A Snapshot Analysis of the Crypto AG revelations

A Snapshot Analysis of the Crypto AG revelations
Photo by freestocks on Unsplash

A Snapshot Analysis of the Crypto AG revelations

By Dr Robert S. Dewar, Head of Cyber Security at the GCSP and Michelle Torlen, Stockholm University

The world is currently gripped by a global pandemic, a reminder that no matter how digital technology develops, nature will always be a greater force. However, our everyday lives must continue. We must try to keep calm and carry on with our work in whatever way we can.

Swiss news media is now rightly focused on the spread of coronavirus. However, the revelations in the Washington Post and from the German public broadcaster ZDF about the Swiss cyber security firm, Crypto AG, represent one of the most significant socio-technical stories of recent months.

We must always be wary of basing policy analysis purely on news reports. No doubt in the future more scholarly investigations will examine the wider impact of the reported events when more information is revealed. We can provide a steppingstone for that analysis here.

There are three levels to the reports’ allegations. First, according to these reports, the US and German intelligence services have secretly accessed other states’ encrypted communications for decades. This was achieved through the US Central Intelligence Agency’s (CIA) covert ownership of Crypto AG in a classified partnership with the German Federal Intelligence Service (BND). It has been alleged that software engineers at Crypto AG, originally founded by Swedish national Boris Hagelin, deliberately inserted flaws into its encryption software to allow them access to systems where the software was installed.

Second, while the insertion of backdoors into a private corporation’s products is revelatory, the reports further claim that the CIA and BND managed almost every aspect of the firm’s commercial activity – including designing the technology, amending its proprietary algorithms and developing sales targets. Operating as a private-sector commercial entity, Crypto AG was also able to make millions of dollars throughout this process by selling its devices to more than 120 countries. Through an ingenious system of shells and “bearer” shares that required no names in the documents, the true owners of Crypto AG have remained hidden for decades. This hidden ownership and extensive involvement in the company’s operations allowed the CIA and the BND to eavesdrop on the communications of soldiers, spies and diplomats from multiple countries.

Third, Crypto AG also allegedly sold correctly functioning encryption tools to states allied with the US and Germany, while ensuring that corrupted devices – those enabling covert surveillance – were distributed to states of special interest.  

What is concerning is the fact that a private company in one country was able to operate globally while being owned and operated by the intelligence services of another. There are numerous discussions at the highest levels of international diplomacy about the reliance on digital connectivity, with that connectivity in turn being dependent on an infrastructure that is – in the main – owned and operated by the private sector. There are calls for private-sector entities providing digital services to be held more accountable for their actions. The Crypto AG revelations have turned this argument on its head. This is a situation where a private company was controlled and owned by state actors and used as a tool for espionage.

Furthermore, as exemplified by the political discussions around Huawei, there is currently a vigorous ongoing debate about the merits of using private companies to build and deploy parts of critical national information infrastructure, such as 5G networks, amid concerns regarding the political neutrality of those companies. The Crypto AG example shows that such concerns are not new: state actors have used companies as proxies for decades and have been much more directly involved in, not just the technology manufactured by the companies, but in their commercial operations in order to maximise their information-gathering capabilities and potential.

There are two consequences of the Crypto AG reports. The first is that this will be a wake-up call for states all over the world. One expected outcome of this revelation could be even greater scrutiny of the security implications of future collaborations between private companies and states in the encryption and cyber security sectors. States should be better prepared to avoid similar scenarios in the future. As a result, states may demand more information about an encryption company’s true ownership and conduct greater due diligence in the future.  

The second consequence is more of a lesson to be learned: the challenges and issues in international cyber security are not new. For years, states have been leveraging whatever resources and means are available to achieve national security objectives. This demonstrates once again that the challenges of cyber security – from personal privacy to criminal activity to state-sanctioned proxy conflicts – are nothing new.




[1] Isaac Taylor (2018) Privatising war: assessing the decision to hire private military contractors, Critical Review of International Social and Political Philosophy, 21:2, 148-168, DOI: https://doi.org/10.1080/13698230.2015.1083257