author photo
By Bruce Sussman
Wed | Feb 19, 2020 | 7:52 AM PST

America's cyber adversaries are having a field day right now, calling the United States hypocritical on cybersecurity.

This comes in the week following a cyber intelligence bombshell about Crypto AG, which was the world's leading cryptography company for decades, helping governments around the globe encrypt their communications.

Now we know that the Swiss company was owned by German intelligence and the U.S. CIA

China's state-run Xinhua News: U.S. is 'Empire of Hackers'

One of China's state-run publications recapped a long list of cyber sins linked to the United States, and featured a statement from Chinese Foreign Minister Geng Shuang. Here's an excerpt:

"It is a tawdry trick that the United States, on the one hand, has been collecting nearly 5 billion mobile phone call records across the globe every day, spying over German Chancellor Angela Merkel's cell phone for more than 10 years, controlling more than 3 million computers in China every year, and implanting Trojan Horse in more than 3,600 websites in China, and on the other hand, enjoys playing victim of cyber attack, just like a thief crying 'stop thief,'" said Geng.

The U.S. hypocrisy on the issue of cybersecurity could not be clearer, the spokesman said, stressing that the U.S. has no honor and credibility to speak of in front of other countries.

"Facts have proven once again that as the largest state actor of spying in cyberspace, the U.S. is worthy of the name of the ’empire of hackers.' The sky is the limit with the U.S. when it comes to spying," said Geng.

Russia Today: U.S. no longer credible on Huawei threat

And Russia's government-backed Russia Today (RT) also couldn't wait to cite the Crypto AG case as an example of American hypocrisy.

In an op-ed, RT brought up the Huawei ban, the Kaspersky ban, and more: 

"Not only should the Crypto revelations make us more aware of the CIA's very wide reach, they should also make us see the American objections to the involvement of firms from China and Russia with developing telecommunications infrastructure and new technology in a completely different light.

The Russian anti-virus firm Kaspersky, has seen its software banned from use on US government networks, while the Chinese giant Huawei has been hit with sanctions—and warnings given to other countries about letting it build their 5G networks.

Taking the moral high ground (as always), US officials have said that Huawei could covertly access mobile-phone networks through 'back doors.'

OMG! You mean like the US did with Crypto?

What seems to be the objection here is that China might end up doing what the US has been doing for years, namely spying on countries through 'back doors.' How dare they! The hypocrisy as I'm sure you'll agree is off the  scale."

It's worth noting that RT and Xinhua News both serve up a regular helping of articles and posts criticizing the United States on all kinds of issues.

U.S. military leader reacts to Crypto CIA ownership 

Meanwhile, in the United States, the idea that the CIA secretly owned a legitimate business and leveraged its capabilities is seen as evidence that the U.S. could be right to suspect some non-U.S. companies of spying.

"In recent years, we've spent some time questioning whether companies like Russia-based Kaspersky and China-based Huawei have ties to those countries' intelligence services.

 Given reports such as this one [Crypto AG], it's not illogical to assume that many countries are leveraging commercial companies with the same purpose in mind—to gather as much sensitive intelligence as possible without compromising the commercial viability of those companies.  

In fact, using such global companies as a front for intelligence collection activities would be a spymaster's dream come true."

That is CNN Military Analyst Col. Cedric Leighton (USAF, Ret.), who is also a keynote speaker at SecureWorld cybersecurity conferences.

Here is more of Col. Leighton's reaction to the CIA's ownership of Crytpo AG, in his own words:

"The story on Crypto AG is a great one by The Washington Post and ZDF German TV.  So, for me this brings out some conflicting thought currents.

Starting in the 1980s, I became part of the greater NSA community and most certainly (assuming the reporting is accurate) benefited from the CIA - Crypto AG connection. It wouldn't surprise me if some of the juiciest intelligence I saw during this period was sourced through this arrangement.  

In order to understand the background for such an intelligence move, we have to remember the world as it was during the late 1940s and 50s. We had just gone through World War II and the Cold War was upon us. The U.S. and its allies had to deal with such things as the Berlin Airlift and North Korea's invasion of South Korea, as well as the Soviet Union's development of their own nuclear weapons and space capabilities.

So, from an intelligence perspective, the relationship between the CIA and the BND [Bundesnachrichtendienst, German intelligence agency] on the one side and Crypto AG on the other was a godsend. In essence, it was necessary for our 'gentlemen' to be able to read 'other gentlemen's' mail. It gave the U.S. and key allies the ability to know what was happening in the highest councils of both friendly and unfriendly governments.  

That's what intelligence agencies do, and, much of the time, they're really not that successful at it. What is also striking is that this arrangement would never have happened were it not for the great personal relationship between two pioneers in the field of cryptography, William Friedman and Boris Hagelin.

Secrecy is a necessary component to intelligence arrangements—especially to such sensitive ones. Certainly from the U.S. perspective and, to a lesser extent, from the West German perspective, getting this 'front row seat' to watch another government's internal deliberations helped to get a much clearer intelligence picture than would have otherwise been possible.  

While Crypto AG's customers would clearly have felt betrayed, the U.S. and West German decision makers were willing to make that trade-off because the value of the intelligence from Operation Thesaurus, later Operation Rubicon, was truly great.

I view Operation Rubicon as an early effort to achieve competence in signals intelligence (SIGINT). Today, an analogous operation would be an example of competence in the development of a passive offensive cyber capability. But, for those whose communications were being exploited, it would be the exact opposite—an example of cyber incompetence for failing to detect such an exploit.  

A good evolving cyber strategy has to take both the offensive and the defensive aspects of cyber into account. But even back in the 1940s and 50s, the pioneer cryptanalysts who conceived both the business arrangement and the intelligence arrangement knew that the collection and exploitation of data and intelligence information dramatically enhanced the U.S.'s ability to project its national power.

Even back then, control and manipulation of data were essential elements of national power. That fact has become even more relevant today."

[RELATED: Listen to our podcast episode, Top Nation-State Cyber Threats to the United States]

Comments