Lesson two is about cell phones. No, I'm not going to say that you can't use cell phones. Cell phones, for good or ill, are now part of our lives. But a definite part of this story, and scandal, has to do with cell phones.
Cell phones are not secure. At least not *very* secure. Just today I got some information about a family of malware for cell phones, specifically targetting instant messaging systems, and with at least one component directly aimed at the Signal app. And a bit later we will go into some of the details about why, and how, cell phones are not terribly secure. But cell phones are certainly convenient, and sometimes they are even life-saving. So, no, I am not saying that cell phones are evil, or that you should never use cell phones.
What I am saying is that you should think about how, and why, you use cell phones.
In this particular case, cell phones definitely should not have been used. The Signal app should not have been used. The information being discussed was very important, and confidential, particularly at the time that it was being discussed, and, despite the subsequent attempts to say that the information was not classified, and did not come under a category that needed to be classified and that somebody involved in the conversation could have declassified the information, whether or not the information actually was declassified, this type of information either was, or definitely should have been, classified, and shouldn't have been discussed in this type of communications arrangement. Government and military people in the United States use, and are provided with, what is known as a SCIF: a Secure Compartmented Information Facility. This is not simply a phone, or a terminal, but an actual facility: a room, locked, with either a card or a keypad in order to identify everyone who enters it, with a phone, or a terminal, that is built to a standard of security that would make it very difficult for any adversary to eavesdrop on any conversations.
So, what does this have to do with security for ordinary folks? Ordinary folks are not provided with an SCIF.
This is quite true, but, once again, we go back to the idea of information classification. (That's why we started off with the topic of information classification.) Once again, you don't necessarily have to have some kind of formal information classification system. But you should consider the information that you are dealing with, and how important it is, to you, and the communications channel that you are using. Are you using this particular communications channel just because it's convenient? Do you have another communications channel that might be better for this particular piece of information, or discussion? Is there some other communications channel that both you, and the person you want to have a conversation with, share, and is it more suitable given the sensitivity (importance) of the information that you were going to discuss?
Cell phones, as I said, are convenient. But they also have a lot of functions that might not immediately come to mind when all we want to do is place a phone call. Just about every cell phone has a speakerphone option. Are you sure that the person on the other end of the call doesn't have their phone on speakerphone? Could it be that other people, sometimes quite a distance away, could overhear the entirety of both sides of your conversation, because the other person has their cell phone speakerphone on? Then there's the fact that pretty much all cell phones can be set up to record a conversation. This isn't unheard of with the landline, but it generally takes a little bit more trouble to do it. It can be done easily, and quickly, on a cell phone just by downloading an extra piece of software. Again, we'll go into a bit more detail about some of the problems with regard to cell phones in a subsequent piece in this series. For now, just be aware of what can happen when sending different types of information over different types of communications channels. Think about how important the information is, to you, and whether the ease and convenience of the channel that's immediately to hand makes it the best fit for the type of communications you want to engage in.
Using cell phones, and group chats, to discuss really important and top secret attack plans; the type of information that, if it goes as stray, could get people killed; well, cell phones probably aren't the best fit for that. And besides, it would be illegal anyways.
No comments:
Post a Comment