Finally, the government acknowledges the reality of encryption. Or the lack thereof. Encryption backdoor debate 'done and dusted,' former White House tech advisor says: When the FBI urges E2EE, you know it's serious business
It isn't often that you witness a bureaucracy admit that they were wrong, and while they haven't said that explicitly, they now are saying the opposite of what they were pleading with tech companies to do a few years ago.
In the wake of the Salt Typhoon hacks, which lawmakers and privacy advocates alike have called the worst telecoms breach in America's history, the US government agencies have reversed course on encryption.
After decades of advocating against using this type of secure messaging, "encryption is your friend," Jeff Greene, CISA's executive assistant director for cybersecurity, told journalists last month at a press briefing with a senior FBI official, who also advised us to use "responsibly managed encryption" for phone calls and text messages.
Just this week, CISA published formal guidance [PDF] on how to keep Chinese government spies off mobile devices.
The US government MANDATED backdoors be built into communications systems. They had to be able to listen to any conversation, and read any email. They believed they could keep the bad guys out. They were wrong.
"We know that bad guys can walk through the same doors that are supposedly built for the good guys," Virtru CEO and co-founder John Ackerly told The Register. "It's one thing to tap hardline wires or voice communication. It's yet another to open up the spigot to all digital communication."
You can read the the recommendations at CISA: Mobile Communications Best Practice Guidance. That is a PDF document, written by the government, but it is only five pages.
The Highlights:
- Use Signal or similar apps. The document actually calls out Signal.
- Don't use SMS for Multifactor Authentication. They recommend hardware keys such as those from Yubico.
- Use a Password Manager
Signal will also encrypt phone calls, not just text messages.
There are recommendations for both Apple and Android users. The big one, being don't use iMessage for communicating with Android phones... it reverts to SMS. (Apple refuses to play by the encryption rules. Use Signal!)
There is much more. It is 5 pages, but surprisingly readable for a document produced by a government bureaucracy, of which I've read my fair share, though they were usually measured in the 100s of pages. (The .gov is nothing if not verbose.)
CISA stands for Cybersecurity and Infrastructure Security Agency. It was apparently named by the Department of Redundancy Department. It has a logo straight out of the 1950s, which is odd given it was formed in 2007.
Whenever I see that logo I am reminded of Sky Captain and the World of Tomorrow
ReplyDelete