The Swiss parliamentary oversight report on #CryptoAG just dropped. 64 pages (still need to read). It makes it clear, plain and simple, that CH knew and profited of the access to Crypto AG. Will update below with insights...
parlament.ch/press-releases…
#cryptoleaks
parlament.ch/press-releases…
#cryptoleaks
It's a big report - the summary clarifies that the executive (the federal council) did not know about it. The knowledge always stopped with the intel service director or below.
Oversight criticizes leadership issues that this was the case. Fed. council should have been briefed.
Oversight criticizes leadership issues that this was the case. Fed. council should have been briefed.
The oversight committee received the MINERVA report from its intelligence service (NDB). NDB authenticated the report but criticized its accuracy with regard to the activities in Switzerland.
(side note: the press conference is ongoing. The head of the oversight committee says there was an "intelligence service within an intelligence service". politically pretty explosive, as some of these career officials are still serving today)
Swiss intel knew of the Crypto AG since "fall 1993": it knew the owners, it knew that there were "weak" devices, and decided it wants to be able to break the weak devices in the future. To ensure this capability, it cooperated with the US intel services.
To access the encrypted streams, it used its own interception system "Onyx".
The head of the reformed service (from 2010 onwards), when offered options on what to do about CryptoAG going forward in 2017, refused that it is his responsibility to do anything about it. His deputy supported such a position.
The current head of the intelligence service differed with that assessment (in mid-2019). On 19. August 2019 the defence minister was briefed (for the first time).
The Swiss intel service acquired the MINERVA report in October 2019 and intensified the exchange with the American and "further involved foreign services" to anticipate the consequences of the media reporting.
Interesting domestic politics issue: the oversight body criticised, that in the 1990s, the foreign intel service chose not to inform the domestic intel service about the CryptoAG secret, without raising the issue onto the political level.
the oversight committee knows of concrete cases, where the decryption capabilities were of great use to the Swiss government and the army.
Side-note: see reporting in @tagesanzeiger last weekend that points to the Libya crisis as an example
tagesanzeiger.ch/schweiz-machte…
Side-note: see reporting in @tagesanzeiger last weekend that points to the Libya crisis as an example
tagesanzeiger.ch/schweiz-machte…
the oversight committee also mentions a third Swiss company (not CryptoAG) that sent insecure devices to the federal government and two large companies (btw 2002-2008), which brought the issue of cryptography (but not CryptoAG) to the attention of the defence minister.
This concludes the summary of the historical part of the report (up to p.30). I will read the second part of the report tomorrow (containing the "foundational questions for the future" & a manoeuvre critique of handling the affair in 2019/2020)
from Part II: the most interesting is the oversight committee's recommendation for the federal government to exclusively source "encryption solutions" from domestic suppliers, as well as to further strengthen the army's cryptographic and cryptanalytic capabilities.
Particularly, it emphasises that the defence department should ensure that the cryptanalytic capabilities keep pace with the needs of communications intelligence, including those sourced in "cables" (i.e. internet comms).
Finally, there are a number of important recommendations with regard to intelligence policy and governance, including the use of the security committee of the federal council (note no mention of the cybersecurity committee) and the inclusion of the head of the army in those,
Also: the committee would like the service to have an index and overview of its past operations and sources, as well as the available archival material pertaining to them.
I would have added:
The service (&its clients) seems to lack an understanding of its history. I would have suggested to let someone undertake that task, with access to the archives (exceptions by the fed council)
cc @AlfredHeer @mayagraf_bl @yferi @MullerAltermatt @WernerSalzmann
The service (&its clients) seems to lack an understanding of its history. I would have suggested to let someone undertake that task, with access to the archives (exceptions by the fed council)
cc @AlfredHeer @mayagraf_bl @yferi @MullerAltermatt @WernerSalzmann
• • •
Missing some Tweet in this thread? You can try to
force a refresh
