We know email can be hacked, but what could be next? (Shhhh it's voice)
If you are like most people, you are beginning to wonder if anyone has even a tenth of a clue about how to protect email. We all watched, for example, as reams of stolen political correspondence from a major email provider were posted each day leading up to the recent election, more than likely influencing the outcome.
And we all watched as another major email provider lost 500 million accounts to hackers who seemed to barely break a sweat in doing so. And, as if that’s not bad enough, the criminal underground put these swiped email goods up for sale at about a millionth of a cent per user account. Sadly, that’s just how trivial the bad guys think it has now become to break into our email. Criminal theft of email has officially become commoditized. The old Pony Express was safer.
Cyber security experts watch this craziness and correctly prescribe increased use of end-to-end application cryptography, as well as stronger forms of account authentication. They also tend to support, however, the growing, sad conviction that sensitive business communications should be relegated to face-to-face encounters, a chilling prospect from the perspective of information sharing and productive cooperation. But in addition to the growing risks these recent email breaches expose, security experts also understand that these incidents provide a frightening forewarning for another major class of business communication that is often taken for granted from a cyber security perspective: Voice.
Now, we all have rolled our eyes at the executive sitting next to us in coach, explaining loudly the precise basis for her client’s legal defense, or why some supplier needs to be fired, or why Sally in accounting needs to start working harder, and on and on. Since no technology will ever solve the problem of people being careless in proximity situations, security teams are forced to just optimize their awareness program. But many teams have also taken voice security for granted because the mobile carriers in the United States and many other countries have done such an excellent job improving their voice security infrastructure. Advances in encryption through UMTS/3G and LTE/4G mobile technology, for example, have reduced the risk of voice compromise in a significant manner. The Tier 1 carriers are to be strongly commended for such investments.
But under many sets of circumstances, mobile voice calls can still be downgraded to less protected networks. And there are still weaknesses in many common traditional voice standards. And executives travel. And they roam. And they log onto Wi-Fi. And they carry multiple devices, often from different carriers. And they rarely consider the implications that their voice communications, under just the wrong set of conditions, might actually be subject to theft by criminal or nation state actors. As a result, perhaps the most common form of business communications, namely voice, has not been properly subjected, in the majority of business situations, to strong, layered defenses using the best commercial security technologies.
This is a chilling prospect, because while modern business folks have learned to be at least somewhat selective about what they type, they generally speak with total abandon when their phone is pressed up to their ears. This is no different whether the executive is in Indiana or India. They tend to speak openly, and even irrationally, because speech is, after all, little more than someone thinking out loud. They tend to utter innocently conceived test phrases that might be inaccurate at best and slanderous or even illegal at worst. And the presumption is that the sound from their mouths just disappears into the ether, never to come back as evidence of any bad judgment or criminal intent. This is a bad presumption, and I’d be surprised if we all do not see voice communications starting to pop up in places like WikiLeaks. Take a moment and think about that possibility for your own voice communications, especially if you travel to unusual places.
As I explain in my recent 2017 TAG Cyber Security Annual, released in September, this problem of optimizing voice security used to be a tough problem to solve with technology. Not too long ago, over-the-top voice security solutions often required clumsy or expensive separate hardware, and usually required a team of dedicated experts just to keep the cryptographic keys straight. Voice quality over encrypted communications was often quite lacking, with simple conversations sounding like robots synthesizing speech from inside deep tunnels. As a result, very few companies outside the defense industry ever bothered to take steps to optimize encrypted voice, and a norm emerged where anyone in business or government, regardless of the sensitivity level of their work, became perfectly comfortable using fixed and mobile communications without thought to any additional layered encryption.
Well, now this has changed, and the improvements are dramatic. The deployment of software-based tools for application-level encryption on mobile communications, including texting, has become so much simpler and more effective that it seems irresponsible for any modern enterprise security team to ignore this available control. Companies such as Koolspan, for example, can now offer an integrated suite of over-the-top encryption controls for voice that will dramatically reduce the likelihood that your CEO’s recent conversations are leaked in a drip-by-drip manner on WikiLeaks or some other forum intended to embarrass. Combine these application controls with the amazing improvements in Tier 1 security infrastructure, and enterprise security teams can rest assured in the knowledge that they’ve taken every available step to make sure their voice communications are not the subject of the next segment on CNN.
Dr. Edward G. Amoroso is Chief Executive Officer of TAG Cyber LLC, a global cyber security advisory, training, consulting, and media services company supporting hundreds of major companies across the world. Ed recently retired from AT&T after thirty-one years of service, beginning in Unix security R&D at Bell Labs and culminating as Senior Vice President and Chief Security Officer of AT&T from 2004 to 2016.