[Photo: National Security Agency, Ft. Meade, MD via Wikimedia]

The Geostrategic and Historic Implications of Crypto

If you haven’t already, you should read the superb WaPo story on Crypto, the Swiss encryption company that German and US intelligence agencies secretly owned, allowing them to degrade the encryption used by governments all over the world. The story relies on classified CIA and BND histories obtained by the paper and a German partner.

The decades-long arrangement, among the most closely guarded secrets of the Cold War, is laid bare in a classified, comprehensive CIA history of the operation obtained by The Washington Post and ZDF, a German public broadcaster, in a joint reporting project.

[snip]

The Post was able to read all of the documents, but the source of the material insisted that only excerpts be published.

The CIA and the BND declined to comment, though U.S. and German officials did not dispute the authenticity of the documents. The first is a 96-page account of the operation completed in 2004 by the CIA’s Center for the Study of Intelligence, an internal historical branch. The second is an oral history compiled by German intelligence officials in 2008.

From the 1970s until the early 2000s, the company ensured its encryption had weaknesses that knowing intelligence partners — largely the NSA — exploited. CIA retained control of the company until 2018.

The WaPo correctly puts Crypto in a lineage that includes later spying and politicized fights over which corporations run the global telecommunications system. But it curiously suggests that the US “developed an insatiable appetite for global surveillance” from the project, as if that’s a uniquely American hunger.

Even so, the Crypto operation is relevant to modern espionage. Its reach and duration helps to explain how the United States developed an insatiable appetite for global surveillance that was exposed in 2013 by Edward Snowden. There are also echoes of Crypto in the suspicions swirling around modern companies with alleged links to foreign governments, including the Russian anti-virus firm Kaspersky, a texting app tied to the United Arab Emirates and the Chinese telecommunications giant Huawei.

Any nation-state or powerful non-state actor is going to want access to as much information as it can obtain. Russia, the Gulf states, and China, as well as the unmentioned Israel, are no different.

The story is better understood, in my opinion, as a lesson in how the US, Cold War partner Germany, and several key individuals and companies who could be motivated by Cold War ideology accomplished its spying. It absolutely provides important background to current US efforts to prevent rivals from achieving hegemony over communication structures. But if you didn’t know the US is so worried about Huawei’s dominance because it gives China a way to supplant the US spying footprint, you’re not paying attention.

Some particular features:

  • Crypto was a Swiss company. That gave it some plausible deniability.
  • The operation struggled to find cryptologists who were good, but not too good. People who could identify weaknesses in the algorithms Crypto used either had to be fired or bought off.
  • The entire scheme worked off a corruption of market forces. The predecessor to Crypto sold shitty encryption to disfavored countries, but the US made up for the lost profits. Then, as integrated circuits presented a challenge for the business, the US leveraged that to get ongoing cooperation. Then CIA and BND bought out the company via a shell company set up in Liechtenstein. To sustain its customer base, Crypto would smear competitors and bribe customers with gifts and prostitutes.
  • The US leveraged its power in the US-German partnership at the core of the operation, forcing the Germans to sell degraded products to allied governments.
  • The ideology of the Cold War proved a powerful motive for some of the key participants, leading them to work for what ultimately was the CIA for no additional funds.

Those features are worth noting as you consider where this capability moved to as Crypto became less valuable:

  • AT&T and other US backbone providers
  • Silicon Valley companies compelled under Section 702 of FISA
  • Various products supported by CIA’s investment arm, In-Q-Tel
  • SWIFT

702 is the big outlier — in that the US government leveraged existing market dominance and actually didn’t hide what was going on to those who paid attention. But that’s changing. The US government is increasingly demanding that its 702 partners — notably both Apple and Facebook — make choices dictated not by a market interest in security but by their demands.

The WaPo story cites some “successes:” nearly complete visibility on Iran, a critical advantage for the UK in the Falklands war, and visibility on Manuel Noriega as he started to outgrow his client role. One wonders what would have happened if the US or its allies had lost visibility on all those key strategic points.

