Nato’s tiny ally, Luxembourg, stands accused of long-standing security failures, as the West continues an unprecedented crackdown on Russian espionage in Europe.
It wouldn’t be the first time if the Grand Duchy looked like a weak link in EU and Nato intelligence-sharing.
In a case at the end of the Cold War that made international headlines, Luxembourg’s ambassador to Nato, Guy De Muyser, was stripped of his security clearance when America’s Central Intelligence Agency (CIA) was informed by a Russian defector that he was leaking Western secrets to the Soviet Union.
But De Muyser, who is now 97, remained Luxembourg’s ambassador to Belgium and retired with a string of medals, including France’s Légion d’honneur.
“I was good friends with him,” recalls Jamie Shea, a retired British Nato official, speaking to EUobserver.
And Shea’s recollections made Luxembourg’s intelligence service, the Service de renseignement de l’État (SRE), look silly.
“He [De Muyser] was dismissed [from his Nato post] because of multiple undisclosed trips to Moscow. It was the CIA that tipped off the Luxembourg intelligence about these trips,” Shea said.
“They [the SRE] didn’t seem to know themselves,” he said.
That was back in 1990, but according to some SRE insiders, the Grand Duchy is still letting down Western allies by not doing proper vetting of officials before giving them clearance to handle classified EU and Nato files.
And two recent career moves by elite Luxembourgish officials posed the question if they were the right men for the job.
Luxembourg’s former ambassador to Russia, Jean-Claude Knebeler, left to work for the Kremlin-owned Gazprombank in 2020.
Luxembourg’s former defence minister, Etienne Schneider, also took a job in 2020 with Russian investment firm Sistema, which is now under US sanctions over Kremlin ties.
Knebeler and Schneider haven’t been accused of leaking anything.
Gazprombank and Sistema didn’t reply when EUobserver tried to reach them via their employers.
Meanwhile, Nato has five types of security classification: RESTRICTED, CONFIDENTIAL, SECRET, COSMIC TOP SECRET, and COSMIC TOP SECRET ATOMAL.
COSMIC stands for “Control of Secret Material in an International Command”. ATOMAL is whatever nuclear weapons information the UK and US shares with Nato.
And both Knebeler and Schneider would have had SRE clearance to handle SECRET-level documents in their pre-Kremlin jobs.
Luxembourg declined to say when their security clearances were revoked.
But whether they did anything wrong or not, the optics alone were bad enough to damage trust among Nato friends.
“It’s a known modus operandi of Russian special services to use state firms to corrupt Western officials,” said a Western intelligence contact, speaking on the condition of anonymity.
“What’s the difference how they [Knebeler and Schneider] share their knowledge? I’d do it orally — that way there’s no trace of what was mentioned,” the contact said.
The Luxembourg problem first arose in 2016, when government reforms saw the its national vetting agency lose access to police records, making it impossible to see if candidates met legal criteria.
The SRE’s internal trade union wrote to Nato HQ in Brussels in 2018 to warn them, in correspondence later made public by Luxembourg’s parliament.
Nato replied saying Luxembourg had to meet “minimum standards ” enshrined in EU accords, such as the the 1997 Agreement of the Parties of the North Atlantic Treaty for the Security of Information.
“The actions taken [by Luxembourg] do not support the spirit of the policy”, a Nato official said.
Nato’s Office of Security (NOS) conducted an inspection in Luxembourg in 2019.
But the Nato official also noted that vetting was part of “national prerogatives that fall outside of the remit of the NOS”.
And some four years later — on 3 June 2022 — nothing had changed, when the SRE trade union wrote to Latvia’s intelligence service, the Constitution Protection Bureau (SAB), to say Luxembourg was still dropping the ball.
The SRE reacted by giving a “dishonourable discharge” to the trade union chief, Philippe Schaack, on grounds he had leaked its secrets to an unauthorised party (SAB).
“My only objective was to fix long-standing and officially acknowledged shortcomings in the national vetting procedures,” Schaack, who is fighting the decision in a Luxembourg tribunal, told EUobserver.
“As a fellow Nato ally, Latvia can hardly be seen as an unauthorised party with respect to common Nato security procedures,” he added.
“It was easier to make them [the SRE trade union] shut up by trying to discredit them than to fix the problem, which has persisted for seven years now and counting”, a Belgian intelligence contact told EUobserver.
The SRE and Luxembourg have a chequered record aside from any De Muyser-type scenarios.
Luxembourg is a financial centre with a reputation for Russian money-laundering, as exposed in the 2014 LuxLeaks scandal.
Its SRE has just 80 or so staff, according to a database leak reported in 2020.
Luxembourg’s ex-prime minister and ex-European Commission president Jean-Claude Juncker resigned in 2013 in an imbroglio involving SRE illegal wire-tapping and corrupt pay-offs.
And the SRE’s former chief of operations, Frank Schneider, is currently an international fugitive, after snapping off his ankle bracelet while under house arrest in France in June, pending extradition to the US for his alleged role in a $4bn [€3.68bn] crypto-currency Ponzi scheme.
The Grand Duchy declined to comment on vetting, on the Gazprombank and Sistema cases, or the Ponzi affair.
“The problems that have arisen from the conduct of the SREL, the SRE’s predecessor, have been fully addressed in 2016 when a clear, detailed legal framework, appropriate comprehensive procedures and supervision mechanisms were put in place,” the office of Luxembourg prime minister Xavier Bettel told EUobserver.
