The first time I walked into the Oval, I thought I’d been mistakenly led to some miniature replica. Certainly, I imagined, this iconic room where Kennedy had rocked, and Johnson had monitored TV, and Reagan had refused to remove his jacket – would be more vast than this. But the real focus of any visits to that Office would be on the President’s desk phone. For many years, it displayed the logo of my employer – and we had the job to make it secure.
I wish you could have seen the iconic phone pioneers from the seventies and eighties make their case about operational security to Presidents, one after another. The wonderful AT&T executive Bill Jack, for example, would spring up from his chair, and grab the Presidential handset, and unscrew the cap to show how easy it would be to plant a simple bug. It was visual, and the President’s people would listen. There was never push-back. Ever.
Today, I can hardly believe my eyes that we now have a Presidential Administration using such sloppy operational security in their use of mobile communications. This extends from the President himself to his cabinet and team of advisors, including the President’s personal attorney Rudy Giuliani. They seem adamant to use personal devices or to call others using personal devices – and such action is not in their interest. Let me try to explain why:
Modern global telecommunications infrastructure is controlled by a vast packet network that performs a function called signaling. When you use your iPhone to call cousins in London, for example, an American signaling system, run by your mobile provider, and a British signaling system, run by your cousin’s mobile provider, perform a handshake to work out the details – including billing, for your chat. It’s a mature process.
Two security challenges emerge, however, with this scheme. First, if you happen to make a call – either to or inside a country, where the distinction between the government and mobile provider is blurred, then it would be safe to assume that the signaling is fully accessible to the government. This allows for control and monitoring of any text, call, or session. It also includes the ability to suppress security controls that might be attempted by one party.
The second challenge, which is perhaps more intense, is that every major government in the world – including our own here in the United States – makes no bones about the fact that they openly monitor foreign communications. This is what spy agencies do, and anyone who thinks otherwise should get their head off the Disney Channel. All major governments target foreign communications, and signaling systems are a major conduit to that end.
So, when President Trump, or anyone in his orbit, uses a personal mobile phone to make a call to literally anyone, you should imagine a massive group of unsavory individuals and groups listening in. Think of it as a massive party line, where everyone on the line is about as unacceptable for inclusion as you could possibly imagine. There is no reason on the planet for any President to walk into such a trivial trap. It’s crazy.
Amazingly, the solutions to this problem, especially for a President, are spectacularly simple to adopt. The White House Communication Agency, and other support teams around the President, no longer impose the use of robotic sounding brick phones with weird keying protocols. Modern secure communications are simple to use and spectacularly high quality. They support voice, text, and other session requests. You’d like to use one yourself.
And even if the President doesn’t trust his own communications teams to provide security (so weird to type that), there are wonderful commercial options that would at least ensure that personal calls on a private mobile would be harder to tap. Koolspan and Silent Circle, for example, offer app solutions called over-the-top (OTT) communications that transform wiretapping from a simple lay-up into a much more complex endeavor.
If you are reading these words, then the chances are high that you have some connection to the cyber security community, perhaps as a working professional on a CISO-led enterprise team. Ask yourself this: If any of the executives in your company were behaving in this manner, what would you do? What action would you take to reduce this obvious risk? I think you know the answer, and I think you know what must be done today.
Please contact your representative in Congress and tell them that you are non-partisan, but that you find the risk of personal mobiles for sensitive communications to be completely unacceptable. Tell them to please make a bigger stink about this – and the process should include legislators from both sides of the aisle. Remember: this action is in the full interest of the President. He should want to do this. It’s for his own protection – and ours.
Please forward this note to others you think might be interested. Let’s start being more vocal about this obvious vulnerability.