ra2 studio - Fotolia
The problem with ‘secure’ messaging
Secure instant messaging is becoming a norm for business communications but it raises three important security and compliance questions
From the shocking scoop of Matt Hancock’s Whatsapp messages to Boris’ reticence to share his messages, the use of secure messaging has become a hot topic. Although it may seem like a new trend, the recent stream of government-centred controversies are far from the first we’ve seen, nor are they the most costly. Last year alone, US financial institutions were fined almost two billion dollars for communicating over messaging services like WhatsApp.
Instant messaging is now a preferred means of communication, it is convenient, easily digestible and seen as secure. Whether we like it or not, the simple truth is that messaging is here to stay. We must accept this and work to update the way we view and manage messaging so as to ensure security and regulatory compliance.
As a former computer auditor for major financial institutions, turned cybersecurity expert, who now runs a company that provides secure messaging services, I can say from experience that there are three issues which businesses and governments are failing to take action on. The first I call the compliance problem, the second is the metadata problem and the third is the quantum problem. Unless we can address all three issues, we are sleepwalking into an oblivion of our own making.
1. The Compliance Problem
As I previously mentioned, late last year major financial institutions in the US were fined almost two billion dollars for failing to prevent their employees from using non-compliant messaging services. Furthermore, there has been significant public debate over the so-called ‘government by WhatsApp’ over the pandemic in the UK.
Historically, communications in finance and government were meticulously recorded and took place through official channels which had official norms. This is because, in the case of both of these areas, significant oversight is required in order to ward off malpractice and provide accountability. Many secure messaging services prevent the monitoring of communications, which is key to providing this essential compliance.
This is because with many secure messaging services the central institutions (e.g., watchdogs, governments, etc.) have no control over the messages and whether they are deleted. It also prevents regulators from accessing them in some cases. This is why banking regulators are coming down so hard when institutions use tools without an audit trail.
Fines and controversy can easily be avoided by implementing a secure chat solution without weakening any encryption, but also one that permits access to regulators in the event an investigation is required.
2. The Metadata Problem
On average, financial institutions and governments take data security incredibly seriously. As a norm VPNs are required to access data and messaging services are centrally controlled and very secure. In finance in particular, even small data leaks can have huge implications in terms of financial and reputational losses.
For instance, imagine if metadata were obtained which showed that a CEO from a major company was messaging a CEO from another major company. Even if the content of the messages could not be seen, it may lead to inferences that an acquisition could soon take place. The speculation could have a huge impact on markets.
Many users of generic messaging platforms do not realise that this metadata can be accessed, compiled, analysed and sold on. Secure messaging providers can often access metadata like this even if end-to-end encryption prevents them from seeing the content of the message itself. Therefore, the use of these third-party messaging services can risk this metadata falling into the wrong hands and exposing all manner of sensitivities.
That’s why security and privacy sensitive industries need their own proprietary messaging services, where they control the infrastructure as well as encryption and the metadata insights that are inevitably emitted.
3. The Quantum Problem
When a sufficiently large quantum computer is developed it will be able to access almost all encrypted data. While this may still be a few years off, encrypted data can be harvested now so that it can be decrypted later when a large enough quantum computer is developed.
Governments and major financial institutions routinely handle data which will remain sensitive for decades. This data is vulnerable to ‘Harvest Now, Decrypt Later’ attacks even if it is sent over messaging services like WhatsApp that rely only on today’s encryption algorithms. To be truly secure today, a messaging service needs to encrypt against both classical and quantum attacks. The latest US legislation makes this point abundantly clear by mandating federal agencies transition to post-quantum encryption.
So, what should we do?
Now that messaging is such a core part of how we communicate, we need to start a dialogue on how to do it right. At a bare minimum, we must implement solutions which are regulatorily compliant and are secure from metadata mining and quantum attack.
Organisations have long understood these principles as they relate to general networking but now is the time to apply those same tried and tested principles to how we chat.
