Security Through Obscurity
by Ed Sawicki May 15, 2003 (updated December 2019)
The 1986 bombing of Libya by the United States teaches an important lesson about Security Through Obscurity. The U.S. raid was in response to the bombing of the La Belle discotheque in West Berlin that targeted and killed two U.S. soldiers. The U.S. National Security Agency (NSA) learned that Libya was responsible for the bombing by eavesdropping on the encrypted radio communications between Tripoli and the Libyan embassy in West Berlin. President Ronald Regan had the proof he needed to order the attack.
The Libyans didn't know that Crypto AG, the Swiss firm they purchased encryption equipment from, had links to the German and U.S. intelligence organizations — the Bundesnachrichtendienst (BND) and the National Security Agency (NSA). Crypto AG embedded the decryption key in the cipher text allowing the BND and NSA to monitor the encrypted communication in real-time.
The Libyans learned the lesson of Security through Obscurity the hard way. They thought their communications channels were secure because the encryption equipment came from a manufacturer - and that manufacturer was in a neutral country. However, the algorithms and ciphers in these black boxes were never subjected to public review. Independent cryptographers were not able to verify that communications were secure.
Libya was not the only country that made poor decisions when purchasing crypto equipment. Iran was also using Crypro AG equipment and discovered that their diplomatic communications were being monitored by Western powers because of statements made by Reagan. Iran arrested the local Crypto AG salesman and released him when the company paid a one-million dollar ransom.
Far better security can be achieved using open source software that has already been scrutinized by an army of cryptographers. Anyone who believes that open source cryptographic software is less secure because the code is open to examination by anyone is seriously mistaken - as were the Libyans and Iranians.
Sources
NSA, Crypto AG, and the Iraq-Iran Conflict
Wikipedia West Berlin discotheque bombing
Wikipedia 1986 United States bombing of Libya
Wikipedia Crypto AG
Wikipedia C-52 (cipher machine)