WaPo focuses its challenge to this spying, however, on what the US had to have known about but overlooked: assassination, ethnic cleansing, and atrocities.

The papers largely avoid more unsettling questions, including what the United States knew — and what it did or didn’t do — about countries that used Crypto machines while engaged in assassination plots, ethnic cleansing campaigns and human rights abuses.

The revelations in the documents may provide reason to revisit whether the United States was in position to intervene in, or at least expose, international atrocities, and whether it opted against doing so at times to preserve its access to valuable streams of intelligence.

Nor do the files deal with obvious ethical dilemmas at the core of the operation: the deception and exploitation of adversaries, allies and hundreds of unwitting Crypto employees. Many traveled the world selling or servicing rigged systems with no clue that they were doing so at risk to their own safety.

I’m actually more interested in the latter case (though, after all, the US was overlooking atrocities in Iran, Panama, and Argentina, in any case).

These atrocities were known in real time, but ideology — largely, the same Cold War ideology that convinced some of the engineers to play along quietly — served to downplay them. The ideology that excuses much of our current spying, terrorism, likewise leads many to excuse Americans and allies overlooking atrocities by our allies (but that, too, is evident without proving they’re reading the SIGINT proving it).

But the solutions to this problem have as much to do with fixing ideology and market forces behind the power structures of the world as they do with protecting the encryption that people around the world can access.

35 replies
  1. Philip Webster says:

    Fascinating account. Additionally Dag Hammarskjold’s apparent murder when his DC-3 was brought down (he was using one of the rigged Crypto boxes) and the founder’s son’s (Bo) death was suspicious as well even with his father seeming to know about it: “let the CIA take care of it”.
    https://undocs.org/A/70/132 UN report with “probative values” given…am only about 1/2 way through it.
    Amazing shitfuckery…to mimic some great Australian videos:
    https://www.youtube.com/channel/UCKRw8GAAtm27q4R3Q0kst_g

    • Ludwig De Braeckeleer says:

      Very true. A decade ago, I argued that Crypto AG had rigged the equipment used by diplomats around the world allowing US Intelligence Agencies to decode in real-time their messages. It was obvious. Why did it take so long to MSM to catch up? Why now?

      Here is a recent post regarding the suspicious death of Boris ‘Bo’ Hagelin Junior.
      Crypto AG — Was Boris Hagelin Jr. Murdered by the CIA?
      https://gosint.wordpress.com/2020/02/15/crypto-ag-was-boris-hagelin-jr-murdered-by-the-cia/

      Regards, L
      PS: Did you notice that the WP completely ignores the story of the CX-52 sold to the UN? And yet, the story is in the report seen by the WP and ZDF… It is of course crucial to the ongoing UN investigation Re Hammarskjold.

  2. earlofhuntingdon says:

    The appetite for global surveillance Shirley predates this project. This project would be an expression of it, not its cause.

    The WaPo should know that, which suggests it is trying to avoid a broader discussion. A flip side of surveillance is manipulation of those surveilled through their media. The CIA once bragged that it could do that as easily as playing a giant Wurlitzer organ.

    • JAFive says:

      I don’t think that’s right. According to the WaPo story, the Crypto operation started up right after WWII. That’s the era when the US started to display an interest in global surveillance.

      I think we can state with a fair degree of confidence that, as of 1929, with the closing of the Cipher Bureau (“gentlemen do not read each other’s mail”) the U.S. government was not displaying any such appetite. Up to WWII, code breaking was a sporadic, targeted activity. That’s not to say that the Crypto operation caused the change but it basically coincided with it.

      Certainly, it will take time to revise our historiography in view of these developments. As a working hypothesis, though, it seems completely plausible that this operation *was* a causal factor in shifting attitudes.

