CIA-Controlled Encryption Company Eavesdropped on Dozens of Countries

The CIA collected intelligence from other countries for over half a century (Wikimedia Commons).

The CIA collected intelligence from other countries for over half a century (Wikimedia Commons).

In an operation that officers describe as “the intelligence coup of the century,” the Central Intelligence Agency (CIA) and its West German counterpart operated a global encryption company that eavesdropped on the secured communications of both allies and adversaries for more than 50 years. Known by the codename Rubicon, the project only came to light in a February 11 joint report between the Washington Post and ZDF, a German broadcaster. 

After the end of World War II, the Swedish-born Boris Hagelin founded Crypto-AG, an encryption machine manufacturer, in Switzerland. His models became secure over time. CIA documents unearthed by the Washington Post show that the “Dark Ages of American cryptology” concerned U.S. officials, who were unable to crack the advanced encryption of the Soviet Union and China. U.S. intelligence turned to Hagelin and established a partnership with Crypto-AG.

Under the terms of the deal, the National Security Agency would tweak the algorithm so that codebreaking would take just seconds, compared to the months it previously took. These compromised encryption machines were then sold to the majority of Crypto’s clientele, with secured machines sold only to a small list of countries approved by the U.S. government. As Hagelin aged, the CIA and the BND, West Germany’s intelligence service, bought the company and assumed direct control of it without the knowledge of Crypto’s 180 employees. This allowed the Germans and Americans to quietly eavesdrop on the secured communications of more than 120 countries, including Iran and Libya, for more than two decades.

Nevertheless, the partnership between the U.S. and West Germany was fraught. The West Germans disproved of selling vulnerable machines to allies, while the U.S. was reluctant to lose valuable information from NATO countries like Spain, Greece, and Turkey, all of whom bought compromised encryption machines from Crypto. 

The CIA received more than 19,000 Iranian cables from Crypto-AG machines during the hostage crisis and the Iran-Iraq War, but security was a perennial concern. In 1992, Iran, which had long been suspicious of Crypto-AG machines, arrested a company salesman named Hans Buehler. Although he knew nothing about the CIA’s involvement, the publicity brought renewed attention to the program.

As decades passed, it became increasingly difficult to conceal Crypto’s true ownership from the engineers and scientists who produced the machines. Many of them questioned why the algorithms given to them were so easily broken, and some began to suspect that the company worked with Western intelligence services. To appease employees and maintain secrecy, the CIA recruited Kjell-Ove Widman, a renowned mathematics professor specializing in cryptology. Widman was introduced to Richard Schroeder, the CIA officer who managed the Agency’s affairs with Crypto-AG, and became the “irreplaceable man” in the program. Schroeder retired from the CIA and is now a professor of science, technology, and international affairs (STIA) at Georgetown University. When reached by the Caravel, he declined to comment on the story, citing his secrecy obligation for any information not officially declassified by the CIA.

Although the intelligence from the program was invaluable, it raises questions about what the CIA knew about human rights abuses during the Cold War. The Washington Post reports that among the customers of Crypto-AG were South American dictatorships that participated in Operation Condor, an anti-communist program where thousands “disappeared.” Declassified files obtained by the National Security Archives show that the CIA would have been aware of the extent of human rights abuses, but the documents show no attempt by the CIA to expose or stop these violations. 

After the fall of the Soviet Union, the Germans exited the program in 1993, fearing public exposure. Although new technologies meant that Crypto was no longer profitable, intelligence continued to flow in, since many governments never updated the encryption machines they assumed were reliable. Finally, in 2017, Crypto-AG’s headquarters was sold and its assets were split up and liquidated a year later. According to SWI, Switzerland has opened a federal investigation into the company, and a parliamentary inquiry also appears likely. In the meantime, the Swiss government has suspended foreign sales of Crypto-AG machines.