By Bruce Sussman
Tue | Feb 11, 2020 | 11:29 AM PST

A Washington Post investigation revealed a cryptography bombshell this week.

The CIA and West German intelligence owned a world-renowned encryption company and were able to read secret communications of its customers for decades.

The Washington Post acquired a complete first-hand account of the CIA project, which was carried out with German intelligence.

According to the article:

"The company, Crypto AG, got its first break with a contract to build code-making machines for U.S. troops during World War II. Flush with cash, it became a dominant maker of encryption devices for decades, navigating waves of technology from mechanical gears to electronic circuits and, finally, silicon chips and software.

The Swiss firm made millions of dollars selling equipment to more than 120 countries well into the 21st century. Its clients included Iran, military juntas in Latin America, nuclear rivals India and Pakistan, and even the Vatican.

But what none of its customers ever knew was that Crypto AG was secretly owned by the CIA in a highly classified partnership with West German intelligence. These spy agencies rigged the company's devices so they could easily break the codes that countries used to send encrypted messages."

And The Washington Post also quotes directly from the CIA and German intelligence reports it acquired:

"It was the intelligence coup of the century," the CIA report concludes. "Foreign governments were paying good money to the U.S. and West Germany for the privilege of having their most secret communications read by at least two (and possibly as many as five or six) foreign countries."

According to the report, intelligence agencies wrote about the success of this operation as recently as 2008.

Amazingly, most of the employees interviewed for the story say they had no idea that spy agencies owned the company.

The CIA's cryptography company: what is the fallout?

For U.S. and German interests, it was a brilliant move: own Crypto AG and the technology that makes things secret. Then you know how to unlock it all.

CNN military analyst Col. Cedric Leighton (USAF, Ret.) tells SecureWorld his work was probably more effective because of this CIA operation:

"Starting in the 1980s, I became part of the greater NSA community and most certainly, assuming the reporting is accurate, benefited from the CIA and Crypto AG connection. It wouldn't surprise me if some of the juiciest intelligence I saw during this period was sourced through this arrangement."  

However, the operation also reveals how far any government might go when it stands to benefit. And this makes you wonder about other organizations.

Consider Kaspersky Lab, which the U.S. accused of being in bed with the Russian government and banned from government networks. Was it possibly acting like Crypto AG and a puppet of the Kremlin? 

See "Kaspersky's Tweets After NSA Hacking Allegations" and "Now the EU Has Banned Kaspersky Products" for more.

And then there is Chinese telecom giant Huawei. Huawei USA Chief Security Officer Andy Purdy told SecureWorld in an interview that trust is tough to come by in this day and age.

"One frustrating thing is sometimes people hear that I'm a defender of Huawei and they have a tendency not to listen to what I'm actually saying. I would suggest I'm not a defender of Huawei. People say, well, do you trust China? And do you just trust Huawei? I don't trust anybody," Purdy says.

Is Huawei acting like Crypto AG? Perhaps it is a Chinese government puppet. We just don't know.

However, Col. Leighton says the CIA and Crypto AG setup may shed light on what is continuing to happen:

"Given reports such as this one, it's not illogical to assume that many countries are leveraging commercial companies with the same purpose in mind: to gather as much sensitive intelligence as possible without compromising the commercial viability of those companies.

In fact, using such global companies as a front for intelligence collection activities would be a spymaster's dream come true."

Is the CIA's Crypto AG still in business?

Crypto AG's assets were sold off in 2018 as the use of encryption machines was overwhelmingly replaced by digital encryption. The liquidation took place in Liechtenstein, known for a veil of secrecy around finance similar to Switzerland or the Cayman Islands.

One of the companies that acquired Crypto AG's assets is cybersecurity vendor CyOne, which lists "Cipher Security" among its offerings:

"Sensitive information securely on the way on the net: We encrypt with the highest cryptographic competence and unique security architecture."

Crypto AG's corporate headquarters was in Switzerland, and now the Swiss government says it will investigate.

Swiss broadcaster SRF put it like this:

"Should it come out that the Swiss intelligence service itself has been eavesdropping on other countries through the back doors of the Americans and Germans for decades—that would of course be fatal to Switzerland's reputation as a mediator of 'good services.' At the moment this is not up for discussion. It is now a question of whether the Federal Council knew that its intelligence agency had granted the Americans and the Germans behind Crypto AG. If that were the case, it would also be a bad scratch for Switzerland's reputation."

Which assets of Crypto AG did CyOne acquire? SecureWorld has reached out to CyOne for comment.

There is more to come on this story, we're sure.

And it's going to be a hot topic of discussion during networking breaks at our SecureWorld conferences across North America.