      Intuitively, the logic checks out. It did not make sense in the 1950s to divert substantial resources from breaking the Soviet and Chinese codes towards efforts directed at minor players. From the reporting, this created an opportunity to go after most of the world at low marginal cost. If the Vatican had developed its own code, would anyone have thought it was a good idea to divert resources to break it that could have been used against the Eastern bloc? I doubt it.

      I also completely buy, as a working hypothesis, the “addiction” angle in the WaPo story. Yes everyone wants information, but we know that the US puts unusual weight on SIGINT. It’s eminently plausible that the substantial low hanging SIGINT fruit opened up by this initiative explains that tendency perhaps in conjunction with the existing narrative about resources and comparative advantage. And once you put all your eggs in the SIGINT basket, you stop taking the risks to develop human sources and so forth that would be more typical of others’ espionage efforts.

    • earlofhuntingdon says:

      The interest in cryptography remained hot after its explosion during WWII. Bletchley Park, Turing, Enigma, American code-breaking, the advent of computers, and so on. WWII efforts established that code-breaking was possible and practical.

      After the war, technology improved greatly and rapidly, thanks in part to the USG’s massive post-war funding of STE. Electronics were developed and their use exploded. Undersea cables, then satellites multiplied access to information, as did the explosion in the use of computers and data storage devices.

      The Russians were a prime target during the war and remained so afterwards. Then the Chinese and Koreans. Western Europe was always a focus, as was Latin America. De-colonizing Africa became one later.

      Interest in South Asia, Indochina, and the Pacific (eg, Indonesia) was more idiosyncratic. It became more programmatic when the US assumed France’s role in Indochina and the Brits receded from East Asia. In many of these countries, sigint remained less useful than humint for decades.

      The CIA, starting in 1947, was fundamentally a humint-focused organization. The NSA was not organized until 1952. The CIA’s early efforts against the Russians were costly and ineffective. Human assets were quickly rounded up and disposed of.

      It had no effective assets in China or North Korea, fewer in de-colonializing Africa. Western Europe and Latin America were easier to penetrate with humint, and only WE had substantial sigint traffic.

      Sigint resources, notably at several bases on Airstrip One, in Australia, and Japan became substitutes for ineffective humint ops. As technology improved and attempts at humint remained problematic, sigint’s relative importance grew.

      Resources initially followed need. But as you say, bureaucracies need to justify their existence and their budgets. There’s also a build it and they will come mentality in security and defense work as much as in baseball. All of which convinces me that the appetite for intelligence preceded its gathering. Sigint’s prominence came later.

      • JAFive says:

        There’s no doubt that there was a large “appetite” during WWII to scoop up information on the Axis and the Soviets. But there’s always the appetite during wartime or with respect to likely adversaries. There was quite a bit of activity during WWI which basically died out over the next decade.

        Given the successes during WW2 and the geopolitical context, I think that it’s very clear that the United States was going to target the Soviets, that there was an “appetite” for anything that could be useful in that context, and so on. But was there really an existing and substantial appetite for intercepting and decrypting the communications of friendly countries?

        I’m not claiming that all of this immediately rewrites our understanding but resources were, as always, scarce. Crypto made it easy to go after friendly countries and minor international actors. It’s just hard to imagine that the cost-benefit analysis would have justified devoting substantial resources to breaking the codes for Ireland or Uruguay or the Vatican or whoever but if all of that falls into your lap at minimal marginal cost, then why not take it? And once you’re getting it, you come to depend on it.

        I’m not claiming to know the answer and I think it will take a while for the history to be written, but what’s the appetite in 1950 for material on basically friendly minor powers? And even for the cases where there’s clearly some level of interest, what was the realistic willingness to pay? They were hardly bothering to send diplomats or spies to many of these places. The diplomatics list for 1951 includes just seven accredited to Jordan (who knows maybe one of them was a spy but I doubt it). Are you really bothering to spy on a country like that unless it’s basically free? I doubt it.

        I approach this as someone who’s always been puzzled by the way US intelligence unfolded in the early Cold War, so I’m probably predisposed to take something “new” as an answer. Nonetheless, I think the WaPo hypothesis that this changed the course of events through a shift in the cost-benefit calculus followed by path dependence is quite plausible.

