‘The intelligence coup of the century’
For decades, the CIA read the encrypted communications of allies and adversaries.
For more than half a century, governments all over the world trusted a single company to keep the communications of their spies, soldiers and diplomats secret.
The company, Crypto AG, got its first break with a contract to build code-making machines for U.S. troops during World War II. Flush with cash, it became a dominant maker of encryption devices for decades, navigating waves of technology from mechanical gears to electronic circuits and, finally, silicon chips and software.
The Swiss firm made millions of dollars selling equipment to more than 120 countries well into the 21st century. Its clients included Iran, military juntas in Latin America, nuclear rivals India and Pakistan, and even the Vatican.
But what none of its customers ever knew was that Crypto AG was secretly owned by the CIA in a highly classified partnership with West German intelligence. These spy agencies rigged the company’s devices so they could easily break the codes that countries used to send encrypted messages.
The decades-long arrangement, among the most closely guarded secrets of the Cold War, is laid bare in a classified, comprehensive CIA history of the operation obtained by The Washington Post and ZDF, a German public broadcaster, in a joint reporting project.
The account identifies the CIA officers who ran the program and the company executives entrusted to execute it. It traces the origin of the venture as well as the internal conflicts that nearly derailed it. It describes how the United States and its allies exploited other nations’ gullibility for years, taking their money and stealing their secrets.
The operation, known first by the code name “Thesaurus” and later “Rubicon,” ranks among the most audacious in CIA history.
“It was the intelligence coup of the century,” the CIA report concludes. “Foreign governments were paying good money to the U.S. and West Germany for the privilege of having their most secret communications read by at least two (and possibly as many as five or six) foreign countries.”
From 1970 on, the CIA and its code-breaking sibling, the National Security Agency, controlled nearly every aspect of Crypto’s operations — presiding with their German partners over hiring decisions, designing its technology, sabotaging its algorithms and directing its sales targets.
Then, the U.S. and West German spies sat back and listened.
The program had limits. America’s main adversaries, including the Soviet Union and China, were never Crypto customers. Their well-founded suspicions of the company’s ties to the West shielded them from exposure, although the CIA history suggests that U.S. spies learned a great deal by monitoring other countries’ interactions with Moscow and Beijing.
There were also security breaches that put Crypto under clouds of suspicion. Documents released in the 1970s showed extensive — and incriminating — correspondence between an NSA pioneer and Crypto’s founder. Foreign targets were tipped off by the careless statements of public officials including President Ronald Reagan. And the 1992 arrest of a Crypto salesman in Iran, who did not realize he was selling rigged equipment, triggered a devastating “storm of publicity,” according to the CIA history.
But the true extent of the company’s relationship with the CIA and its German counterpart was until now never revealed.
The German spy agency, the BND, came to believe the risk of exposure was too great and left the operation in the early 1990s. But the CIA bought the Germans’ stake and simply kept going, wringing Crypto for all its espionage worth until 2018, when the agency sold off the company’s assets, according to current and former officials.
The company’s importance to the global security market had fallen by then, squeezed by the spread of online encryption technology. Once the province of governments and major corporations, strong encryption is now as ubiquitous as apps on cellphones.
This story is based on the CIA history and a parallel BND account, also obtained by The Post and ZDF, and interviews with current and former Western intelligence officials as well as Crypto employees. Many spoke on the condition of anonymity, citing the sensitivity of the subject.
It is hard to overstate how extraordinary the CIA and BND histories are. Sensitive intelligence files are periodically declassified and released to the public. But it is exceedingly rare, if not unprecedented, to glimpse authoritative internal histories of an entire covert operation. The Post was able to read all of the documents, but the source of the material insisted that only excerpts be published.
The CIA and the BND declined to comment, though U.S. and German officials did not dispute the authenticity of the documents. The first is a 96-page account of the operation completed in 2004 by the CIA’s Center for the Study of Intelligence, an internal historical branch. The second is an oral history compiled by German intelligence officials in 2008.
