May 18, 2020

Maximator and other European SIGINT alliances

(Updated: July 22, 2020)

One of the topics covered by this weblog is international cooperation among signals intelligence agencies. The Snowden-revelations already provided many details about the various multilateral groups formed by the NSA's partners, like the SIGINT Seniors Europe (SSEUR or 14-Eyes) and the Afghanistan SIGINT Coalition (AFSC or 9-Eyes).

None of the NSA documents gave a hint that a few European countries also have their own secret alliance for cooperation in the fields of signals intelligence and crypto analysis. This alliance, which already exists since 1976, is codenamed Maximator and was unexpectedly revealed on April 7 in an academic article.

(This overview isn't meant to be complete, other multilateral cooperations between European agencies may exist or have existed)

The countries participating in the Maximator alliance
(click to enlarge)

The Maximator alliance

An interesting aspect to start with is that the existence of the Maximator alliance was revealed in an article by prof. dr. Bart Jacobs in Intelligence and National Security, which is an academic journal about intelligence and national security. Usually, this kind of revelations are published by major newspapers, but they didn't even pick up this story. So far only a Dutch investigative radio program, a Dutch regional newspaper and a German tech website have reported about Maximator.
Update: Meanwhile, The Register and The Economist have also reported about Maximator.
Professor Bart Jacobs is one of the leading Dutch experts on computer security and teaches at Radboud University in Nijmegen. He is also a member of the knowledge network (Dutch: kenniskring) of the CTIVD, the oversight committee for the Dutch secret services, and a member of the independent commission that is currently conducting an evaluation of the new Dutch intelligence law. Both assignments require a security clearance, which makes this revelation even more remarkable.

The secret purchase of Crypto AG

The revelation of Maximator came forth from another big scoop: the fact that in 1970, the CIA and the German foreign intelligence service BND had secretly purchased the Swiss manufacturer of encryption equipment Crypto AG, which was codenamed operation RUBICON. This was revealed on February 11, 2020, as a result of a cooperation between The Washington Post, the German broadcaster ZDF, the Swiss broadcaster SRF and the Dutch radio program Argos.

The CIA and the BND didn't install rude "backdoors" in the Crypto AG equipment, but only manipulated the cryptographic algorithms which "streamlined the code-breaking process, at times reducing to seconds a task that might otherwise have taken months." This made it very difficult to detect the manipulation. In this way, Crypto AG produced secure encryption devices that would be sold to a select number of friendly governments, and weakened systems for the rest of the world (including some European countries like Spain, Italy and Greece):

The countries that bought and used manipulated Crypto AG devices
(graphic: The Washington Post - click to enlarge)

It appeared that not only American and German intelligence benefited from the manipulated crypto devices: a few other countries (France, Sweden, the Netherlands, Denmark, the United Kingdom, Israel among others) were also informed about the weaknesses. An internal BND report from November 2012 titled "Einführung: Die Operation THESAURUS/RUBICON" calls them the cognoscenti, the ones with inside knowledge.

One of the experts consulted for the reporting about Crypto AG was Bart Jacobs, who in February of this year studied the CIA and BND documents about operation RUBICON. After reading the references to the involvement of the Netherlands he started to investigate more closely. Jacobs asked people from the intelligence community who then told him about the Maximator alliance and even provided him with some documents.

The "cognoscenti" mentioned in a BND report as shown
on Dutch television on February 13, 2020
(click to enlarge)

Start and growth of the Maximator alliance

The Maximator alliance was established in 1976 at the initiative of Denmark and at that time included only Sweden and Germany. The Netherlands was invited to join in 1977 and did so in 1978. Between these four countries there were already various bilateral cooperations and they also benefited from information about the manipulated Crypto AG algorithms.

According to Jacobs, the idea behind the alliance was to combine forces and divide tasks in order to reduce costs, especially those of the investments required by the upcoming satellite interception. Exchanging methods and jointly working on technical challenges would also make the partners more effective.