        • earlofhuntingdon says:

          “[W]as there really an existing and substantial appetite for intercepting and decrypting the communications of friendly countries?”

          The CIA was very active in assuring that the left was unable to take power or hold onto it, for example, in France, Italy, Greece, the UK, Australia, Germany. So, yes, there was.

        • earlofhuntingdon says:

          Japan, too, of course, South Korea, Indonesia, the Philippines, all of the Caribbean, and Central and South America, Egypt, South Asia.

        • JAFive says:

          Sure, there was a global dimension to the Cold War and a lot of interest in the domestic politics of any number of friendly countries. How much help is reading the diplomatic correspondence of those governments for containing left wing movements though?

          My point isn’t that there was no interest in any of this. If information is free, you’ll take a lot of it. My point is on the cost-benefit frontier. Is it worth it to break the Italian codes if it’s going to require massive resources that could instead go towards the Soviet target? Bring the price low enough and there’s demand on pretty much any demand curve.

          So, if you get a breakthrough that massively reduces the cost of reading other countries’ encrypted communications, you’re going to read a lot more encrypted communications. And then you’re going to stop being able to imagine a world where you can’t depend on them, and you’re going to lean on that capability instead of building other ones and the future looks different than it was expensive initially.

          No way to test this, of course, but I imagine that if you had walked into Henry Stimson’s office in 1945 and told him he could read all the Irish diplomatic traffic for the cost of the change in his pocket, he’d have said no just like he did in 1929 and the same goes for the others. What would they have wanted that for? You just didn’t have the same intelligence orientation then.

        • earlofhuntingdon says:

          Your preferred era seems to be between WWI and WWII. The developments discussed here are post-WWII.

          Expectations changed considerably. That was owing to many factors: the never again refrain concerning the Holocaust; the unceasing growth in DoD budgets; its reach within the wider society; and the difficulty of creating and maintaining human sources in cultures vastly different than the US, Britain, France, or Germany.

          Most of all, the Manhattan Project changed expectations about the scope of resources government could command when it declared its existence on the line.

          Not least, it began the era of the security clearance. It was bolstered by the whoopie that came from large spending in a congressional district, which the DoD turned into a manipulative art form.

        • earlofhuntingdon says:

          More specifically, the “global dimension” was the heart of the Cold War, not an aspect of it.

          Sigint would not have been limited to “reading diplomatic cables.” For example, all of Western Union’s international traffic was included.

          To your other point, sigint collection is massively expensive. Think of the cost of designing, building, testing, launching, and maintaining a single satellite.

          Sending SEALs down to tap underwater cables, as was done in the 1950s to the 1970s, involved training and equipping them, surveying cable routes, tasking a submarine to deliver them to the chosen sites, developing and using the tapping equipment, and the costs when things went belly up.

          Until relatively recently, data storage costs were high, too, as were the costs of the machinery intended to access it rapidly.

          To your point about the disutility of breaking the Italian codes, the whole framework of the Cold War – and the rationale for its massive cost – was that a Soviet or fellow traveler lay under every rock, bed, and crevice. Otherwise, who would care about Indonesian commies or Cuban cigars – except perhaps the Western companies that sought to monopolize the resources of those countries for themselves.

        • earlofhuntingdon says:

          “The diplomatics list for 1951 includes just seven accredited to Jordan (who knows maybe one of them was a spy but I doubt it).”

          Why would you doubt it? The Brits did a lot for a while with one man in parts of the Middle East. The 1953 coup in Iran was managed on a shoestring, with very few players.

          One should also consider sharing and cooperation agreements (notably with Israel), project specific intrusions, and the use of unacknowledged, non-official cover agents.

          Owing to de-colonization, large discoveries of oil, and the dependence of world shipping on access to Suez, the CIA’s coverage in the ME expanded.

