News analysis

How a Swiss firm played its part in a global spy game

For years, the US and Germany used Crypto project to eavesdrop on foreign governments

It's a story right out of a James Bond movie script, only it happens to be true. Over many decades, a Swiss company supplied the world with encryption machines, allowing governments and corporations to communicate securely.

The company, which traded under the Crypto brand name, was a leader in its field. Its products were used by no fewer than 120 governments, including those of India, Pakistan, Malaysia and Japan.

Only, Crypto was not a regular company: It was secretly owned by the United States' Central Intelligence Agency (CIA) and by Germany's Federal Intelligence Agency, BDN.

According to a classified history of the operation by the CIA, the machines it produced had a "backdoor" flaw, a vulnerability which allowed the CIA and BDN to crack the codes which foreign governments used once they bought the machines.

One of the modern world's most amazing intelligence coups, the operation, now over, also holds some important lessons for today's telecommunications market.

First, it's worth noting that the Crypto project - code-named "Thesaurus" and later "Rubicon" - did not start as a spying ruse. Instead, it was a US attempt to prevent sophisticated encryption technology from falling into the hands of rivals.

Mr Boris Hagelin, Crypto's founder, was a resourceful Swedish entrepreneur who supplied communication machinery to the US Army during World War II.

After the war, the Americans struck a bargain with him: He was to supply truly "safe" encryption machines to the handful of governments which the US considered trustworthy, and "doctored" machines to the rest.

True, Washington's ultimate intention was to retain its global eavesdropping capability. But the impetus for the operation was initially defensive - to prevent leading technology from falling into the hands of rivals.

Why did the security agencies of so many governments around the world - agencies that are paid to detect foreign spying schemes and are always suspicious of foreigners - entrust their secret communications to machines manufactured by a relatively obscure Swiss private company?

Because they viewed the machines merely as platforms.

They believed the key to secret communication was the encryption method and its code, which each government devised for itself, in the same way that many governments and corporations today believe computers or phone equipment are just office commodities of no significance, on which one builds the specific software and security protocols they need.

Crypto machines were also sold to all Asean countries, except Singapore, Cambodia and Laos.

What many governments did not appreciate was that knowledge of how the encryption machine works, coupled with backdoor flaws deliberately inserted, meant that their communication ciphers could be cracked, regardless of how sophisticated they may have been.

Commercial dominance in this sector also worked in Crypto's favour: Its products were so widespread that, even if doubts started creeping in about their reliability, bureaucratic inertia and the costs involved in replacing them usually made it difficult to ditch the devices.

When then US President Ronald Reagan claimed during the mid-1980s to have information which "is direct, it is precise, it is irrefutable" that Libyan security agents were behind the killing of American soldiers in the bombing of a discotheque, Iran's intelligence agencies began to suspect that their communication systems, installed by the same Swiss company that supplied Libya's machines, were compromised. But it took the Iranians six more years before they finally retired their Swiss products.

None of this suggests that the Americans could see and read everything. Many governments run a number of communication systems in parallel, so it's possible that Crypto's machines were not used for the most secret messages of foreign governments.

The Soviet Union and its European allies as well as China never bought Crypto's products, so their communications had to be cracked differently. At least 10 different US-friendly governments knew about the operation and were immune to the penetration.

Technological advances ultimately eliminated Crypto's usefulness, and the original enterprise was formally wound up a few years ago. The Swiss government has ordered an investigation.

Join ST's Telegram channel and get the latest breaking news delivered to you.

A version of this article appeared in the print edition of The Sunday Times on February 16, 2020, with the headline How a Swiss firm played its part in a global spy game. Subscribe