Zug, Switzerland -- For four decades, the Swiss flag that flies in front of Crypto AG has lured customers from around the world to this company in the lake district south of Zurich.
Countries shopping for equipment to encode their most sensitive diplomatic and military communications value Switzerland's reputation for business secrecy and political neutrality. Some 120 nations have bought their encryption machines here.
But behind that flag, America's National Security Agency hid what may be the intelligence sting of the century. For years, NSA secretly rigged Crypto AG machines so that U.S. eavesdroppers could easily break their codes, according to former company employees whose story is supported by company documents.
The value to NSA of such an intelligence windfall is hard to exaggerate. For NSA effortlessly to read coded messages between top officials of many countries is the equivalent of recruiting reliable spies in key government posts around the world, receiving minute-by-minute reports from them and never risking that they will be unmasked.
NSA appears to have pulled off an international sleight of hand as brazen and brilliant as the original Trojan horse by winning the covert cooperation of the Swiss firm. Wary of encryption companies in NATO countries, the suspicious governments of such prime U.S. targets as Iran, Iraq, Libya and Yugoslavia bought equipment from Crypto AG (or Crypto Inc.). They never imagined that when they coded their messages with the Swiss machines, they may have been sending an easily unscrambled copy directly to NSA headquarters at Fort Meade.
Many details of the arrangements between Crypto and NSA are not known, including when the rigging began, whether it has ended and which machines were involved. The whole story will be told only when secret U.S. documents are declassified, probably well into the next century.
Crypto rejects the rigging allegations as an invention by disgruntled former employees and denies that its machines were ever designed or altered according to the suggestions of American spies. After reports of cooperation with Western intelligence surfaced in the Swiss press last year, the company wrote to its customers that "manipulation of Crypto AG equipment is absolutely excluded."
But a different tale is told by an accumulation of evidence, including a document obtained by The Sun showing that an NSA cryptographer attended a meeting with Crypto personnel to discuss the design of new machines.
The extraordinary story of Crypto AG is only one example of NSA's 40-year campaign to bypass, break or steal the foreign codes that are the main obstacle to the agency's eavesdropping.
The contest between code-makers and code-breakers dates back many centuries. But NSA has taken the game to unprecedented levels of effort, expenditure and deception.
The agency has amassed the world's largest concentration of supercomputers to produce the number-crunching power necessary to break foreign codes. It has dispatched FBI agents on break-in missions to snatch code books from foreign facilities in the United States, and CIA agents to recruit foreign communications clerks and buy their code secrets, according to veteran intelligence officials.
The agency has imposed secrecy orders on U.S. scientists to prevent them from publishing code-making breakthroughs that might be exploited abroad. It has designed the so-called Clipper chip, an encryption device that would scramble telephone calls to foil eavesdroppers - except FBI and NSA agents with a warrant, who could obtain the secret numeric "keys" to unlock the code.
And NSA has pressured American encryption companies to rig their own machines to permit U.S. eavesdropping, as Crypto is alleged to have done, in return for the export licenses the agency controls.
Today, NSA's need for rigged machines and pilfered code books is greater than ever. An era of inexpensive, virtually unbreakable encryption appears to be imminent. The ancient art of using codes to keep secrets is spreading beyond governments to banks, multinational corporations, drug cartels and terrorist groups.
"The window that the U.S. has had to read the communications of other countries is closing," says Stephen T. Walker, a software engineer who began his career at NSA and whose company sells encryption programs. "The advent of electronic communications opened that window. In World War II, it was incredibly valuable. But technology is closing that window," he says.
In an ironic turnabout, technologies NSA practically invented, in codes, computers and communications, now threaten its mission.
Fiber-optic cable is rapidly replacing microwave transmission as the favored route for telephone traffic. While a microwave dish or satellite can easily pluck messages from the air, tapping fiber usually requires physical placement of a bug. That's impractical on the scale of NSA's global net.
