Blackberrys Discouraged By French Government

The French Security Service is reported to have advised Government officials working in sensitive offices not to use Blackberry devices because they use overseas servers, opening up an espionage risk. An alternative solution has been offered but it does not appear to work quite as well. Some officials are reported to have reverted to clandestine use of their Blackberrys. RIM claim that their encryption system is strong, but they miss the point. It's about the sourcing of products and services, rather than security features. If you don't control the sourcing, those products and services can be compromised.

There's nothing new here of course. I know a few UK CISOs who initially resisted the introduction of Blackberrys because they could not get the assurances they required from RIM. In a perfect world we'd fully control the manufacture, supply and maintenance of all items that might carry sensitive data. But that's not practical. So what can one do? Ban the use of new foreign technology and services? Accept the possibility that foreign powers are listening in? Seek written assurances? Or try to manage the risks? The latter option is interesting because it opens up the thinking that the benefits of new technology might perhaps outweigh the potential damage from eavesdropping. And how many of our communications are really sensitive? Can they be secured on an exception basis? Or can we develop add-on solutions to secure off-the-shelf products and services?

The future technology market is a highly consumerised one, based on products manufactured in China and IT services that are increasingly off-shored. New thinking is required to manage the increased risks of espionage and fraud, because imposing a blanket ban on the latest executive toy is unlikely to be welcomed by your senior users.

Comments (2)

Duncan:

I'm grappling with the security issues of national sovereignty at the moment. The only way I can manage the situation is by ensuring that information assets are classified and the relevant business impacts (from disclosure, modification or loss of availability of the information) are clearly defined, understood and communicated to the decision makers. There's still residual risk involved... but managing the risk is what the job is about.

Duncan:

A very good, and tongue in cheek, editorial piece from Saturday's London Financial Times:

Blackberry Fools
http://www.ft.com/cms/s/c1a09606-20fd-11dc-8d50-000b5df10621.html

or

http://preview.tinyurl.com/2xnswl

About

This page contains a single entry from the blog posted on June 20, 2007 10:55 PM.
