Why stigmatizing proactive information security is a dead end
Joel Wallenstrom
December 5, 2017

The ongoing Uber-Waymo hearings have ignited an interesting and very timely public debate over the use of Wickr and other private communications technologies in business settings. This conversation is and should be much larger than any one company. It raises very important questions about whether privacy – and by extension security – is acceptable at all in business settings, and, if so, how we manage it responsibly in today’s risk environment.
Why is there a need for private communications in the workplace at all?
No one is succeeding at protecting massive databases and sensitive corporate or national secrets with 100% certainty. Companies large and small are compromised almost daily and their communication is among the top targets for state and non-state hackers. Just yesterday, the DOJ indicted several Chinese nationals for coordinated cyber attacks in which “hackers monitored email correspondence of an unidentified Moody’s economist” and breached Siemens and others, targeting trade secrets.
The best teams in the industry have been losing to both sophisticated and immature attackers. It’s reasonable to see enterprises, governments, and individuals now turn to encryption and data minimization. In fact, the most progressive teams are leveraging data deletion as a means to boost companies’ resiliency via ephemeral infrastructure and ephemeral data storage initiatives.
Practical realities of communications technology use in the enterprise
Since 1991, PGP, the encryption protocol, has been used to protect sensitive communications and files. It provides effective encryption but is a tooth-pull to use. Wickr has picked up this usability challenge to build a suite of products that makes encryption easy and scalable. We started with Wickr Me, one of a handful of free products that provide powerful encryption to anyone with a smartphone.
Because of the ubiquity of personal devices in the workplace, free products including Wickr, Signal, WhatsApp and others have swept – unmanaged – into the enterprise. Nobody was giving large organizations the ability to responsibly deploy and manage private and encrypted apps. It was happening to them without any control or oversight.
Wickr saw a need to build a suite of tools that can be deployed and managed in accordance with information governance policies. With that, our customers have taken a proactive and responsible approach to using encryption and controlled ephemerality in the workplace. This anti-data hoarding approach is an effective component of modern information governance policy. If there is a duty to preserve data, then procedural or product changes allow for compliance.
And while the technology may be new, the general principle remains the same — every organization is responsible for developing appropriate policies for the tools and processes implemented within its professional environment. It applied to email and computers when they first came out; it applies now to telecommuting, storing encrypted corporate files on Box or Google Drive, and using social media on work devices.
When deciding how to use a product like Wickr, companies including their legal and security teams will inevitably consider whether blocking encrypted communications is a reasonable approach. They will come to the equally inevitable conclusion that this will also require blocking the use of personal communication devices. Luckily, the debate over Bring Your Own Device policies is old and tired, and mostly over. Just last week, in addressing the issue of digital privacy protections, Justice Sotomayor noted that cell phones have become an “appendage” for people in the modern era.
There is a binary question: will your organization reject privacy in the workplace completely, opting instead for permanent data retention and weakened encryption, or will it embrace privacy and security through technologies like Wickr?
If your answer is curtailing privacy, then you have to understand that all conversations and transferred data will be logged, searchable, accessible and transparent. There would be no ‘trade secrets’. Beyond not protecting intellectual property, all whistleblowing conversations, political communications, M&A discussions, board of directors’ meetings, employee HR conversations, fraud investigations, sales negotiations, incident response planning, attorney-client privileged conversations, competitive intelligence research – all electronic conversations would be stored and inadequately protected.
And when we consider not using strong encryption in today’s risk environment, we tend to focus on optics rather than taking an assertive and responsible approach to data security and information governance. The reality is that banning encrypted communications is impractical and largely unnecessary.
Stigmatizing privacy and security efforts amid ongoing information security crises is only going to make the task of protecting data a lot more complex. And complexity always leads to weaker defense. It will make privacy accessible only to those who are willing to take the risk of creating bad optics in protecting their systems, while making it less of a possibility for industries that are traditionally more cautious and often lag in security, such as legal, healthcare, education, and government.
Developing a responsible approach to secure ephemeral communications
Now is the time to determine the process for managing secure ephemeral communications in the enterprise in response to mounting security threats. It’s not easy. Nothing important ever is. But this is not a good time to shove our collective heads in the sand when it comes to information security and privacy. In our democracy, privacy is inevitable. We need to work within the construct of private communications rather than pursue destructive and unenforceable standards dictated by optics and convenience.
Rushed and uninformed answers to these questions may very well set a normative precedent that is unrealistic and damaging to everyone’s data protection efforts.
We developed Wickr tools in response to a very real need and to adversaries that are increasingly difficult to defend against. The anti-data hoarding approach and privacy are the only way forward, and that is the principle we stand for.