"When you take something off microwave relay and put it on fiber-optic, basically it's lost [to NSA]," says intelligence expert Jeffrey T. Richelson.
And the communications boom itself threatens to overwhelm NSA's eavesdroppers, who face a problem comparable to performing a chemical analysis of certain interesting drops of water in the Niagara River as it roars over the falls. Increasingly, the challenge for NSA is merely to isolate terrorists' telephonic plotting from Aunt Olga's birthday calls and faxed orders for olive oil.
"It's going to be a lot tougher for NSA in the future," says retired Adm. Tom Brooks, an NSA veteran, former director of naval intelligence and now an AT&T Corp. executive. "They're going to have to work a lot harder to do what they've done in the past."
Yet codes have always been the eavesdroppers' most daunting obstacle. Despite its mathematical brain trust and formidable supercomputers, former intelligence officials say, NSA rarely managed to break the most secure codes of the Soviet Union - a country, after all, known for its mathematicians and chess masters.
Against lesser opponents, the cryptanalysts at Fort Meade are like a baseball team with good years and bad, runs of incredible luck against particular opponents and endless strings of losses against others.
One NSA analyst recalls that in 1981 the number of translators working on Turkey suddenly shrank from about 25 people to 10. "I said, 'What the hell's going on?' They said, 'We can't break the new Turkish code,' " he says.
NSA's spectacular success in breaking codes used by the Sandinista government in Nicaragua suddenly ended, a former diplomat says, when a shipment of first-class Soviet encryption equipment reached Managua, the capital.
When the code-breakers are stumped, NSA draws on the entire arsenal of U.S. espionage.
Sometimes a bug planted in just the right place can help. In a celebrated NSA operation code-named Ivy Bells, divers placed a tap on a Soviet communications cable on the ocean floor north of Japan. Believing the line secure, the Soviets used weak encryption or none at all. NSA gleaned invaluable weapons data until the operation was betrayed to the KGB by NSA analyst Ronald W. Pelton in 1981.
American spies are always on the lookout to steal or purchase cipher manuals and machines. When foreign code clerks can't be bribed, NSA hopes they're lazy, forgetting to switch a machine to encryption mode or weakening the code by failing to change the numeric "keys" for months on end.
Yet these piecemeal tactics cannot compare with the Crypto case. The customers might see it as consumer fraud on a global scale. But from Washington, it must have seemed an ingenious spying scheme whose benefits could accrue to the United States for decades.
The 'Boris project'
The story begins with Boris C. W. Hagelin, a Russian-born Swede who devised a compact encryption device and sold 140,000 of them to the U.S. Army during World War II, becoming the first cryptography millionaire, according to historian David Kahn. Mr. Hagelin also cemented his friendship with another Russian-born cryptographic genius, William F. Friedman, then the leading cryptographer for the U.S. military, later a special assistant to the director of NSA.
After the war, Mr. Hagelin's Swiss factory fed the growing global market created by Cold War mistrust and the parade of newly independent countries. Crypto became one of the world's largest suppliers of encryption equipment to governments without the expertise to build their own machines.
In 1957, NSA called Mr. Friedman out of retirement for a secret mission that involved visiting Mr. Hagelin, author Ronald Clark wrote in his 1977 biography of Mr. Friedman. NSA urged Mr. Clark not to write about Mr. Friedman's 1957 trip and two others, suggesting that such revelations could hurt the agency's ability to read foreign secrets, the author wrote.
Writer James Bamford added more clues in his 1982 book on NSA, "The Puzzle Palace." Discovering in Mr. Friedman's letters references to a mysterious "Boris project," Mr. Bamford concluded that Mr. Friedman had extracted from Boris Hagelin an agreement to cooperate with American eavesdroppers.
These hints lay unexamined and apparently had no effect on Crypto's business until 1992, when the arrest and imprisonment in Iran of a salesman for Crypto prompted further inquiries.
