During the COVID-19 Pandemic, due to the social distancing requirements recommended by public health officials, many businesses and government employees have had to work from home.
In order to maintain productivity, they’ve looked to various collaboration tools to conduct video and audio conferences, webinars and other communications to do business. Platforms like Zoom, Slack, Microsoft Teams and others have now crept into the American lexicon. However, some platforms have been revealed to have a number of security vulnerabilities, such as eavesdropping and theft of intellectual property by our adversaries.
This threat has become so pronounced that even the National Security Agency (NSA) has gotten into the act, with the recent release of guidelines for U.S. Government personnel on selecting and safely using collaboration services for telework.
These guidelines include:
- Does the service implement end-to-end encryption?
- Are strong, well-known, testable encryption standards used?
- Is multi-factor authentication (MFA) used to validate users’ identities?
- Can users see and control who connects to collaboration sessions?
- Do users have the ability to securely delete data from the service and its repositories as needed?
- Has the collaboration service’s source code been shared publicly (e.g. open source)?
- Has the service and/or app been reviewed or certified for use by a security-focused nationally recognized or government body?
- Is the service developed and/or hosted under the jurisdiction of a government with laws that could jeopardize USG official use?
Although the agency recommends that workers use services such as Defense Collaboration Services and Intelink Services, which were specifically designed for secure government communications, this is not an option for when government employees interact with external partners. As such, these personnel turn to communications platforms that may or may not be secure.
Let’s look at the current landscape, the security issues, how American companies have stepped up, and what the U.S. Government must do now to ensure security going forward.
Zoom — The University of Toronto’s Citizen Lab has found security flaws in the Zoom App and documented its ties to China. My big concern is that, according to TechNode,“its product development is largely based in China.” As such, this brings into play Chinese laws requiring encryption technology developed in China to be shared with the Chinese government.
The U.S. Department of Defense has now banned service members, contractors and civilians, from using Zoom in any official capacity. In an attempt to counter adverse publicity over security, Zoom just added former National Security Adviser, H.R. McMaster, to its Board. Hiring General McMaster, though, still won’t change the fact that it has 700 employees, data servers, product development and encryption keys in China.
Google Meet — This was just announced by Google and allows for voice and video communications. It’s basically a “re-branding” of “Google Hangouts Meet”
The service is free for now, but things start to change on Sept. 30, 2020.
It has a relatively simple browser-based encryption and doesn’t implement “end-to-end encryption” as recommended by the NSA guidelines.
Office @ Hand —This is an AT&T product that has been offered during the pandemic at no cost for 60 days to schools, healthcare providers and nonprofits.
BlueJeans — Verizon just announced the strategic acquisition of BlueJeans, a well-known Zoom competitor, in order to get into the game. Widely considered more secure than Zoom, joining isn’t free. BlueJeans was one of the platforms recommended for “the level of encryption of conversation” recently by global bank, Standard Chartered PLC to its employees.
Microsoft Teams — Released by the tech giant in 2017, it has picked up in use and popularity during the pandemic. There is one drawback. The NSA guidelines stress the need for open-source applications to ensure accountability and best practices.
The code for Microsoft Teams is not shared. But, the NSA did note providers Mattermost, Signal and Wickr do publicly share their source code.
HighSide — This is an example of less-established players entering the game, but who pride themselves on the security of their platforms. Formerly of the George W. Bush Institute, Amanda Schnetzer is the COO of Pointe Bello, a Texas-based strategic intelligence firm, who among other things monitor actions of U.S. adversaries like China.
She says, “We feel confident using HighSide from the perspective of business infrastructure and customer assurance particularly as the COVID-19 period has spiked the need for online collaboration and emphasized the mission-critical nature of doing so securely.”
The recent NSA guidelines are great,but should be viewed as pass/fail standards.
While most government personnel are still working from home amid the Coronavirus pandemic, the only way to ensure that platforms on which key data are shared and key decisions are made is to compare each platform side-by-side against the NSA guidelines.
If a given platform doesn’t comply with even one of the standards, Government employees should not be permitted to use it when conducting their business from home.
We are at cyber war, and have been for a long time.
The pandemic and its resulting hasty shift to teleworking has exacerbated cybersecurity issues within government agencies, as employees value ease-of-use over security when choosing their collaboration tool.
The NSA has taken a critical first step in identifying what a collaboration platform should guarantee for its government customers.
Only by enforcing the guidelines can we avoid the multitude of cyber security threats posed by insecure platforms currently in use by government employees.
Van Hipp is Chairman of American Defense International, Inc. He is the former Deputy Assistant Secretary of the U.S. Army and author of “The New Terrorism: How to Fight It and Defeat It.” He is the 2018 recipient of the Queen Elizabeth II September 11 Garden Leadership Award for National Security. Read Van Hipp’s Reports – More Here.
Posts by Van Hipp
- Does Remote Collaboration Exacerbate Foreign Eavesdropping?
- There Should Be Zero Distancing From Chloroquine Treatment
- View More Posts by Van Hipp