A recent Military Times article reported on the use of encrypted messaging apps, including WickrMe and Signal, on government cell phones. The article cites the government’s transparency concerns about encrypted communications. Unfortunately, encryption services are often misunderstood, and the Military Times article only scratches the surface of the most common misconceptions. This post aims to clarify many of them.
Seeking Safety in Zero Trust Products
The 82nd Airborne is not the only organization that has turned to consumer products for better security. Everyone, public and private, is scrambling to fill security gaps in their communication and collaboration strategies. Enterprise tools like Microsoft Teams and Slack were not built on a zero trust model: the provider can read what passes through them. Zoom does much of its development in China, and WeChat is a Chinese product. These are not bad product decisions by Microsoft, Slack, Zoom, or WeChat. Microsoft and Slack build their services around server-side access to customer data and never promised otherwise. Zoom and WeChat optimize for growth and ease of use. Being secure is not their business.
Discerning users were left to find a solution that worked for them and was secure. The most secure products are built for zero trust, by which this post means that the service provider never holds the keys and so never has access to customer data or communications (a narrower sense than the network-access meaning of “zero trust”). With no plaintext and no keys on the server, an attacker who compromises the provider gets nothing usable, and the provider itself cannot mine the data or generate revenue from customer information.
Security-conscious organizations have been forced to adopt consumer products such as Signal and WhatsApp as a stopgap. This is the very definition of shadow IT: fast and free solutions adopted because there is no comparable corporate solution.
Safety Concerns with Consumer Grade Messaging
Consumer products have been adopted inside large organizations because, in one important respect, they are more secure than legacy software from the likes of Microsoft, Google, Slack, IBM, BlackBerry, and others: they encrypt end to end, so the provider cannot read the content. The result is huge amounts of data and IP leaking outside the control of IT organizations and onto consumer products.
A significant amount of this sensitive data has found its way onto WhatsApp. However, WhatsApp is not built for serious security and privacy. It is built to be fun, and fun can be dangerous.
For example, WhatsApp by default downloads media, including video, to the phone automatically. That is what reportedly happened to Jeff Bezos: a malicious video file delivered over WhatsApp led to the compromise of his phone. With the app in its default configuration, the only reliable way to avoid the attack would have been not to use WhatsApp on that device. Yet experts had assured Mr. Bezos that WhatsApp was a more secure option than email and SMS, and it was reasonable for a CEO to follow that advice. The unfortunate result was that the contents of his phone were accessed by corporate and personal adversaries. That could include sensitive photos, pictures of whiteboard notes from an Amazon strategy session, or any number of compromising situations.
To be clear, these are not bad product decisions by WhatsApp and Facebook! WhatsApp and Facebook are in the business of engineering products that are fun and sell advertising. They are NOT in the business of protecting national security or corporate intellectual property.
However, because of its scale and its lack of security focus, WhatsApp presents the greatest exposure for sensitive communications and data. Troops, elected officials, or corporate executives using fun consumer products like WhatsApp are exposing the content of their phones to targeted attacks that arrive as ordinary-looking media.
Moving from Shadow IT to Enterprise Software
The Military Times article is correct that consumer products raise concerns around compliance and control. Enterprise-level security and compliance require controls (retention, user management, centrally enforced policy) that consumer applications do not provide. In fact, that is the very definition of what separates consumer and enterprise products!
We at Wickr are flattered that our consumer product, WickrMe, is recommended by DoD leadership. Our protocol has been public since 2016 and independently tested, and we are confident that WickrMe protects data and communications better than other consumer products when used downrange on hostile networks. That said, there can be transparency concerns with encrypted consumer messaging apps. This is precisely why Wickr has an enterprise product, WickrPro.
WickrPro provides zero trust communications plus the ability to manage users so that data is protected in line with regulations. The constant is that the same technology guarantees there is nothing to attack on the server side: the provider holds no keys, so a compromised or coerced server cannot read message content. As with the consumer products, the server cannot insert itself as a man in the middle without substituting keys, and because keys live only on the endpoints, such a substitution is detectable when users verify each other’s keys.
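To make the model described above concrete, here is an added toy implementation written for this page. It is not Wickr’s code or protocol (Wickr publishes its own protocol separately) and assumes its own building blocks: two endpoints generate keys locally, agree a session key with Diffie-Hellman over the RFC 3526 group 14 prime, and exchange messages through a relay that stores only public keys and ciphertext; an HMAC-SHA256 counter-mode cipher with an encrypt-then-MAC tag stands in for a real AEAD, and the sample message is constructed. It also shows the caveat behind the man-in-the-middle claim: an operator that swaps its own key into the directory can read the message unless the endpoints compare key fingerprints out of band.

```python
"""Toy end-to-end encrypted relay: what a key-less provider can and cannot do.
Added for this page, not Wickr's code or protocol. Assumed building blocks: Diffie-Hellman
over the RFC 3526 group 14 prime and an HMAC-SHA256 counter-mode cipher with an
encrypt-then-MAC tag. Standard library only; real software should use a vetted AEAD."""
import hashlib
import hmac
import secrets

# RFC 3526 group 14 (2048-bit MODP) prime, generator 2. check_group() verifies it.
P = int("".join("""
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
""".split()), 16)
G = 2

def is_probable_prime(n, rounds=12):
    """Miller-Rabin, enough to catch a mistyped or tampered group parameter."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def check_group():
    """Endpoint-side check: P must be a safe prime before it is used for DH."""
    return is_probable_prime(P) and is_probable_prime((P - 1) // 2)

def fingerprint_of(pub):
    """Short key hash that users compare out of band (in person or by voice)."""
    return hashlib.sha256(pub.to_bytes(256, "big")).hexdigest()[:16]

class Device:
    """An endpoint. The private key is generated here and never leaves."""
    def __init__(self):
        self.priv = secrets.randbelow(P - 3) + 2
        self.pub = pow(G, self.priv, P)
    def session_key(self, peer_pub):
        return hashlib.sha256(pow(peer_pub, self.priv, P).to_bytes(256, "big")).digest()

def _keystream(key, nonce, n):
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1)]
    return b"".join(blocks)[:n]

def encrypt(key, plaintext):
    enc_key, mac_key = (hmac.new(key, lbl, hashlib.sha256).digest() for lbl in (b"enc", b"mac"))
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    enc_key, mac_key = (hmac.new(key, lbl, hashlib.sha256).digest() for lbl in (b"enc", b"mac"))
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("message failed authentication")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))

class RelayServer:
    """The provider: a public-key directory and ciphertext mailboxes, no private keys."""
    def __init__(self):
        self.directory, self.mailbox = {}, {}

def honest_exchange(message=b"constructed sample: move to checkpoint 3 at 0600"):
    """Returns (plaintext Bob recovers, whether the server could read it, fingerprint check)."""
    alice, bob, server = Device(), Device(), RelayServer()
    server.directory.update(alice=alice.pub, bob=bob.pub)
    verified = fingerprint_of(server.directory["bob"]) == fingerprint_of(bob.pub)  # out of band
    server.mailbox["bob"] = encrypt(alice.session_key(server.directory["bob"]), message)
    server_could_read = message in server.mailbox["bob"]  # ciphertext only, no key material
    recovered = decrypt(bob.session_key(server.directory["alice"]), server.mailbox["bob"])
    return recovered, server_could_read, verified

def key_substitution(message=b"constructed sample: move to checkpoint 3 at 0600"):
    """A malicious operator swaps in its own key for Bob. Returns (check_passed, leaked)."""
    alice, bob, operator, server = Device(), Device(), Device(), RelayServer()
    server.directory.update(alice=alice.pub, bob=operator.pub)  # the substitution
    check_passed = fingerprint_of(server.directory["bob"]) == fingerprint_of(bob.pub)
    # If Alice sends without that check, the operator holds the matching private key.
    blob = encrypt(alice.session_key(server.directory["bob"]), message)
    leaked = decrypt(operator.session_key(alice.pub), blob) == message
    return check_passed, leaked
```

check_group() verifies the group parameters before they are trusted. honest_exchange() returns Bob’s recovered plaintext, False for the server’s ability to read it, and True for the fingerprint check; key_substitution() returns False for the check and True for the leak. That pair is the whole point: end-to-end encryption takes the provider out of the trust boundary only if the endpoints authenticate each other’s keys.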
Policy Compliance + E2E Encryption
There is no single policy that governs use across all cases. Consumer products like WickrMe and Signal offer message expiration and deletion, and a correctly configured app can satisfy public records policy. The end user, however, is trusted to configure and enforce deletion in line with the standards of their organization, project, or mission.
WickrPro (SaaS) and WickrENT (self-hosted enterprise), on the other hand, are enterprise products that are deployed and managed so that all information retention and security configuration policies are enforced centrally. They use the same cryptography as WickrMe to protect data and communications while also ensuring that electronic communications or text messages that must be retained as part of the public record are securely retained. Or, in the words of a customer: “It is rare to see such a great combination where we can protect our field agents and officers with the level of security you provide ― without sacrificing the capability for appropriate records management and retention, which we take very seriously.”
In addition, Wickr has been granted several Authorities to Operate (ATOs) because it can be configured in compliance with DoD policies.
Security Testing and Transparency
Since 2016, when we opened our protocol to public review, Wickr has invested in security and cryptographic testing as heavily as anyone in the industry. Our third-party security testing program is among the most comprehensive anywhere, our transparent Security Promise Process is unique to the industry, and we run an aggressive security bug bounty program.
This is why WickrPro is, to our knowledge, the only zero trust enterprise solution with multiple DoD ATOs and FIPS compliance.
Zero Trust Is Growing Up
The consumer products above were a logical first step. When it became possible to build zero trust communications, WhatsApp, WickrMe, and Signal emerged. They were the “Napsters” of end-to-end encrypted messaging, yet they are more secure than traditional tools. Not every soldier has a DISA-issued government phone, so WickrMe fills a critical secure communications gap between government and personal phones. Because WickrMe is built on a zero trust model, it can be run over the Roshan network, one of the most popular and reliable networks in Afghanistan and one whose infrastructure and operators are outside US control, without fear of message interception. Not even Wickr can read the messages: the keys exist only on the endpoints.
But taking this powerful technology and building real enterprise controls and deployment capabilities on top of it is hard. It requires real customer service, SLAs, certifications, and so on. This is simply a technology growing up, and Wickr took on the challenge of maturing it.
The combination of zero trust security, policy enforcement, and total compliance will change the way large organizations defend and control sensitive data and communications.