The salesman, Hans Buehler, was on his 25th trip to Iran on behalf of Crypto when Iranian intelligence agents grabbed him, accused him of spying for the United States and Germany, held him in solitary confinement and interrogated him.
"I was questioned for five hours a day for nine months," Mr. Buehler says. "I was never beaten, but I was strapped to wooden benches and told I would be beaten. I was told Crypto was a spy center."
After nine months, Crypto paid $1 million to win Mr. Buehler's freedom. But a few weeks after Mr. Buehler's triumphant return to Switzerland, Crypto abruptly dismissed him and demanded that he repay the $1 million.
Mr. Buehler was baffled and bitter, he says. In 13 years with the company, he had no inkling that it had cooperated with foreign spies and assumed the Iranians' charges were groundless. But what he learned after he was fired persuaded him otherwise.
He spoke with several former Crypto employees who recounted their belief that the company had long cooperated with U.S. and German intelligence. Some of those same employees spoke with several Swiss journalists and with The Sun.
One former engineer says he first heard that the machines were being "adjusted" from Boris Hagelin Jr., son of the company's founder and sales manager for North and South America. When they were stranded in Buenos Aires, Argentina, for a few days in 1970, the younger Mr. Hagelin complained to the engineer about being forced by his father to rig the machines, the engineer says.
Back in Switzerland, the engineer confronted the elder Mr. Hagelin. The old man, he says, confirmed the deception and justified it with a theory of political paternalism.
"He said different countries need different levels of security," recalls the engineer, who asked not to be identified. While the United States and other leading Western countries required completely secure communications, Mr. Hagelin explained, such security would not be appropriate for the Third World countries that were Crypto's customers.
Mr. Hagelin never explicitly named NSA, the engineer says: "He said we have to do it. ... But who is the 'we'? He never exactly defined it."
According to this engineer and several others, the alterations in the designs of various machines were detectable, if at all, only to an expert in cryptologic mathematics.
Sometimes the mathematical formulas that determined the strength of the encryption contained certain flaws making the codes rapidly breakable by a cryptanalyst who knew the technical details.
In other cases, the designs included a "trapdoor" - allowing an insider to derive the numerical "key" to the encrypted text from certain clues hidden in the text itself.
For a company such as Crypto to rig an encryption machine so that it hides the key in the encrypted text is like the manufacturer of an armored truck hiding a key to the strongbox in an out-of-sight spot under the hood. The driver, the guards and bank officials don't know about the key, so they assume their cash is safe. But robbers in league with the manufacturer can at any time lift the hood, snatch the key and help themselves to the loot.
On numerous occasions, this engineer says, he was given schematic diagrams for the algorithms, the crucial mathematical formulas that control the encryption. Though the designs were handed over to him by superiors at Crypto, it became clear to him that they were developed outside the company - by the mysterious U.S. and German visitors who occasionally came to the plant.
One of those visitors, the engineer says, was an NSA cryptographer named Nora L. Mackebee. A confidential corporate memorandum of a 1975 meeting, obtained by The Sun, lists "Nora Mackabee" as a participant in the discussion of design details for a new Crypto machine.
Bob Newman, a Motorola engineer, says he attended a number of meetings with Ms. Mackebee and Crypto officials in the 1970s, when Motorola was helping the Swiss firm with the transition from mechanical to electronic machines. He remembers Ms. Mackebee as one of several "consultants" helping Crypto with its designs and says he had no idea they might be U.S. intelligence agents.
"The consultants knew the senior people at Crypto AG," Mr. Newman recalls. They knew the Zug area and even advised Motorola employees on travel arrangements to Switzerland, he says.
In the late 1970s, the mystery visits appear to have stopped. But some former employees allege that the machine-rigging continued, possibly with the cooperation of West German intelligence.
When the senior Mr. Hagelin retired in 1970, he arranged for the German electronics giant Siemens AG to take "managerial control" of Crypto, appointing its chief executives. The company says the Siemens connection provided sophisticated management and technical expertise. But Siemens' defense electronics division has close ties to German intelligence, and the arrangement may have guaranteed that NSA's rigging would not be ended by new management.