The former Dutch satellite intercept station at Zoutkamp, operational since 1983.
In 2008 it was closed after a new facility had been built in nearby Burum.
(screenshot from regional television - click for the video)

The idea to cooperate might have came up from lower level SIGINT employees with close personal ties and a shared high level of technical and cryptanalytical skills. It's not known whether or since when the responsible ministers knew about the alliance; Jacobs estimates that in total only up to 100 people may have known about it.

In 1983, France requested to join the alliance, which was supported especially by Germany and as a result France was invited in 1984 and joined in 1985. Other countries, like Norway, Spain and Italy, also asked to join, but this was rejected. One of the main reasons was that "within the Maximator alliance they were considered as lacking relevant expertise and/or experience."

Belgium was not invited to join Maximator for the same reason, but this country was also not fully trusted when it came to discipline in communications security: at least once it compromised its own communications via a basic mistake in key management.

Codenames within the Maximator alliance

Initially, the alliance between the first three members, Denmark, Sweden and Germany, was codenamed Ostsee (German for Baltic See), which in 1977 was changed to Alpenjäger (Alpine hunter). In 1979 the group got its final designation: Maximator.

This name was derived from the Bavarian beer brand Maximator. After a meeting at the former BND headquarters in Pullach near the Bavarian capital Munich in the late Summer of 1979, representatives of the alliance members went for a drink at a nearby Biergarten where they where served this beer, the name of which they took as their new codename.

The Maximator beer from the Augustiner brewery in Munich
(click to enlarge)

Each of the participants in the Maximator alliance also had a codename, which seem to be chosen randomly:

Member since 1976
Codename: Concilium
Participating organization: Forsvarets Efterretningstjeneste (FE)

Member since 1976
Codename: Thymian
Participating organization: Försvarets radioanstalt (FRA)

Member since 1976
Codename: Novalis
Participating organizations:
- for signals interception: Bundesnachrichtendienst (BND)
- for cryptanalysis (until 1991): Zentralstelle für das Chiffrierwesen (ZfCh)

Member since 1978
Codename: Edison
Participating organizations: Wiskundig Centrum (WKC), since 1982: Technisch InformatieVerwerkingsCentrum (TIVC), since 1996: Strategisch Verbindingsinlichtingen Centrum (SVIC), since 2014: Joint Sigint Cyber Unit (JSCU)

Member since 1985
Codename: Marathon
Participating organization: Direction Générale de la Sécurité Extérieure (DGSE)

The two components of the alliance

According to the article by professor Jacobs, the Maximator alliance was about cooperation in both signals analysis and crypto analysis:

- Signals analysis:

This was about coordinating interception mechanisms and efforts, as well as exchanging intercepted, but still encrypted messages. The focus was on intercepting and decrypting diplomatic communications, either from HF radio transmissions or SHF satellite links. These signals interception issues were discussed in multilateral meetings attended by representatives of all five Maximator members. Jacobs' article includes the covers of some of the booklets of these meetings:

Booklets from the meetings of the Maximator alliance
(source: Bart Jacobs, Maximator - click to enlarge)

- Cryptanalysis:

This involved the exchange of algorithms used in various (deliberately weakened) encryption devices used by target countries. However, it was left up to each of the individual participants to find out how to exploit the weaknesses in these algorithms and subsequently decrypt the messages. According to Jacobs, this is common practice in the intelligence community in order to prevent being fed cooked-up information. Succesful exploitations, also called "solutions", were not exchanged.

In the first few decades of the Maximator alliance, these cryptanalysis issues were discussed only bilaterally, but later on this also happened multilaterally. For this purpose, there were bilateral communication links between the Maximator partners which were secured by dedicated crypto systems as shown in this diagram from 1990 (a direct connection between the Netherlands (E) and France (M) was established later):

Sketch of the communication lines between the Maximator partners in 1990
(flags added for clarity). The triangles seem to indicate how information
(especially intercepts) can flow from one party to another.
(source: Bart Jacobs, Maximator - click to enlarge)

A parallel alliance: the Ring of Five

While the Maximator alliance was focused on diplomatic communications, there "seems to be (or, has been) a parallel alliance for intercepting (metadata of) military communications" according to Jacobs.

