Communications Security: Lessons Learned From Ukraine
The war in Ukraine is teaching us lessons about communications security — lessons that apply to both the battlefield and today’s business world.
Securing communications is a significant struggle for many organizations and governments — and that’s not a new development. In fact, the challenge is actually quite old, like Julius Caesar old. Back in 46 B.C., Caesar used what is known as the “Caesar Cipher” to encrypt his messages while ruling the Roman Empire:
"If he had anything confidential to say, he wrote it in cipher, that is, by so changing the order of the letters of the alphabet, that not a word could be made out. If anyone wishes to decipher these, and get at their meaning, he must substitute the fourth letter of the alphabet, namely D, for A, and so with the others." - Roman historian Suetonius
Figuring out how to keep your communications private and secure is a challenge for the ages that continues today.
Critical Communications Are Often Intercepted
Today, modern technology makes it relatively simple to aggregate large quantities of everyday information — found in casual business or personal conversations — and turn it into a treasure trove for analysts and cyberthreat actors.
Here’s an example. If a military entity intercepts and aggregates enough casual calls between soldiers and their families, it can glean insights into the overall state of an opposition’s operation, as well as the status of the participants in that operation. This is potentially very critical information!
This exact scenario is playing out in Ukraine right now. In NPR’s story, How Does Ukraine Keep Intercepting Russian Military Communications, the reporter interviewed Dmitri Alperovitch, a cyber expert who heads the Silverado Policy Accelerator.
"There was an intercepted phone call where the Russian officer was saying how half of his troops have frostbite on their feet, how they don't have any hot stoves for food. They're sleeping in trenches," says Alperovitch.
Now, what might this tell Ukraine about the morale of Russian troops?
And this is not the only use for conversations recorded through leaky communication channels. Intercepted calls are being logged for use in potential criminal prosecutions and potential war crime trials.
How are so many conversations and communications being intercepted? It turns out the Russians are often using off-the-shelf mobile phones and radios they seized during the invasion.
War is an extreme example; however, similar things are also happening in business. Motivated threat actors can intercept and aggregate calls or messages traveling over public phone networks and through consumer-grade messaging apps. If you listen in and hear enough people alluding to different types of business deals, or to business trips employees are taking, it becomes possible to determine some of the key strategies and activities that a business has underway.
During my recent talk at the ninth annual BlackBerry Security Summit (the session is now available on demand), I shared a series of headlines from the past eight years, where people have called out these types of scenarios in various contexts.
The Cost of Insecure Communications
How much thought have you given to communications and protecting your metadata — or that of your customers — to ensure both privacy and compliance? Failing to do so can be extremely expensive. During September 2022, the SEC fined some of the largest banks in the U.S. $1.8 billion for using inappropriate tools and processes for their communications. This type of thing is not just happening to big financial companies. It also occurs at smaller companies and startups. In fact, it has become a legitimate regulatory risk for a large number of organizations.
My colleagues on the BlackBerry Incident Response Team recently wrote about another aspect of this security challenge: insecure communications after a cyberattack can harm your incident response. Threat actors are often found to be reading your email or team discussions on popular business messaging platforms. See their write-up, The 13 Deadly Sins of Incident Response, for more on that risk.
Encrypted Voice and Messaging for Android and iOS Devices
As we’ve explored, off-the-shelf or consumer-grade communications options can leave your organization, your people, and your compliance status at risk. So can many mobile security tools that come bundled with something else. This is why a growing number of governments and companies are putting a new focus on specialized tools that are purpose-built to provide secure and private mobile communications.
You may already know that BlackBerry is a longtime leader in this space. You may not be aware that NATO recently selected our high-security voice and messaging platform for its iOS® and Android® devices. BlackBerry’s SecuSUITE® will encrypt the conversations of NATO’s technology and cyber leaders wherever they communicate – in the workplace, at home, or travelling abroad. And SecuSUITE is protecting numerous countries against electronic eavesdropping whether the comms are unclassified, Top Secret, or some level in-between.
The Future of Secure Communications
To consider where secure corporate and government communications go next, download our complimentary infographic, The Future of Secure Communications, or watch my complete session from the BlackBerry Security Summit, Communications Security Lessons Learned From Ukraine, which is now available on demand.
We’ve sure come a long way since the days of the Caesar Cipher, haven’t we? Now we have advanced tools for encrypting and securing all our communications. The only question is, are you using them?