US Government Signal Security Breach

The news that a journalist was mistakenly included in US government discussions about sensitive military operations, reminds us once again that consumer apps for instant messaging are not suitable for sensitive communications.

There’s more to security than end-to-end encryption

Mass adoption apps are simply not secure enough. They all offer end-to-end encryption, which protects message content in transit, but encryption does nothing about who is in the conversation in the first place, and that is the issue that led to this breach. As we have discussed many times before, there is much more to secure communication than encryption.

The particular danger of consumer apps is that there is no central management of users. Anyone can join, anyone can pretend to be whoever they want to be, and that is before we consider the implications of imposter-based attacks and AI-generated deepfakes that are now frighteningly realistic. Remember the incident last year when the then Foreign Secretary took a call from someone pretending to be former Ukrainian President Petro Poroshenko, with whom Mr Cameron had had multiple dealings, including face-to-face, during his tenure as Prime Minister. (Fortunately, when Mr Cameron smelt a rat he ended the conversation, with no sensitive information exchanged.)

For handling sensitive, higher assurance conversations and information, instant messaging apps need to be Secure by Design and Secure by Default. For example, crypto protocols such as identity-based encryption bind a user's keys to an identity issued and vouched for by the organisation's own key authority, so a message can only be read by the holder of that identity and an outsider cannot simply claim to be a colleague; this closes off the imposter-based attacks described above. Without built-in security features, and default settings that control users and data, instant messaging apps are prone to human error as well as deliberate misuse.

Central control of users

While the productivity benefits of using instant messaging are tempting, at higher assurance levels the risk of information being leaked or stolen is all too apparent, and clearly unacceptable.

An enterprise level communications platform provides robust security features including the central management of users, which is one of the biggest differentiators between a free-to-use consumer app and an enterprise product that is designed for purpose.

A truly secure communications platform offers a controlled environment in which all users are centrally managed and enrolled. Users join by invitation only, which they receive from an administrator. Once their device is enrolled, the user authenticates to the communications app, which can include a biometric check on the device. Only once securely provisioned, with a proven identity, can the user use the service. And when they leave the organisation, or if they or their device is compromised, their account can be remotely wiped, ensuring sensitive information is removed from the device and the account can no longer be used.

Ideally, users should be cryptographically segregated into groups, which can be based on division/department, location, project, or seniority/rank, and (by default) can only contact others within the same group. An administrator defines which groups can communicate with which other groups on an “as needed” basis.

Managing users by groups (or communities) ensures that there is clear segregation of community-related data. This enables organisations to maintain strong internal data segmentation where sensitive data is protected from accidental leakage to other parts of the organisation. Typically, the user has access to the minimum set of contacts and data, by default; this approach – the opposite of consumer apps – ensures that data and communication are controlled and managed appropriately.
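The controls described in the last three paragraphs (invitation-only enrolment, remote revocation, group segregation with an administrator-defined allow-list, and a default of "no contact") amount to a default-deny policy engine. The following is an added illustrative example written for this page; it is not Armour Comms' own code, and it enforces the segregation as policy checks rather than with real group keys. All user names, group names and the scenario in build_demo() are constructed for the example.

```python
"""Default-deny messaging policy for a centrally managed communications platform.

Added illustrative example, not Armour Comms' own code.  It models the controls
described above: invitation-only enrolment, segregation of users into groups
(here enforced as policy, not with real cryptographic keys), an administrator-
defined allow-list of which groups may contact which, and remote revocation of
a leaver or a compromised device.  All names and groups are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum, auto


class Status(Enum):
    INVITED = auto()   # invitation issued by an administrator; not yet usable
    ENROLLED = auto()  # device enrolled and identity proven; may use the service
    REVOKED = auto()   # left, or device compromised; account wiped and locked out


@dataclass
class User:
    name: str
    group: str
    status: Status = Status.INVITED


class Directory:
    """Central user directory: the only place accounts and group policy are created."""

    def __init__(self) -> None:
        self.users: dict[str, User] = {}
        # (from_group, to_group) pairs an administrator has opened "as needed".
        # Anything not listed, other than traffic inside one group, is denied.
        self.allowed: set[tuple[str, str]] = set()
        self.audit: list[str] = []

    # ---- administrator actions -------------------------------------------
    def invite(self, name: str, group: str) -> None:
        self.users[name] = User(name, group)
        self.audit.append(f"invite {name} into {group}")

    def allow(self, from_group: str, to_group: str) -> None:
        self.allowed.add((from_group, to_group))
        self.audit.append(f"allow {from_group} -> {to_group}")

    def revoke(self, name: str) -> None:
        # Remote wipe: the account is locked rather than deleted, so a later
        # enrolment attempt under the same name is also refused.
        self.users[name].status = Status.REVOKED
        self.audit.append(f"revoke {name}")

    # ---- user actions ----------------------------------------------------
    def enrol(self, name: str) -> bool:
        """Enrol a device.  Only an invited, never-revoked user can complete this."""
        user = self.users.get(name)
        if user is None or user.status is not Status.INVITED:
            self.audit.append(f"enrol {name}: refused")
            return False
        user.status = Status.ENROLLED
        self.audit.append(f"enrol {name}: ok")
        return True

    # ---- policy decision -------------------------------------------------
    def decide(self, sender: str, recipient: str) -> tuple[bool, str]:
        """Return (allowed, reason).  Default is deny; every allow is explicit."""
        s, r = self.users.get(sender), self.users.get(recipient)
        if s is None or r is None:
            return False, "unknown principal"
        if s.status is not Status.ENROLLED or r.status is not Status.ENROLLED:
            return False, "principal not enrolled"
        if s.group == r.group:
            return True, "same group"
        if (s.group, r.group) in self.allowed:
            return True, f"admin allowed {s.group} -> {r.group}"
        return False, "no policy permits cross-group contact"

    def contacts(self, name: str) -> list[str]:
        """What the user's contact list shows: only reachable, enrolled users."""
        return sorted(
            other for other in self.users
            if other != name and self.decide(name, other)[0]
        )


def build_demo() -> Directory:
    """Constructed scenario: two groups, one opened in one direction only."""
    d = Directory()
    d.invite("alice", "ops")
    d.invite("bob", "ops")
    d.invite("carol", "legal")
    for n in ("alice", "bob", "carol"):
        d.enrol(n)
    d.allow("legal", "ops")   # legal may reach ops; ops may not initiate to legal
    return d


if __name__ == "__main__":
    d = build_demo()
    print(d.contacts("alice"))          # ['bob']
    print(d.decide("carol", "alice"))   # (True, 'admin allowed legal -> ops')
    print(d.decide("alice", "carol"))   # (False, 'no policy permits cross-group contact')
    print(d.enrol("mallory"))           # False: never invited, cannot self-enrol
    d.revoke("bob")
    print(d.contacts("alice"))          # []
    print(d.enrol("bob"))               # False: revoked accounts stay locked
```

The point of the example is the shape of decide(): an uninvited outsider such as "mallory" never appears in anyone's contact list, cross-group contact exists only where an administrator has opened it, and revocation takes effect on the next policy check rather than relying on the leaver's device to behave. A consumer app has no equivalent of this directory, which is why a wrong number in a group can end up with an outsider in the conversation.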

NCSC provides plenty of guidance

More food for thought.  The National Cyber Security Centre (NCSC) has published 7 Principles of Secure Communication, which are:

      •  Protect data in transit
      •  Protect network nodes with access to sensitive data
      •  Protect user access to the service
      •  Ensure secure audit of communications is provided
      •  Allow administrators to securely manage users and systems
      •  Use metadata only for its necessary purpose
      •  Assess supply chain for trust and resilience

Consumer apps meet two or three of these at best. Dedicated, Secure by Design communications platforms that meet all seven principles have been available for years… so why are organisations still exchanging sensitive data over consumer messaging apps?

UK leading the way

Thankfully there are some within the UK Government and defence organisations that are making real headway in securing their communications. However, the rate of adoption needs to be faster and broader if we, in the UK, are to show leadership in this field, and so avoid an embarrassment and breach of national security like the one the US has just suffered.

In a hyper-connected world, it is still, frequently, human error that creates vulnerabilities… make sure it’s not you!

For more details about what you should be looking for when Securing Communications Channels download our Buyer’s Guide.

Armour Comms