Juerg Spoerndli, 46, an engineer who left Crypto last year, says that when he designed machines in the late 1970s, he was "ordered to change algorithms under mysterious circumstances" to weaken the machines.
After hearing from older engineers about the visits in earlier years from mysterious Americans, Mr. Spoerndli concluded that NSA was ordering the design changes through German intermediaries. He had mixed feelings about the arrangement.
"I was idealistic," Mr. Spoerndli says. "But I adapted quickly. ... The new aim was to help Big Brother U.S.A. look over these countries' shoulders. We'd say, 'It's better to let the U.S.A. see what these dictators are doing.' "
Privately, he resented the arrangement. "It's still an imperialistic approach to the world. I don't think it's the way business should be done," Mr. Spoerndli says.
Ruedi Hug, a former Crypto technician who also gradually came to the conclusion that the machines were rigged, says he was offended as a Swiss patriot.
"I feel betrayed," says Mr. Hug, now an insurance agent and local politician. "They always told us, 'We are the best. Our equipment is not breakable, blah, blah, blah. ... Switzerland is a neutral country.' "
After 1979, the cryptologic design of Crypto machines was taken over by a Swedish mathematician, Kjell Ove Widman, the company's "scientific adviser." By contrast with the looser collaborative arrangements of earlier years, Dr. Widman had total authority over Crypto algorithms.
A longtime colleague alleges that Dr. Widman often traveled to Germany, returning with instructions regarding the cryptologic elements of new machines.
"On some occasions, he said that only if he got the algorithm approved could we use it," the colleague recalls. The clear implication, the colleague says, was that outsiders were setting limits on the strength of the encryption Crypto sold.
Dr. Widman, who left Crypto last year to become director of a mathematical research institute in Stockholm, Sweden, denies that he made any such comments. His work was never subject to any outside control or pressure, he says.
PRECISELY WHY Boris Hagelin might have risked his company's future to cooperate with NSA remains a mystery. His motive may have been Cold War loyalty to the United States, which had made him wealthy, or a secret financial deal.
Since its founding, Crypto's ownership has been hidden behind a shadowy foundation in Liechtenstein created by Mr. Hagelin, apparently as a tax-avoidance plan, says Josef Schnetzer, the company's senior vice president.
In the statement sent to customers last year, Crypto denied that intelligence agencies had ever rigged its machines.
"The belief, commonly held by outsiders, that the customer buys a black box, the functioning of which he does not know, has no connection to reality," the company statement said. "No discerning customer would accept such a procedure and no manufacturer trying to cheat or manipulate the equipment would survive in this extremely demanding market."
A former Crypto engineer calls this assertion "ridiculous." Several cryptology experts interviewed by The Sun also say equipment can be rigged so that no customer could tell.
"It's certainly technologically feasible," says Alan T. Sherman, a professor of computer science at the University of Maryland Baltimore County and a specialist in cryptology. At the request of The Sun, Dr. Sherman reviewed technical details of the allegations made by the former Crypto engineers. He found them credible, he says.
In answer to charges of machine-rigging, Crypto filed suit last year against Mr. Buehler, its fired salesman. The suit was settled last month, days before former Crypto engineers were to testify that they believed the machines were altered. The parties agreed not to disclose the settlement.
Meanwhile, though the company has hastened to reassure its customers, business has declined and employees have been laid off.
Ms. Mackebee, the NSA cryptographer who attended Crypto design meetings, retired from the agency a few years ago to the Howard County horse farm she owns with her husband, Lester, another NSA veteran. Asked about her work with Crypto, Ms. Mackebee, 55, was silent for a time and then said, "I can't say anything about that."
Engineers 'turning white'
If Crypto AG was offered a deal by NSA in return for rigging its products, it would not be alone. The approach to American firms usually comes during discussions with NSA's export licensing office.
