The Central Intelligence Agency (CIA) and National Security Agency (NSA) spied on allies and enemies alike through a company they owned that made cryptography equipment, according to an explosive new report from the Washington Post and Germany’s ZDF news outlet.
The Swiss-based company, Crypto AG, which was founded in the 1940s as an independent firm during World War II, struck a shady deal with the CIA in 1951, subsequently became owned by the CIA in the 1970s, and was disbanded in 2018. And many former employees of the company, most of whom apparently had no idea that Crypto AG was secretly controlled by the CIA, are not happy with the revelation.
The Washington Post and ZDF learned about the program, codenamed both Rubicon and Thesaurus at various times, through a 2004 secret CIA history document produced by the agency itself and a 2008 oral history by German intelligence. But the news outlets never tell readers how they obtained these tightly guarded documents.
The CIA and NSA controlled Crypto AG jointly with Western Germany’s intelligence agency during the first Cold War.
“It was the intelligence coup of the century,” the CIA report reads, according to the Washington Post. “Foreign governments were paying good money to the U.S. and West Germany for the privilege of having their most secret communications read by at least two (and possibly as many as five or six) foreign countries.”
The “five or six foreign countries” likely refers to the Five Eyes intelligence-sharing agreement between the U.S., UK, Canada, Australia, and New Zealand, with the sixth country being Germany.
The spying program was wildly successful and accounted for roughly 40 percent of all intel interceptions of foreign governments by U.S. intelligence in the 1980s and a whopping 90 percent for West German intelligence (BND), according to a screenshot of the CIA history published by the Post.
The Americans eventually bought out the Germans, who left the spying arrangement in the early 1990s, to take sole ownership of Crypto AG, sometimes referred to by its company codename Minerva.
How did the cryptography technology work to deceive foreign governments? Crypto AG’s machines were made to look like they were producing randomly generated characters to encode messages, but they were anything but random. The NSA didn’t install backdoors, it just made the encryption weak enough that the agency could crack the messages.
The Soviet Union and China never purchased Crypto AG’s technology, but at least 62 other countries like Japan, Mexico, Egypt, South Korea, Iran, Saudi Arabia, Italy, Argentina, Indonesia, and Libya, all reportedly used the encryption devices and had their most sensitive government communications intercepted and deciphered by the CIA for over half a century. As just one example in the Post’s story, the Carter administration was spying on Egypt’s president Anwar Sadat during the Camp David Accords.
This, of course, leads to some uncomfortable questions about times when U.S. intelligence agencies may have learned about horrific human rights abuses and did nothing to stop them. Or, in the case of Central and South America, times when the CIA may have actively helped perpetrate crimes against humanity while learning about different plots around the world.
From the Washington Post:
The papers largely avoid more unsettling questions, including what the United States knew — and what it did or didn’t do — about countries that used Crypto machines while engaged in assassination plots, ethnic cleansing campaigns and human rights abuses.
The revelations in the documents may provide reason to revisit whether the United States was in position to intervene in, or at least expose, international atrocities, and whether it opted against doing so at times to preserve its access to valuable streams of intelligence.
The Washington Post even mentions an incident in 1977 when an engineer at Crypto AG, identified as Peter Frutiger, fixed the vulnerabilities of the company’s technology that it sold to Syria, leading the CIA to complain that they could no longer decode messages coming from Damascus. The engineer was quickly fired.
By the 1980s, some countries were becoming suspicious that their encryption devices were compromised, but the CIA devised a plan to fix all that. The agency recruited a highly respected academic, Kjell-Ove Widman of Sweden, to become a top adviser to the company who was dispatched anytime a country was ready to ditch Crypto AG. After Argentina became suspicious that their technology had been hacked during the Falklands War, Widman swooped in and insisted that their machines were “unbreakable.” In reality, U.S. intelligence was decoding Argentina’s messages without any problem and feeding them to British intelligence.
The new report is truly incredible and will obviously open up a lot more doors for historians about the role of organizations like the CIA and NSA in hundreds of events, both big and small, that took place during the late 20th and early 21st century.
And the report should also be an eye-opener for people in the encryption community who say that today’s tools like Signal and Tor are secure. Crypto-defenders insist that it doesn’t matter if something like Tor received money from the U.S. military, the math of the programs keeps everyone’s communications secure. But with a bombshell like today’s report, it’s hard to argue that any communications are completely safe.
You can read the full report over at the Washington Post. It’s definitely worth your time if you have any interest at all in the Cold War, espionage, or the history of cryptography.