The Facebook – Cambridge Analytica fiasco may have grabbed headlines, but in reality this is but one example of the data misuse and data privacy issues that are currently impacting nearly every industry sector. Consider, for a moment, the potential impact of a cyberattack on a federal government agency. In the face of ever-evolving, sophisticated cyber threats, federal agencies require increasingly complex data security solutions. Here are the primary data security concerns we’re currently hearing about from clients in the federal space and our recommendations to address these concerns.
Infiltration From A Weak Link
It’s no secret that cybercriminals target our infrastructure, specifically our energy sector and the grid it relies upon. According to The New York Times, in August 2017 a petrochemical plant in Saudi Arabia was attacked by hackers intending to destroy data, shut down operations and trigger an explosion. Real-world scenarios such as this have made cyberdefense a chief focus for government agencies. Bad actors generally look for and exploit the weakest link in a security system’s defense. Often, the weak link is a supplier or vendor that is part of a government supply chain. Consider the vast number of federal contracts with companies of all sizes – from both the public and private sectors – and from all parts of the world. There is a very real threat of infiltration as these suppliers send and receive information from the federal agency’s network.
With Silent Circle’s GoSilent appliance, the federal agency can lock down its data and still provide access as needed to resources behind its firewall. As shown in the illustration below, suppliers utilize GoSilent to establish a secure connection to the Internet and then to the GoSilent enterprise server. This creates an Internet protocol security (IPsec) tunnel inside the enterprise firewall through which the supplier can securely send, receive and access program information.
Another area in which Washington seeks to outsmart digital criminals is in the prevention of eavesdropping. For example, IMSI catchers or MDIs (mobile device identifiers), also referred to as stingrays, are rogue mobile cell towers that intercept a phone’s voice and data transmission, thereby providing the adversary full access to the individual’s phone conversations and text messages.
Stingray hardware is portable and can easily fit inside a backpack. Any member of Congress or government employee using their cellphone in the street could have their conversation intercepted. Even if the person is in their office, a nearby stingray could capture the call as long as it’s within range. The reality is anyone can easily listen in on official government conversations and messages. The Department of Homeland Security publicly acknowledged this activity in April 2018, but the existence of these devices has been known for years – maybe a decade. The issue has only recently appeared on the public radar, but addressing it is a serious matter of national security.
Standard cell phone service is highly vulnerable to hacking, and even carrier-grade cell services aren’t designed with extensive levels of security. Anytime data is archived with a third party, the chances for a breach increase substantially. For this reason, Silent Circle’s secure communications products use “peer-to-peer” encryption. For phones equipped with our Silent Phone application, any voice or text communication is encrypted from the sender’s device to the other party’s device. End-to-end encryption is truly an ideal defense against stingray interception, because even if the conversation gets routed through a cell tower simulator, the communication remains encrypted.
Federal agencies are also keeping a close watch on the recent roll-out of Europe’s General Data Protection Regulation (GDPR). It’s expected that the United States will eventually implement similar regulation, such as the proposed Data Security and Breach Notification Act. Washington’s approach may not be as broad as EU law in the end, but it will likely impose fines on agencies and firms that do not comply with the new data protection regulations. Companies that place the utmost importance on the data privacy of their customers are already providing products and services that meet or exceed the GDPR, and Silent Circle’s products and solutions have been GDPR-compliant from the start. Learn more about how to get your enterprise ready for the rigors of GDPR or a similar compliance program.
Recognize And Contain Risk
The threats against the federal government and its highly sensitive data are not going away soon. The best defense for federal agencies and any suppliers who work within the federal sector is to be vigilant, remain aware and implement the most robust solutions available to secure communications, maintain privacy and protect data. Learn more about Silent Circle’s technology and encryption practices.