"It is not unheard of for NSA to offer preferential export treatment to a company if it builds a back door into its equipment," says one person with long experience in the field. "I've seen it. I've been in the room."
NSA's pitch varies. "Generally with high-level executives it's an appeal to patriotism - how important it is for us to listen to the world," this source says. "With the midlevel commercial types, it's, 'Do this and we'll give you preferential export treatment.' To the real technical people, it's, 'Why don't you do this?' And you don't realize what's being suggested until you see the engineers are turning white."
In addition to the carrot of export approval, NSA also can brandish a stick, this source says. "There's the threat: You'll never get another export approval if you don't start to play ball."
While this source says he has never seen a company executive explicitly agree to such a deal, he and other industry insiders say they believe some U.S. machines approved for export do contain NSA trap doors.
What is certain is that NSA for decades has meticulously scrutinized developments in the encryption field in the United States.
In 1978, when George I. Davida, a University of Wisconsin computer scientist, tried to patent an encryption device he invented, NSA slapped a secrecy order on the device. Under the Invention Secrecy Act of 1951, the government can clamp a lid on any invention deemed to be potentially damaging to national security.
Dr. Davida fought back, and NSA backed down. But the resulting talks between NSA officials and academic experts led to an agreement under which most, though not all, encryption scientists agree to permit NSA to review their research before publication.
Meanwhile, export controls have discouraged software giant Microsoft Corp. from building strong encryption into its best-selling Windows programs, so that encrypting computer messages remains complicated and most U.S. businesses don't bother. As a result, says Stephen Walker, whose Maryland company writes encryption software, U.S. firms are preyed on by foreign spies.
"I don't want [NSA] not to be able to listen to Iraqi terrorists," Mr. Walker says. "But you're hamstringing U.S. industry in the hope of hamstringing some Iraqi terrorist who, if he's smart, can get around it anyway."
THE SMART TERRORIST can, for instance, download from the Internet a program with the folksy name Pretty Good Privacy, or PGP. The work of Phil Zimmermann, a bearded computer consultant and peace activist who works from his cluttered home in Boulder, Colo., PGP is used to scramble electronic mail to keep messages private on the Internet.
Despite its humble origins, PGP may be too tough even for NSA to break. Its release on the Internet prompted a long-running Justice Department investigation of Mr. Zimmermann for "exporting" the encryption program without NSA's approval.
Mr. Zimmermann's many defenders in the computer world - one of whom dubbed NSA "the occupation army of cyberspace" - say trying to stop software such as PGP at the U.S. border is folly when a Baltimore teen-ager's electronic mail may circle the planet on its way to a friend across town. They say PGP is just the beginning of an era in which cheap, powerful encryption automatically protects all electronic communications - not just government secrets but lovers' whispers, consumers' credit-card orders and corporations' marketing plans, too.
NSA and FBI officials warn that unbreakable encryption could be a terrifying tool for criminals and terrorists. They cite a California case in which police could not inspect a child molester's computer files because they were sealed with PGP.
Mr. Zimmermann says that's regrettable, but counters: "A pedophile can drive up the street and pull little girls into his car. Should we ban cars?" Chinese dissidents, Latvian nationalists and even the Dalai Lama use PGP, he adds.
The prospect that NSA might lose its ability to eavesdrop on the world does not appear to trouble Mr. Zimmermann. Until the invention of the telephone, he says, conversations could be protected merely by walking away from the ears of others.
"I think it's an accident of technology that we lost the ability to have private conversations," he says. Encryption such as PGP merely ends the historical fluke of electronic eavesdropping, he argues - and tough luck for the spies.
Yet the obituary for NSA may be premature.
Once, says Louis W. Tordella, the gray eminence who was the agency's deputy director for 16 years, the Pentagon's research chief solemnly informed him that encryption was improving so fast that NSA "would be out of business in five years."
That was in 1961.
"Could technology put NSA out of business?" he asks. "Absolutely. Will it put NSA out of business? That remains to be seen."