“The SRE is a respected member of the international security community and thus actively participates in the related intelligence-sharing fora”, they added.
Nato declined to comment.
But the NOS conducted a Luxembourg inspection in 2019 and gave it a broad all-clear, Nato sources told EUobserver.
Some experts said it was hard to believe the NOS would turn a blind eye if the SRE trade-union was right.
Edward Arnold, a security specialist at the Royal United Services Institute (RUSI) think-tank in London, was a British military officer serving at Nato in Belgium when Russia first invaded Ukraine in 2014.
“Nato definitely cares about this stuff [proper vetting and counter-intelligence], even if it’s not resourced at the level that you’d like”, he said.
The Luxembourg problem looked like a “molehill” rather than a “mountain”, a senior EU official added.
But two Western intelligence contacts painted a different picture.
“It seems like Nato doesn’t really care about the security of its SECRET files, only from COSMIC TOP SECRET and ATOMAL CTSA — that’s huge, it’s reckless,” one of the sources said.
“This isn’t just a Luxembourg cock-up — it’s a Nato cock-up,” he added.
The second contact said: “Russian special services exploit the fact that international structures, like the EU and Nato, are fundamentally dysfunctional when it comes to countering intelligence threats.”
“They only seem to take action in major cases, usually for PR reasons,” they added.
And the Luxembourg alert is not the first one of its kind.
The Club de Berne, a Western intelligence-sharing club outside EU or Nato institutions, highlighted security failures in Vienna in 2019 in a report leaked to Austrian newspaper Expressen.
Belgium is the current presidency of the Club de Berne and is also partly responsible for EU and Nato security as their HQs’ host state.
Its intelligence service, the VSSE, is well aware of Luxembourg’s alleged shortcomings.
But it said: “The VSSE would like to stress that our service retains full confidence in the SRE”.
It also voiced “full confidence” in Austria’s intelligence services.
“The VSSE as a [Club de Berne] president has no authority on the functioning of individual services, who solely report to their national hierarchies,” it added, even though its club did use its soft power to press for Austrian improvements.
Latvia, whom the Luxembourg trade union warned, didn’t defend the SRE, however.
“It is not our duty and responsibility to evaluate the work of other services and express opinions”, the SAB told EUobserver.
“For sure, sure security vetting of personnel with regard to Nato trust and intelligence-sharing is highly important,” it added.
“A working and trusting relationship in the sphere of intelligence gathering and sharing is a critical part of successful actions against crime and international terrorism,” the Austrian internal ministry also said, after conducting internal reforms under Club-de-Berne pressure.
The alleged Luxembourg vetting problem comes amid an unprecedented Western crackdown on Russian espionage in Europe.
The SRE wrote to Latvia in 2022 — just four months after Nato states began expelling hundreds of Russian diplomats on grounds they were spies working under cover.
Luxembourg’s neighbour, Belgium, expelled 40 Russians — almost half of all the Russian diplomats in the country — in the largest counter-espionage clear-out in its history.
Brussels used to be the “spy capital” of Europe, according to former VSSE chief Alan Winants.
The Russian acting-ambassador to the EU, Kirill Logvinov, is still in place, even through the VSSE warned the EU foreign service last year that he works for Russia’s foreign-intelligence service, the SVR.
“Belgium has taken this action in an effort to reduce the risk of Russian spying on and from its territory. However, the VSSE is aware this does not stop such activities,” the VSSE told EUobserver.
“The VSSE will continue to monitor the situation and advise its political authorities on the course of action to take,” the Club-de-Berne presidency holder and EU and Nato security provider said.
Brussels will, this week, become a “spy capital” in a different way when Nato’s Civilian Intelligence Committee and Military Intelligence Committee meet at Nato HQ.
The twice-yearly event brings together 75 intelligence-service directors from Nato’s 30 member states to discuss information-sharing.
But if that type of event makes Brussels a target for hostile foreign powers, then nearby Luxembourg is also at risk.
Luxembourg is a short drive from the Belgium, France, Germany, and the Netherlands, all of which are in Europe’s free-movement ‘Schengen Zone’, which means no border controls.
“A Russian operative based in Luxembourg could easily drive across the border to meet his contact or handler and be back before anyone knows he’s gone,” a third Western intelligence source said.
But Luxembourg expelled just one Russian diplomat in 2022 — Dmitry Alexandrovich Solomasov, a 35-year old “cipher clerk” at the Russian embassy, who was suspected of being an officer in Russia’s SVR foreign intelligence agency, according to EUobserver’s sources.
That still left eight Russian diplomats in place, Luxembourg’s foreign ministry said, as well as 11 other Russian officials and spouses named in Luxembourg’s book of “corps diplomatique” in October 2023.
Luxembourg declined to confirm or deny if Solomasov was the Russian it expelled.
Its muted response was down to fears that Russia would shut down Luxembourg’s embassy in Moscow if it went too far, a Luxembourgish source told EUobserver.
Recalling the Cold War-era De Muyser case, Shea, the retired Nato official, said: “This was long ago and I can’t say if it points to endemic problems in Luxembourg intelligence services”.
But for some of the Grand Duchy’s larger Western friends, the Solomasov case also showed that Luxembourg still isn’t taking the Russian threat seriously.
“He [Solomasov] was a cipher clerk, which is kind of funny, because it means the SRE didn’t want to exclude any active Russian field officers. It means that the SRE’s counterintelligence unit is doing little to fight Russian spy activity,” one of the Western intelligence contacts said.