          There was also the US’s interest in keeping the Ruskies from sponsoring or building pipelines to the Med. Same goes with the US interest in preventing them from providing material financial and other aid. The US was well aware of how much control could follow from such assistance.

          In short, containing Russia globally was a frequent rationale for intense US intervention across the globe.

  3. earlofhuntingdon says:

    The “papers” put the CIA in a curiously passive role: it collects data, then has an ethical dilemma about what to do when it sees nefarious things about to happen.

    That framing fits neatly into the myth of America as a beneficent force, a good faith actor in foreign affairs. A fixed ideology, perhaps, or how else to shave in the morning? As it happens, the CIA was often very much involved in those nefarious goings on from the get go.

  4. Philip Webster says:

    Yes, and the Germans were our partners until we screwed them too.

    It’s a wonderful life what with all the shitfuckery going on with Barr and the DOJ.

    Cannot believe it. Believe it.

    When someone is honestly 55% right, that’s good and there is no use wrangling. And if someone is 60% right, it’s wonderful, it’s great luck and let him thank God. But what’s to be said about 75% right? Wise people say this is suspicious. Well, and what about 100% right? Whoever says he’s 100% right is a fanatic, a thug, and the worst kind of rascal. saith An Old Jew from Galicia

    (From the front page of The Captive Mind by Czeslaw Milosz)

    • earlofhuntingdon says:

      German police and security services in the early period of this project had their share of former Nazis. I wonder how that affects the character of their cooperation with the Americans.

      • Philip Webster says:

        Maybe had something to do with it but whatever those alleged Nazis did did not stop them from getting fuked over by the good old USA.

        Or, from that perspective: what does it say about the Americans?

        • earlofhuntingdon says:

          Paperclip would suggest the US was happy to work with them, for their skills and their historical anti-Russian vehemence.

  5. P J Evans says:

    I remember, when taking a course in cryptanalysis in college (an elective in CS), wondering if the DES algorithm had a weakness known to the three-letter agencies that were pushing it. It didn’t make sense for them to be encouraging the use of something that they couldn’t break.

    • Subtropolis says:

      Thank you! I’d thought I was losing my mind when I saw this story. I was certain that the Crypto AG scheme had come out some 5-10 years ago.

      Obviously, there is much more information now. But the basic facts — I couldn’t believe that this was just some déjà vu thing.

  6. Hika says:

    I’m not sure anyone should be at all surprised by the Crypto story. Very much in the “of course they would” category. Mildly interesting that West Germany were the partners in this.
    The curious thing to me is the convenient timing of this “leak” as it provides a reminder about the dangers of having spies messing about in your communications infrastructure. The UK has just decided to allow Huawei to provide some of its 5G infrastructure. Some American companies were miffed to miss out, but they weren’t ready to get the work done anywhere near as soon as Huawei. Of course the Brits know the Chinese will put spyware into the back end of the system. The game will be to find it and find how it works and then spy on the Chinese spying on the UK, and to the extent possible stop them finding out stuff they shouldn’t know and feed them stuff that just ain’t so. Regardless of the new tech involved, the game remains the same.
    The problem with having this sort of thing is that you end up with everyone being an ersatz Cassandra, knowing all the impending horrors of the world and, rather than being unable to warn others, being unwilling to warn others because they prefer to feel the importance of knowing what is going on than to take meaningful action to better people’s lives. A more generous interpretation might be to consider that they want to protect sources and methods because whatever the current impending horror, the next one might be worse and we’ll want to know about it then, so we’ll sit on our hands this time. That raises the question of just how big and bad a thing needs to be for security services to decide that sources/methods must be sacrificed because the current horror is too much to bear.

    • earlofhuntingdon says:

      Cynicism is a tool to understand a harsh world, not a reason to stop trying to understand it.

      As you say, collecting information can become the purpose, rather than a tool for doing something. John le Carre observes a similar dynamic in investigations of money laundering and organized crime, which make governments go round as well as mobsters.

