US government agencies have been urged to use end-to-end encrypted messaging services, including WhatsApp, Signal and FaceTime, following disclosures that China has breached US telephone networks in a hacking operation that undermines US national security.

In a letter to the US Department of Defence (DOD), two prominent senators warned the DOD is placing security at risk through its continued use of unencrypted landlines, and unencrypted platforms such as Microsoft Teams.

The warning follows confirmation from the FBI and the US Cyber Security and Infrastructure Agency (CISA) that groups linked to the People’s Republic of China have compromised multiple telephone networks and had accessed private communications of a “limited number” of people in government and politics in a hacking operation dubbed Salt Typhoon.

Democratic senator Ron Wyden and republican Eric Schmitt criticised the defence department for failing to use its purchasing power to require wireless telephone service providers to provide cyber defences and accountability, in a letter on 4 December 2024.

“DOD’s failure to secure its unclassified voice, video and text communications with end-to-end encryption has left it vulnerable to foreign espionage,” they warned.

US Navy tests encrypted messaging

The senators disclosed previously classified details of a trial by the US Navy to test end-to-end encryption communications platform Matrix, an open-source, decentralised service widely used by Nato countries. The US Navy is testing Matrix to send encrypted messages from 23 ships and three on-shore sites.

“While we commend the DOD for piloting such secure, interoperable communications technology, its use remains the exception; insecure propriety tools within the DOD and the federal government generally,” the senators said.

“The widespread adoption of insecure, proprietary tools is the direct result of DOD leadership failing to require the use of default end-to-end encryption, a cyber security best practice, as well as a failure to prioritise communications security when evaluating different communications platforms.”

The Salt Typhoon attack, first reported by the Wall Street Journal, has targeted individuals including president-elect Donald Trump, vice-president-elect JD Vance and Senate majority leader Chuck Schumer, according to press reports. 

“This successful espionage campaign should finally serve as a wake-up call to the government’s communications security, despite repeated warnings from experts and Congress,” the senators wrote.

The FBI and CISA have recommended that people use encrypted messaging and voice services such as Signal and WhatsApp to reduce the risk of hackers intercepting text messages.

CISA executive assistant director for cyber security Jeff Greene told broadcaster NBC this week: “Encryption is your friend, whether it’s on text messaging or if you have the capacity to use encrypted voice communication. Even if the adversary is able to intercept the data, if it is encrypted, it will make it impossible.”

According to a blog by cyber security expert Bruce Schneier in October 2024, Chinese hackers appear to have accessed backdoors used by the US government to execute wire-tapping requests, which have been mandated by the Communications Assistance for Law Enforcement Act, enacted in 1994.

“For years, the security community has pushed back against these backdoors, pointing out that the technical capability cannot differentiate between good guys and bad guys,” he said. “And here is one more example of a backdoor access mechanism being targeted by the ‘wrong’ eavesdroppers.”

Matthew Hodgson, co-founder of Matrix.org, a non-profit foundation developing standards for end-to-end encryption, told Computer Weekly that the Salt Typhoon hack was an “unfortunate validation” of concerns raised about the impact of the UK’s Online Safety Act, which contains measures that could be used to weaken end-to-end encrypted communications services.

“It is morbidly amusing to see all of the intelligence agencies telling everybody that actually, end-to-end encryption is a good idea, and the backdoors are a bad idea, and everybody should hop on encrypted systems like Matrix or Signal rather than trust the phone network anymore,” he said.



Source link