#Cryptoleaks: what we know, open questions, and a path forward
What we know #
The three media outlets @srf¹, @zdf² and @washingtonpost³ jointly reported, based on the CIA's and the BND's internal histories of the operation, that #CryptoAG was owned from 1970 onwards by the CIA and the German BND and sold cryptographically weakened devices.
Between the 1970s and the 1990s, the partnership accounted for over 40 per cent of NSA's machine decryptions and for 90 per cent of the BND's diplomatic product reports.
Who knew? #
The Washington Post claims that “the documents show that at least four countries - Israel, Sweden, Switzerland, and the United Kingdom - were aware of the operation or were provided intelligence from it by the United States or West Germany.” SRF showed documents claiming that the secret was shared, over the years, with Denmark, France, the United Kingdom, Israel, the Netherlands, Sweden and (unidentified) others (1:20:30h in the Swiss documentary). Yugoslavia had spotted the weaknesses and demanded that they be fixed, according to a Crypto AG engineer who confirms that they were fixed. Notably, this led to discontent on the owners' side during the Yugoslav Wars. Austria too noticed the flaw in the devices and stopped using them in the late 1970s, according to a retired Austrian diplomat.
Switzerland #
SRF found an archival file from 1977 detailing allegations by an ex-Crypto AG engineer, who claimed that Crypto AG was engaged in espionage and fraud by selling devices with manipulated key generators that allowed the US and West Germany to decrypt the traffic. This is a very specific allegation by a qualified source, which, in my opinion, would have to be taken very seriously by any signals intelligence agency. We do not know, however, whether this message ever reached the Swiss intelligence services.
The Source & Documents #
According to the Swiss journalist Res Strehle, who had previously written a book about Crypto AG and claims to have access to the primary documents, the source seems to be in the orbit of the BND. This would line up with the on-the-record interview that Germany's former intelligence coordinator, Bernd Schmidbauer, gave to the ZDF, in which he took credit for the operation. It would also explain the underlining in the original source documents displayed in the Washington Post article.
Note: the documents seem to be operational histories of the HUMINT part of the operation. There exists, presumably, an equally large and compelling story about the SIGINT side. Weakening the cipher machines is of no use without access to the actual signals (worldwide?). Hence, what has been reported so far covers only the enabling operation, not the actual collection and use of its product.
Open Questions #
General Questions #
- When was which partner looped into the secret?
- Which countries found out by themselves and used that knowledge to decrypt the traffic of third countries? Did the East German Stasi know? The Soviet Union/Russia? China? France seems to have had an interest dating back to the 1960s. When did they find out about the GER/US operation?
- How does the knowledge of this capability change our assessment of key international events post-1970?
- If this was such a successful operation, the CIA and BND would likely have been interested in replicating it with other suppliers. The Washington Post speaks of the CIA acquiring a second firm and propping up a third. Which other suppliers were targeted? With which was the CIA successful?
Questions for Switzerland #
- Was this operation blessed by Swiss official policy? If so, what did the Swiss get out of it?
- Did Swiss intelligence (independently) know the details since 1977? If so, did they use their knowledge?
- Were the oversight committees briefed on the operation? Did the Federal Council want to know the details about operations?
A path forward #
The operation dates back to the Cold War, when encryption was used in dedicated devices, mostly by governments (i.e. legitimate targets of espionage). Today, encryption is one of the foundations of cybersecurity. Thus, should we demand from intelligence agencies a commitment to strong, open-standard cryptography, including a commitment not to undermine key cryptographic devices? How would we know that such a commitment is credible?
References #
¹ SRF:
https://srf.ch/news/schweiz/geheimdienst-affaere-weltweite-spionage-operation-mit-schweizer-firma-aufgedeckt
https://www.youtube.com/watch?v=VWImO1Qz4Zo
Geofenced, accessible from Switzerland only: https://www.srf.ch/play/tv/rundschau/video/weltweite-spionage-operation-mit-schweizer-firma-aufgedeckt?id=2351eb00-7656-4515-b5f8-615a12083eeb
² ZDF:
https://zdf.de/nachrichten/politik/cryptoleaks-bnd-cia-operation-rubikon-100.html
³ Washington Post:
https://www.washingtonpost.com/graphics/2020/world/national-security/cia-crypto-encryption-machines-espionage/