The DNC email leak in 2016 revealed just how insecure email communications can be. It should be no surprise that government officials have been turning to other, more secure mediums, to communicate. White House staffers have reportedly used the encryption app Confide to communicate, French president Macron’s inner circle has relied onTelegram, and former Australia Prime Minister Malcom Turnbull turned to Wickr and Whatsapp. But as government messaging solutions go, such tools are limited, and in most cases not as secure as one might think. They may offer encryption but they fail to secure messages on devices and don’t address critical compliance issues related to government communication.
Comprehensive Government Messaging Solutions Require More than Just Encryption
It should be simple—using an end-to-end encryption app should ensure that your messages are secure, right? But while the messages areprotected from the time the user presses send and is in transit, once it’s on the recipient’s device that’s a whole different story.
Encryption can’t protect you from certain human behaviors. One of the recipients in a conversation may choose to share sensitive messages with others via screenshots, cut and paste or simply by forwarding information that you never intended to go outside your circle of original recipients. In addition, someone may save the conversation for an indefinite amount of time, increasing the risk that it will be shown—either by purpose or inadvertently—to a third party – or breached. And then there’s the issue of how data is backed up. As an example, Whatsapp has cloud back up enabled by default, risking exposure of decrypted messaging. And if you have multiple devices that sync chats, the risk of sensitive conversations being exposed increases X fold.
Again – it ‘should’ be simple but it isn’t always straight forward.
Recent news attests to these risks. During their ongoing investigation, the FBI obtained Whatsapp messages sent by Paul Manafort. In another investigation, the FBI was able to obtain messages sent over Signal by White House staff and a New York Times reporter. While these are examples where people were using encrypted messaging for questionable purposes it points to a larger problem. Anyone who uses these platforms face the same risks—their conversations could be accessed by a third party.
Think Beyond Encryption
When it comes to government messaging solutions, government officials need to think beyond encryption. Government officials frequently need to communicate critical sensitive information—and it’s imperative that such conversations are not seized by or leaked to third parties with bad intentions. For these reasons, safety mechanisms need to be in place once messages reach the recipient. This means that a secure, ephemeral communication platform that ensures that messages cannot be screenshotted, forwarded, printed or saved to the device must be in place.
The problem with such features, however, is that they can be at odds with compliance. Government Messaging Solutions must comply with the relevant data protection government requirements, especially with regards to classified information.
Apps like Confide, for example, which was reportedly used by Republican operatives and White House staffers pose issues because there is no record of the messages sent. End-to-end encryption poses no problem for government messaging solutions, however ephemeral messages or messages that disappear do. Utilizing a secure, ephemeral communication platform that provides compliance capabilities (i.e. the ability to archive a single copy to a repository of record) in addition to advanced security and ephemerality capabilities, is required.
Finding the Balance between Content Control and Compliance
To recap, end-to-end encryption is an important first step for secure government communication. It is far from the final step however. Even with encryption, there is the question of both protecting the message once it reaches the device and is in the recipients’ hands and with complying with regulation. When considering secure messaging solutions, you should look for the following:
Content control – features that ensure messages can’t be screenshotted, forwarded, printed or stored on the device.
Compliance with regulations through secure archival of messages to a client designated repository.
To learn how Vaporstream can help you with content control and compliance when it comes to government messaging solutions contact us today.
Contributor: Kristi Perdue Hinkle
*** This is a Security Bloggers Network syndicated blog from Vaporstream authored by Kristi Perdue-Hinkle. Read the original post at: https://www.vaporstream.com/blog/government-messaging-solutions/