On Tuesday the United States Senate made it official and approved the use of encrypted messaging app Signal by staffers. Encryption advocates applauded the measure, but say more needs to be done to protect “civic” infrastructure critical to democracy.
“The move to secure communications applications–and, one hopes, other equally important forms of security (e.g., multi-factor authentication)–is a healthy and important step,” wrote Susan Landau, a cyber security policy expert at Worcester Polytechnic Institute, in commentary posted to the Lawfare website. “Such efforts should extend well past the community of Senate staffers.”
In a letter sent Tuesday by Senator Ron Wyden (D-OR) staffers were given the green light to use the end-to-end encrypted messaging service Signal, developed by the highly regarded Open Whisper Systems.
Citing the adoption of other encryption technologies, like the recent introduction of HTTPS on all Senate websites, Wyden in a letter to the Sergeant at Arms of the United States Senate, Frank Larkin wrote:
“With the transition to default HTTPS for all of the other Senate websites and the recent announcement by your office that the end-to-end encrypted messaging app Signal is approved for Senate staff use, I’m happy to see that you too recognize the important defensive cybersecurity role that encryption can play.”
Landau is quick to point out that protecting vulnerable U.S. assets needs to go beyond Senate staffer email. During the 2016 presidential elections, she points out, it was more than the U.S. Democratic National Committee and the private account of John Podesta, the chairman of Hillary Clinton’s campaign, that were targeted by hackers.
“They also hacked into think tanks and lobbying groups ‘likely to shape future US policies’; such attempts were made, for example, against the Council for Foreign Relations. In the wake of all of the attention on the Trump-Russia connection, this issue has not received the attention it deserves,” she wrote.
Encryption has been a hot topic among government officials who have been debating the benefits of using such technology to protect electronic communications. On one side of the argument some say that encrypted conversations can hinder the government’s ability to keep records of public officials and could run afoul of presidential record-keeping laws that mandate the preservation of all presidential records.
Still others argue that using tools such as Signal to protect the contents of emails helps keep email private from hackers.
“I have long argued that strong, backdoor-free encryption is an important cybersecurity technology that the government should be embracing, not seeking to regulate or outlaw,” wrote Wyden.
Landau points out in the wake of Russian hacking claims during the presidential election both candidate Donald Trump and President Barack Obama began using Signal. That same diligence, needs to apply to the “civic” infrastructure, she said.
“They are ‘civic’ infrastructure–civilian systems—that often lack the type of security that can resist an attack by a nation state. But these organizations are an essential part of democracies’ healthy functioning. They need security protections every bit as much as Congressional staff do,” Landau said.
She also points out that except for those working in classified settings, Senate staffers use the same consumer devices as most people do. “That’s somewhat surprising, since many of the (Senate staffers) communications, while not classified, are certainly sensitive,” she said.
According to Verizon’s annual Data Breach Investigations Report, released last month, researchers noted a rise of academia as a target of attacks in 2016. “Colleges are centers of innovation and are building technologies that would certainly be targeted by state affiliated groups,” wrote Dave Hylender, senior network engineer at Verizon, in the report.
“Criminals are realizing that intellectual property and trade secrets are being held by institutions of higher learning. And, state actors are realizing it’s easier to break into a university system and steal the R&D there than break into a government system or a well-developed and well-protected manufacturer’s system,” Hylender said.