News broke on February 11th that stunned the world. Crypto AG, a company trusted by government agencies and other public sector entities worldwide for nearly a century, was owned by the Central Intelligence Agency. The CIA used Crypto AG to acquire highly sensitive and often classified data on foreign governments across continents.
The company’s origins date back to 1920, so a hundred years ago! As AB Cryptoteknik, it was founded in Stockholm, Sweden, building cryptograph machines, back when cryptography was all mechanical. By 1952, the company had moved to Switzerland for tax reasons and restarted as Crypto AG. The company started working with digital cryptography as soon as the technology became available. By the 1960s, it had large European corporate clients like Siemens, Ericsson, and Kongsberg. In June 1970, well into the Cold War, Crypto AG was secretly purchased by the CIA and West Germany’s BND intelligence agency.
Operation Thesaurus commenced shortly thereafter, to be renamed Rubicon in the 80s. By the early 90s, BND considered its role in Crypto AG and Rubicon too risky, so it backed out, making the CIA the sole owner of the company. Through the first dozen or so years of the 21st century, Crypto AG sold cryptographic equipment and services to a whopping 120 countries, including India, Pakistan, and Iran. But to the possible frustration of the CIA’s espionage objectives, China and the former Soviet Union were never clients.
A CIA report about the matter said, “It was the intelligence coup of the century. Foreign governments were paying good money to the US and West Germany for the privilege of having their most secret communications read by at least two (and possibly as many as five or six) foreign countries.”
Rubicon was effectively one giant backdoor for American intelligence. The CIA is of course an entity of the United States. And the United States is a member of the Five Eyes intelligence alliance, with the other “four eyes” being Canada, the UK, Australia, and New Zealand. So those are likely the other countries Crypto AG shared intelligence with.
By 2018, Crypto AG was liquidated and its assets were sold to other companies.
The Crypto AG scandal involves intelligence agencies and many public sector entities. But even if you’re in a private sector company of any size, the news should concern you.
Backdoors are a huge concern to everyone’s information security, private sector companies included. They’re deliberate vulnerabilities, designed so that other entities can access data without a user’s knowledge. They can be in hardware, software, and networking devices, and they can exist everywhere from video game consoles and mobile devices to servers and telecommunications infrastructure. Many government agencies have argued that they consider backdoors necessary for intelligence and law enforcement in order to protect their citizens and investigate crime. Here’s one of many examples. In 2014, former FBI Director James Comey said in a speech at the Brookings Institution:
“Encryption isn’t just a technical feature; it’s a marketing pitch. But it will have very serious consequences for law enforcement and national security agencies at all levels. Sophisticated criminals will come to count on these means of evading detection. It’s the equivalent of a closet that can’t be opened. A safe that can’t be cracked. And my question is, at what cost...
We’re seeing more and more cases where we believe significant evidence is on that phone or a laptop, but we can’t crack the password. If this becomes the norm, I would suggest to you that homicide cases could be stalled, suspects could walk free, and child exploitation might not be discovered or prosecuted. Justice may be denied, because of a locked phone or an encrypted hard drive.”
But even if backdoors may make life easier for the cops, they threaten everyone’s security. Any backdoor weakens encryption as a whole. Bruce Schneier knows this well. As he has written on his blog:
“Strong encryption means unbreakable encryption. Any weakness in encryption will be exploited—by hackers, by criminals and by foreign governments. Many of the hacks that make the news can be attributed to weak or—even worse—nonexistent encryption.
The FBI wants the ability to bypass encryption in the course of criminal investigations. This is known as a ‘backdoor,’ because it's a way at the encrypted information that bypasses the normal encryption mechanisms. I am sympathetic to such claims, but as a technologist I can tell you that there is no way to give the FBI that capability without weakening the encryption against all adversaries. This is crucial to understand. I can't build an access technology that only works with proper legal authorization, or only for people with a particular citizenship or the proper morality. The technology just doesn't work that way.
If a backdoor exists, then anyone can exploit it. All it takes is knowledge of the backdoor and the capability to exploit it. And while it might temporarily be a secret, it's a fragile secret. Backdoors are how everyone attacks computer systems.”
Here’s one of many ways that backdoors have threatened cybersecurity already. The National Security Agency knew about the EternalBlue exploit for years, but inevitably it became public knowledge and was posted on WikiLeaks. WannaCry and other catastrophic malware exploited the notorious Windows SMB vulnerability, costing companies countless millions in lost data, lost productivity, and ransom payment attempts.
Kevin Bocek, VP Security Strategy & Threat Intelligence for Venafi, has advice for organizations that may be concerned about government backdoors in their encryption equipment:
“The only way organisations can be confident that their encryption is fit for purpose and does not possess any backdoors is by ensuring they have complete visibility and control over every single machine identity in use across their network and that they disable any that are not in use or not needed. (By machine identity, I mean the encryption keys and certificates that enable and secure private machine-to-machine communications.) Once all the identities have been discovered, they need to automate the process so that whenever a new identity is created then you know about it—this will stop third parties inserting their own backdoors without your knowledge. This enables organisations to spot signs of possible identity misuse, and quickly act to revoke and replace compromised identities.”
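The inventory-and-diff practice Bocek describes, as an added example that is not the article's or Venafi's code: a baseline of approved certificate fingerprints is compared against a fresh scan and against what is actually seen in use, flagging identities that appeared without being recorded and identities that are present but idle. The PEM bodies are constructed placeholders rather than real certificates; the `audit` and `run_example` functions and the owner labels are assumptions for illustration.

```python
"""Machine-identity inventory check (added example, not the article's code).

Fingerprint = SHA-256 over the DER bytes of each certificate, which is the
value `openssl x509 -noout -fingerprint -sha256` reports for a real cert.
"""
import base64
import hashlib
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def fingerprints(pem_bundle: str) -> set[str]:
    """Return the SHA-256 fingerprint (hex) of every certificate in a PEM bundle."""
    found = set()
    for body in PEM_RE.findall(pem_bundle):
        der = base64.b64decode("".join(body.split()))
        found.add(hashlib.sha256(der).hexdigest())
    return found


def audit(baseline: dict[str, str], scanned: set[str], in_use: set[str]) -> dict[str, set[str]]:
    """Compare a scan against the approved inventory.

    baseline: fingerprint -> owner/purpose recorded when the identity was discovered
    scanned:  fingerprints present on hosts right now
    in_use:   fingerprints observed in live TLS handshakes (e.g. from proxy logs)
    """
    known = set(baseline)
    return {
        "unrecorded": scanned - known,        # appeared without going through the process
        "missing": known - scanned,           # recorded but no longer present: inventory drift
        "idle": (scanned & known) - in_use,   # present but unused: disable/revoke candidates
    }


def _pem(label: bytes) -> str:
    # Constructed placeholder "certificate": a PEM wrapper around arbitrary bytes.
    return f"-----BEGIN CERTIFICATE-----\n{base64.b64encode(label).decode()}\n-----END CERTIFICATE-----\n"


CERT_A, CERT_B, CERT_C = (_pem(b"constructed-cert-" + x) for x in (b"A", b"B", b"C"))


def run_example() -> dict[str, set[str]]:
    (fp_a,) = fingerprints(CERT_A)
    (fp_b,) = fingerprints(CERT_B)
    baseline = {fp_a: "api-gateway TLS", fp_b: "legacy batch client"}   # assumed owners
    scanned = fingerprints(CERT_A + CERT_B + CERT_C)   # C showed up without being recorded
    in_use = {fp_a}                                    # only A seen in handshakes
    return audit(baseline, scanned, in_use)


if __name__ == "__main__":
    for category, fps in run_example().items():
        print(category, sorted(fps))
```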
Organizations across industries of all sizes must watch out for backdoors and do their best to encrypt their data properly.