The overlapping accounts expose frictions between the two partners over money, control and ethical limits, with the West Germans frequently aghast at the enthusiasm with which U.S. spies often targeted allies.
But both sides describe the operation as successful beyond their wildest projections. At times, including in the 1980s, Crypto accounted for roughly 40 percent of the diplomatic cables and other transmissions by foreign governments that cryptanalysts at the NSA decoded and mined for intelligence, according to the documents.
All the while, Crypto generated millions of dollars in profits that the CIA and BND split and plowed into other operations.
Crypto’s products are still in use in more than a dozen countries around the world, and its orange-and-white sign still looms atop the company’s longtime headquarters building near Zug, Switzerland. But the company was dismembered in 2018, liquidated by shareholders whose identities have been permanently shielded by the byzantine laws of Liechtenstein, a tiny European nation with a Cayman Islands-like reputation for financial secrecy.
Two companies purchased most of Crypto’s assets. The first, CyOne Security, was created as part of a management buyout and now sells security systems exclusively to the Swiss government. The other, Crypto International, took over the former company’s brand and international business.
Each insisted that it has no ongoing connection to any intelligence service, but only one claimed to be unaware of CIA ownership. Their statements were in response to questions from The Post, ZDF and Swiss broadcaster SRF, which also had access to the documents.
CyOne has more substantial links to the now-dissolved Crypto, including that the new company’s chief executive held the same position at Crypto for nearly two decades of CIA ownership.
A CyOne spokesman declined to address any aspect of Crypto AG’s history but said the new firm has “no ties to any foreign intelligence services.”
Andreas Linde, the chairman of the company that now holds the rights to Crypto’s international products and business, said he had no knowledge of the company’s relationship to the CIA and BND before being confronted with the facts in this article.
“We at Crypto International have never had any relationship with the CIA or BND — and please quote me,” he said in an interview. “If what you are saying is true, then absolutely I feel betrayed, and my family feels betrayed, and I feel there will be a lot of employees who will feel betrayed as well as customers.”
The Swiss government announced on Tuesday that it was launching an investigation of Crypto AG’s ties to the CIA and BND. Earlier this month, Swiss officials revoked Crypto International’s export license.
The timing of the Swiss moves was curious. The CIA and BND documents indicate that Swiss officials must have known for decades about Crypto’s ties to the U.S. and German spy services, but intervened only after learning that news organizations were about to expose the arrangement.
The histories, which do not address when or whether the CIA ended its involvement, carry the inevitable biases of documents written from the perspectives of the operation’s architects. They depict Rubicon as a triumph of espionage, one that helped the United States prevail in the Cold War, keep tabs on dozens of authoritarian regimes and protect the interests of the United States and its allies.
The papers largely avoid more unsettling questions, including what the United States knew — and what it did or didn’t do — about countries that used Crypto machines while engaged in assassination plots, ethnic cleansing campaigns and human rights abuses.
The revelations in the documents may provide reason to revisit whether the United States was in position to intervene in, or at least expose, international atrocities, and whether it opted against doing so at times to preserve its access to valuable streams of intelligence.
Nor do the files deal with obvious ethical issues at the core of the operation: the deception and exploitation of adversaries, allies and hundreds of unwitting Crypto employees. Many traveled the world selling or servicing rigged systems with no clue that they were doing so at risk to their own safety.
In recent interviews, deceived employees — even ones who came to suspect during their time at Crypto that the company was cooperating with Western intelligence — said the revelations in the documents have deepened a sense of betrayal, of themselves and customers.
“You think you do good work and you make something secure,” said Juerg Spoerndli, an electrical engineer who spent 16 years at Crypto. “And then you realize that you cheated these clients.”
Those who ran the clandestine program remain unapologetic.
“Do I have any qualms? Zero,” said Bobby Ray Inman, who served as director of the NSA and deputy director of the CIA in the late 1970s and early 1980s. “It was a very valuable source of communications on significantly large parts of the world important to U.S. policymakers.”