High-assurance Collaboration Taking Center Stage

The history of nation-state surveillance is long and sordid. For as long as rival countries have been in existence, leaders of those countries have sought to gain a competitive advantage over one another. Land, money, social influence, and power are just some of the reasons a leader or government might want to dominate another, and gaining access to competitor secrets is a must if one is to succeed. To gain an upper hand, insider intelligence by means of surveillance can be valuable. But gaining that intelligence isn’t easy, and power-hungry leaders have, throughout history, turned to illicit means to accomplish their aim.

There is, of course, a flip side to the nefarious doings of evil leaders. Law enforcement can use legal surveillance to suss out criminals and identify who they are, what they’re doing, and where they’re going. Surveillance can be an effective tool in preventing crime, not just committing it. The line between lawful and unlawful surveillance can be fuzzy depending on which side of the line you fall. It is true, though, that many nation-states have clear rules about what is lawful and what is not when it comes to surveillance, particularly in the case of wiretapping.

Back in the late 1990s, Aaron Turner was cutting his teeth in security working at Microsoft on enterprise server platforms and Windows systems, including what would become MSN Messenger. Flash forward to the fall of 2001, when he was invited by the U.S. government to join a post-9/11 project to identify vulnerabilities in cell phone networks and critical infrastructure. The goal of the project was twofold: first, find vulnerabilities; second, develop a lawful way to intercept communications that would allow the Department of Justice to surveil for malicious activity and find and bring criminals to justice.

When good technology is used for bad

Turner knew he was doing good work helping private industry and government work together to prevent crime. Yet, years later, and much to his dismay, Turner learned through the release of the Edward Snowden documents that several of the projects he worked on and the technologies he helped develop were being used illegally by the U.S. government (and likely other nation-states) to surveil ordinary citizens. This news only strengthened Turner’s resolve to create secure ways for people and organizations to communicate.

Not so coincidentally, global cybercrime was on the rise. Crime fighters were using vulnerabilities in mobile networks, messaging apps, and other collaboration platforms to lawfully identify potential criminal activity. Simultaneously, nation-state actors were abusing mobile and application vulnerabilities to steal private enterprises’ intellectual property (IP).

During this time, a few companies built promising private communication and collaboration platforms, but none provided a level of protection enterprises or private, lawful citizens could rely on. “Ultra-secure” messaging apps like WhatsApp and Telegram have been breached, and collaboration platforms like Slack include in their (long and oft-unread) terms of service that data can be shared, used, or copied without explicit authorization. Facebook blatantly sells personal data to the highest bidder, and Twitter admitted it “accidentally” sold users’ mobile phone numbers to advertisers. For its part, Apple has been fighting with the U.S. government for years about encryption backdoors in their products—a backdoor can’t be open for lawful purposes yet closed to exploitation by criminals.

Meanwhile, Jonathan Warren was developing a cryptographically secure peer-to-peer messaging platform called Bitmessage. The platform was designed to overcome key-authentication issues inherent in then-current messaging and communication technologies and to give users a more secure alternative to PGP. Bitmessage was released in 2012 as an open source project. Ironically, it was later exploited for criminal activity.

New beginnings

By 2017, Turner was looking for his next career move, and Warren had taken his skills to HighSide, a Bethesda, MD-based startup building a secure messaging and file platform on the basis of zero trust. Turner launched his company, initially called HotShot, with the underlying technology from HighSide. The goal was to create a secure and private unified collaboration platform that included distributed identity and virtual file encryption. The combined capabilities allowed HotShot and HighSide to jointly reduce the potential for nation-states to break the roots of SSL encryption, prevent attackers from exploiting repositories of encryption keys, and prevent illegal surveillance.

The companies recently announced a formal merger—which only makes sense, given their tight integration over the last two years. The company will operate under the HighSide brand, riffing off the colloquialism that top secret or classified information is delivered “on the high side.” Turner will take the role of President and Chief Security Officer, and Brendan Diaz will remain CEO of HighSide. Together, the combined teams and their platforms will take on the challenges of protecting companies’ intellectual property, reducing data leakage through consumer messaging applications, and providing high-assurance collaboration software.

Messaging applications

In the messaging space, HighSide is challenging a crowded market, and one that includes well-loved platforms that provide “good enough” security. But HighSide isn’t satisfied with “good enough,” understanding from years of experience that private conversations generally need to be kept private. Let's take, for example, a company developing a new tool or introducing a business plan that will change the course of its operations. The CEO is traveling abroad and is messaging the CFO about how contracts to support the new initiative are going. If a rival company, be it a nation-state or other entity, can surveil or intercept that conversation, those plans can be adopted and adapted by the interloper to beat the original company to market.

There are parallels for personal security, as well. Organizations protecting abused women need to ensure communications between the organization and the individual are secure. Information in the wrong hands, especially pertaining to physical location, could prove deadly. A government protecting industry whistleblowers or witnesses to crimes has similar needs. Society needs secure, reliable means of communication between law-abiding citizens that can't be tapped by those seeking personal, political, or financial gain.

For HighSide, the key (pun intended) to providing secure messaging is zero-trust distributed identity. “The main problem with the current batch of zero trust identity providers,” says Turner, “is that they have root of trust problems; they may build a unique identity for every entity, and make sure that every system communication between entities is verified on both ends of the communication, but key material is so centralized and all generated from the backend that users cannot distribute themselves away from the system. Providers are setting themselves up for failure.”

Time- and location-based identity policy enforcement

HighSide’s remedy to a “single point of failure” is distributed identity and hyper-fast key rotation, which make it hard for unauthorized parties to surveil private communications. The solution is geared towards enterprises with coveted intellectual property that need to protect themselves from nation-state actors, but any organization could argue that this kind of IP security is necessary. “Nations are abusing roots of trust,” says Turner, “and there are no lawful intercepts for this kind of private sector information. In the age of the Balkanization of the internet, nations are carving themselves off from what were once allies. The only way to protect your company from this type of IP theft is distributed zero trust identity and distributed crypto.”

Along similar lines, HighSide offers virtual file system encryption with distributed identity that protects files when employees are on the road. Though it’s easy to say that best practice when traveling abroad, especially to adversarial nations, is to use a burner phone, to create a temporary email address used only during the designated period, and not to communicate about highly sensitive IP over any regular platform, the reality is that it’s near-impossible to conduct business this way. HighSide’s virtual file system encrypts files using the methods described above and turns them into files or folders inaccessible to eavesdropping adversaries.

The team at HighSide positions its products as a way for targeted enterprises to achieve greater data integrity and compliance. That said, the use cases for protecting good from evil are nearly limitless in today’s politically charged, go-to-market-faster, use-any-means-to-win business culture. Though HighSide isn’t a household name at present, expect to hear more from them—and inevitable copycats—soon.