      Endless data collection – tracking who is going up the ladder and who down – becomes the goal, rather than stopping someone from doing what they’re doing. Intervening upsets too many applecarts.

      • BobCon says:

        I’m curious how much of the Bush torture program was driven by institutional pressures to collect standard information, rather than any alleged need to stop imminent threats

        Groups like Al Qaeda and the Taliban were obviously not going to have as much data to hoover up electronically, and I wonder how much the US intelligence apparatus tried to compensate by using torture to fill in gaps in things like organization charts — despite the fact that these things were irrelevant when it came to a loose network of Sunni clans in Iraq.

      • earlofhuntingdon says:

        My view at the time was that Dick Cheney – whom one could charitably describe as following the daily toil of government more closely than GW – wanted to take the gloves off and demonstrate that his government could be as cruel and vicious as any in the world, so don’t fuck with it. I suspect that a few of his followers enjoyed the feeling of payback.

        I don’t think reliable intel gathering was ever as important as they made out. Under torture, we will all say WTF we think our tormentors want to hear. It doesn’t make the information reliable or come in a form that makes it actionable.

        • Hika says:

          Yep. The point of torture is torture.
          It may give you whatever the h3ll information you want to hear, but you could just as easily write up what it was you wanted and say you got it from an informant and just skip the depraved cruelty shtick, but of course then you disappoint those on your team who like the depraved cruelty.

  7. earlofhuntingdon says:

    Trump has found a new slogan, borrowed from Jair Bolsonaro’s beef with the Pope. Pope Francis chided his government for abusing the Amazon instead of protecting it. Bolsonaro responded, rejecting the Pope’s priorities: “The pope may be Argentine, but God is Brazilian.”

    Trump’s version substitutes Trump for Brazilian.

  8. TomA says:

    As a practical matter, EC privacy became extinct nearly two decades ago and that genie is not going back into the lamp. The investment, infrastructure, personnel, and bureaucracies are too numerous, entrenched, and incorporated into too many other downstream activities for this to ever be reined in or mitigated in any meaningful way. Pretending that new laws or procedures will cure abuses is just a distraction to mask ongoing surveillance and only serves to create further disillusionment. The only effective solution to this problem is to begin teaching others about this reality and thereby create a market for new products which offer real defenses against unrestrained privacy intrusion and exploitation.

  9. Janson says:

    Small detail, but Crypto was a Swedish company hiding from taxes in Switzerland. And when Crypto needed a new chief scientist/CIA sympathizer, a new Swede was brought in 30 years later. While Sweden is not a most friendly rated country (nationals don’t easily get sensitive US jobs like say Polish or Lithuanians) Sweden and Swedes often seemed tangled up in CIA plots (and then called Swiss).

  10. thomasa says:

    “Of course the Brits know the Chinese will put spyware into the back end of the system. The game will be to find it and find how it works and then spy on the Chinese spying on the UK, and to the extent possible stop them finding out stuff they shouldn’t know and feed them stuff that just ain’t so.”

    Good luck with that. Reverse engineering old-time algorithmic software is frustrating, time consuming and difficult, as in chasing down endless numbers of variables with no documentation. Doing the same with object-oriented software, that has been used for the past 20 years, it runs into mathematical limits. It gets to be a statistical game, i.e., what are the odds of a particular subset of all possible objects being used. When asked to design an automated test system for O.O. that would test every instantiation of all possible objects I ran the numbers on my calculator only to discover that it doesn’t go that high. Ah, but hopefully there are some known combinations of objects to look out for. As I say, good luck.

  11. Philip Webster says:

    Just stumbled on this for those interested in a start date:
    July 1916
    Legacy
    The Black Tom explosion resulted in the establishment of domestic intelligence agencies for the United States.[43] The then Police Commissioner of New York, Arthur Woods, argued, “The lessons to America are clear as day. We must not again be caught napping with no adequate national intelligence organization. The several federal bureaus should be welded into one and that one should be eternally and comprehensively vigilant.” [44]