It's possible that this other alliance still exists, because in a report from May 2016, the Dutch oversight committee CTIVD says that the military intelligence service MIVD participates in five alliances in which unevaluated (meta)data are exchanged. Three of these alliances also include the civilian intelligence and security service AIVD.

Jacobs suggests that the parallel alliance may be identical with a group that was created in the early 1980s and was described in 2010 by Richard Aldrich as a "mini-UKUSA-alliance called "The Ring of Five", consisting of the sigint agencies of Germany, the Netherlands, France, Belgium and Denmark - although this did not prevent them from intercepting and reading each other's communications traffic".*

These groups are not identical but are easily confused because the military alliance partly used the communications network of the Maximator group (shown in the diagram from 1990). The latter includes Sweden but not Belgium, while the Ring of Five includes Belgium but not Sweden:

On July 1, 2020, the German newspaper Frankfurter Rundschau published a handwritten note from a BND employee which confirms the existence and the members of this Ring or Club of Five, see: A unique note from the BND about European SIGINT alliances.

Other alliances: NSA's European partners

Not mentioned in professor Jacobs' piece are some similar groups of European countries under guidance of the NSA. One of them was already mentioned in the contribution of Dutch intelligence historian Cees Wiebes to the book Secrets of Signals Intelligence during the Cold War and Beyond from 2001. Many new details emerged from the Snowden documents published from 2013 to 2019.

Since the 1950s, the members of both the Maximator alliance and the Ring of Five are so-called third party partners of the NSA, which means there's a formal bilateral relationship based upon a Memorandum of Understanding (MoU). Although this can lead to very close cooperation, it does not prevent spying on each other.

SIGINT Seniors Europe

The first multilateral group of European third party partners is that of the SIGINT Seniors Europe (SSEUR), which was founded in 1982 for sharing information on the Soviet Union's military. This group started with nine members and after 2001 grew to 14 nations, hence it is also known as the 14-Eyes. Besides the Five Eyes, the SSEUR now includes the (signals) intelligence agencies of nine European countries (see the map below).

The SSEUR is chaired by the director of the NSA and there's an SSEUR Executive Board (SSEB) that governs the day-to-day operations and oversees various subordinate groups. There's also an annual SSEUR Principals Conference in which the heads of the 14 agencies come together to discuss issues of common concern.

In 2013, GCHQ was encouraged to host a permanent joint SSEUR collaboration center where analysts from partner nations could be co-located (similar to the collaboration center of the Counter Terrorism Group (CTG) which is hosted by the Dutch AIVD).

SSEUR Counter Terrorism coalition

In December 2001, a subordinate group of the SSEUR was created called the SIGINT Seniors Europe Counter Terrorism coalition (SISECT), in which the domestic security services from the SSEUR member countries partcipate, except for those from Australia and New Zealand. This counter-terrorism group consists of many subgroups focusing on specific terrorist groups or technologies used by terrorists. SISECT also organizes a semi-annual conference and its communications facilities seem to be hosted by Norway.

Afghanistan SIGINT Coalition

In 2009, the Five Eyes plus Denmark, France, the Netherlands and Norway established the Afghanistan SIGINT Coalition (AFSC), which was initially known as the 9-Eyes. In 2010, this group was joined by Sweden and Germany and later on, Belgium, Italy and Spain also joined, after which it had the same 14 members as the SSEUR. Their military SIGINT units in Afghanistan collected GSM metadata which were fed into the NSA's Real Time Regional Gateway (RT-RG) data analysis platform. The AFSC seems to have been dissolved by the end of 2014.

SIGINT Support to Cyber Defense

The latest initiative involving the NSA's European third party partners is probably a working group of the SSEUR aimed at using signal intelligence as an early-warning against cyber attacks, a method known as SIGINT Support to Cyber Defense (SSCD). Except for Germany it's not known which the participating countries are. The earliest reference to this SSCD group is from July 2013 in a German document published by Wikileaks.

