Engineer working on hardware chip on motherboard showing Crypto AG using encryption backdoor on cryptographic equipment for CIA to spy on foreign affairs

Crypto AG Shows That U.S. Concern Over Huawei Encryption Backdoors Comes From Long Experience Doing the Same Thing

The United States government has been dead set against the use of Huawei equipment in national infrastructure since early 2018, when AT&T was pressured into dropping a lucrative 5G contract with the Chinese company. Speculation about encryption backdoors for use by the Chinese government has driven most of this, coming to a head recently with direct accusations that Huawei hardware has law enforcement backdoors in addition to new charges of racketeering and theft of trade secrets.

Another news story that broke recently may shed some light on the depth and intensity of United States suspicions even in the face of what sometimes seems to be scanty evidence.

U.S.-controlled Crypto AG, which has sold cryptographic equipment to governments throughout the world, used similar backdoors to allow the CIA to spy on foreign affairs for decades.

Encryption backdoors in use since the 1960s

All of this is not to say that the U.S. does not have solid reasons to be wary of Huawei. As a company based in China, Huawei is required by law to comply with any demands the governing CCP makes of it; there is no room for something like Apple’s refusal to create an encryption backdoor for the US government. China and the US are racing to be the first into the lucrative 5G space, and Huawei has been caught with its hand in the industrial espionage cookie jar before.

The thing that is more nebulous is the accusations of hardware backdoors that lead back to China, which until recently had relied on a “trust us, we’re the government” approach from the US. While there may well be classified evidence that makes this more than a case of projection, US history would indicate that this abundance of government caution stems from the actions of its own intelligence agencies. No story is more illustrative than that of Crypto AG.

Founded in Switzerland in 1952, Crypto AG’s trade was in providing ciphering machines to U.S. forces during World War II. The firm became an international cryptography giant from there, providing technology to the governments of more than half the world’s nations over the decades.

Initially, Crypto AG was independent. But in the 1960s, control of the Swiss company was covertly taken by the CIA and West German intelligence. Business continued as normal and the rest of the world was unaware, but from about 1970 forward the equipment coming out of Crypto AG contained encryption backdoors.

The U.S. used this to spy on a broad range of foreign nations, and not just enemies and rivals. This equipment was in use in Spain, Italy, Turkey, Greece, Argentina, India, Pakistan, and the Vatican among other locations.

The full details of the relationship were confirmed by a recent Washington Post report, but there were strong indications and suspicions dating back to the 1970s. Communications between the NSA and the founder of Crypto AG hinted at the relationship, as did some careless statements made by President Reagan during the ’80s. This may be why primary rivals Russia and China were never customers of the company. However, in the early 1990s the CIA bought out West Germany and continued to produce this compromised equipment until the company was fully dissolved in 2018. News reports speculating about this connection appeared as early as 1995, but at that point the world of cryptography was transitioning to the internet and Crypto AG was becoming much less relevant.

The CIA and West German intelligence were at odds from the beginning, but managed to keep the program together for over two decades. The CIA was dismayed at the West German focus on using the encryption backdoors to make money rather than gather important intelligence; the West Germans were “aghast” at the willingness of the US to spy on everyone but its closest allies, according to internal reports unearthed by the Washington Post. The reports indicate that the United Kingdom, Sweden, Switzerland and Israel were aware of the encryption backdoor program and were given access to intelligence gathered from it.

The reports also indicate that Crypto AG used bribes to foreign leaders and smear campaigns against competitors to maintain its dominant market position.

Huawei’s place in the world

Though the US has virtually frozen the company out of the country at this point, not all of its allies have taken the same tack. The UK will allow Huawei components in non-sensitive parts of the country’s 5G network, and a vote on the company’s presence in Germany is forthcoming.

Australia has banned it, but New Zealand intends to incorporate some Huawei components into its network and Canada is still mulling the possibility.

Huawei, for its part, has staunchly maintained it does not include encryption backdoors for the Chinese government. And U.S. accusations of that nature have been vague thus far, not providing enough details for anyone else to independently verify them.

The dilemma for every other country in the world is that Huawei’s equipment tends to be the cheapest option among the major manufacturers, and is about as advanced as it gets in the 5G realm. There are fair reasons to wonder what kind of access the CCP will have bundled with it, but as of now the only evidence is the insistence of the same government that brought the world Crypto AG, NSA surveillance of allied leaders, demands for an encryption backdoor in all Apple devices, and multiple insecure backdoors in Cisco routers. Whether that helps or hurts their case is in the eye of the beholder.

What can the average end user do with all of these government backdoors in their hardware? Kevin Bocek, VP security strategy & threat intelligence at Venafi, provides some parting thoughts:

“Government mandated backdoors will allow cyber criminals to undermine all types of private, secure communications and weaken the power of encryption – ultimately, if we create this power for government, it will soon work its way into the wrong hands. We have already seen this with EternalBlue and the Ukranian power station hack. This is why the Crypto AG revelations should be a major concern for all of us.

“The only way organizations can be confident that their encryption does not possess any backdoors is by ensuring they have complete visibility and control over the encryption keys and certificates that act as machine identities. These security assets enable and secure machine to machine communications and are used in nearly every digital transaction.”