purchased a portion of the business, CyOne, also brought in some Crypto AG employees, including some that were likely aware of the CIA operation, but has the Swiss government as its only customer. The Swiss were always sold the secure versions of the Crypto AG devices. Another company that purchased Crypto AG's international accounts and business assets was apparently never informed of its history during negotiations for the acquisition, and is now investigating its products to remove any vulnerabilities.

This is definitely an interesting story and potentially worth your time reading the original Washington Post source linked below. It will also be interesting to see what fallout there will be following these revelations.

Source: The Washington Post