The SIGDASYS system

The SSEUR maintain a database and communications system called SIGDASYS (for Signals Intelligence Data System). It was proposed by the BND to push SIGINT to front-line NATO commanders and became operational in 1986.*

The system also acted as a back-up in case one of the countries lost its own SIGINT capacity. Later it was used for exchanging military SIGINT and other information on a quid pro quo basis. SIGDASYS helped to decrease the enormous overlap in targeting and played an important role during the 1990-1991 Gulf War (there was a seperate framework for the exchange of acoustic signals).*

Since 9/11, the system is also used for the exchange of data for SISECT's counter-terrorism mission, including call chaining diagrams, voice clips and textual materials for translation. In 2013, the NSA proposed to replace the "dated and functionally limited (but sovereign) SIGDASYS infrastructure" by an SSEUR Community of Interest (CoI) within the more advanced Global Collaboration Environment (GCE) hosted by the US.

In 2005, the SSEUR set up a dedicated tactical communications platform codenamed CENTER ICE to support the military operations of its members in Afghanistan.

Slide from an NSA presentation about the Afghanistan SIGINT Coalition (June 2009)
Published by The Intercept in May 2019
(click to enlarge)

Some final thoughts

One final question is about why the existence of the Maximator alliance has been leaked. Already the fact that apparently people from inside the Dutch intelligence community were willing to talk is highly surprising, because signal intelligence and crypto analysis are seen as the most secret parts of this business, with international cooperation on these topics being even more sensitive.

Jacobs assumes that his sources may have talked about the alliance because it all happened long ago - in the United States there's automatic declassification, which means documents from the intelligence agencies have to be declassified after 25 years, unless a specific exemption applies. In the Netherlands there's no such rule, so classified information only becomes public through a specific request for information (which is rarely very successful) or by leaking.

The claim that it's long ago could be valid when the Maximator alliance was something from the past and had been dissolved without implications for current operations and relations (it's not done to unilaterally disclose things about international cooperations), but even then (former) intelligence employees would be very reluctant to provide information. And in this case Jacobs clearly says that the alliance is still functional today.

Another option is that over the years the purpose and/or the activities of the Maximator group have changed, similar to how the SIGINT Seniors Europe moved their focus from the Soviet Union to counter-terrorism. An indication could be that in 1993, Germany retreated from its involvement in Crypto AG because spying on its European partners didn't fell comfortable anymore. After this, the BND lost its ability to exploit the Crypto AG algorithms, but Sweden apparently not.

It's not clear whether the other Maximator members continued to benefit from the weaknesses in Crypto AG's hardware encryption devices, but if so, this knowledge became largely obsolete after the year 2000, when more and more target countries shifted to software-based encryption based on public standards. Crypto AG wasn't very useful anymore and so the CIA eventually sold the company in 2018.

Links & sources
- Crypto Museum: MAXIMATOR - European signals intelligence alliance
- Frankfurter Rundschau: Exklusiv-Recherche: BND spionierte jahrzehntelang am Parlament vorbei (July 2020)
- De Gelderlander: Het geheime afluistergenootschap van Maximator bleef vijftig jaar onder de radar (April 2020)
- Geheimdienst-Kooperation "Maximator": Die Five Eyes Europas? (April 2020)
- Argos: De afluistervrienden van Nederland (April 2020)
- Bart Jacobs: Maximator: European signals intelligence cooperation, from a Dutch perspective (April 2020)
- The Washington Post: ‘The intelligence coup of the century’ (February 2020)
- The Intercept: The powerful global spy alliance you never knew existed (March 2018)
- Waarom de Russen het Marineterrein in Amsterdam in de gaten hielden (January 2018)
- Cees Wiebes, "Dutch Sigint during the Cold War, 1945-94", in: Matthew M. Aid & Cees Wiebes, "Secrets of Signals Intelligence during the Cold War and Beyond", London, 2001, p. 276-277.

No comments: