The public sector just went mobile. So how do you secure voice calls and messages?

It was the latest in a series of serious warnings about foreign cyber espionage targeted at Australian government employees and security-cleared suppliers, but that didn’t make it any less urgent.

Plain-spoken and candid, Australia’s chief spycatcher, Mike Burgess looked down the barrel of a camera to personally deliver the Australian Security Intelligence Organisation’s (ASIO) latest alert about hostile actors seeking to find and exploit cyber gaps using professional networking.

ASIO, along with the Australian Signals Directorate, have good reason to worry after an unprecedented year that saw the operations of national logistics firms, retailers and manufacturers all temporarily hobbled by ransomware.

Policymakers and key government institutions like the Reserve Bank of Australia have also been prime targets over the past year, as the nation rapidly adjusted to working from home while still trying to maintain sufficient security.

For the most part, the broadly successful pivot to mobile working has helped Australia keep running while toughing-out the dreaded COVID-19 pandemic. But that very success has also redefined the threat landscape, especially around how classified or sensitive information is kept secure.

New security terrain

For decades public servants, defence, police and security agencies had the relative luxury of keeping their information assets in buildings with strong physical security backed by hardened voice and data networks and sophisticated surveillance.

But the widespread shift to mobile means that malicious actors are doubling down on compromising mobile devices and what they most commonly carry – voice and messaging communications.

“Mobile voice and messaging is an often forgotten part of cybersecurity; most people think about the IT systems and less about the risk of making a phone call,” says David Nicol, Managing Director, IoT Solutions, Asia Pacific and Japan at secure communications trailblazer BlackBerry.

Building on its pedigree in security, today BlackBerry provides innovative cybersecurity solutions to organisations such as NATO, all the G7 governments, banks, healthcare companies, and universities, whilst ensuring they remain agile and productive.

“There’s a risk in terms of people intercepting sensitive conversations, but also using voice and messaging as a mechanism for identity spoofing.”

A major issue, as Nicol sees it, has been the trend for some in government informally using public consumer-grade apps like WhatsApp where targeted individuals can be snared through techniques like spear-phishing or cleverly spoofed messages.

Secure usability comes out of the shadows

From Nicol’s perspective, many of the informal or ‘shadow’ products that have crept into organisations got a foothold there because an easy to use secure solution wasn’t yet available.

“That’s really changed over the last 12 months or so,” Nicol says. “There are now highly secure solutions available, like BlackBerry SecuSUITE, that have encrypted telephony and messaging that is part of a closed network.

“When you get a call or a message via the SecuSUITE app, you know it has validated and authenticated the person at the other end – both the individual and also the device that they are calling from.”

That validation is backed by Common Criteria certification that was achieved in February 2020 and is recognised by the Australian Cyber Security Centre (ACSC).

Nicol says that while BlackBerry SecuSUITE has been hardened to top security requirements, it does so with useability in mind. One example is that users can see the risk profile of their call through simple ‘traffic light’ alerts. This said, strict user controls and boundaries can be set when and as they are needed.

“It’s a simple, clean, intuitive and rich set of functions that integrates easily with government and enterprise networks,” Nicol says.

It also means that staff or officials on government business in the field or overseas now have many more options to communicate securely and, especially important when restrictions on travel or movement are likely to remain in some form, for some time.

Importantly, SecuSUITE is operating systems agnostic, catering to both iOS and Android.

Common standards, common good

A major challenge all Australian jurisdictions are facing in terms of secure communications, especially around voice and messaging is standardising systems and platforms so that they can interoperate.

As Australia learned the hard way during the last horror summer, governments might impose their own borders and standards but that doesn’t mean fires, floods or disease will respect them.

There is clearly a growing view from the top that part of reforming the “architecture” of government is creating platforms, systems and standards that can be used across multiple agencies and even states, especially when the core requirements are broadly similar.

In November 2020, Department of Home Affairs Secretary Mike Pezzullo used the Digital Transformation Agency Summit to caution that the public service needed to come together and find system and platform commonalities so that technology instances were not developed in isolation.

Disparate, standalone systems have long been a frustration of government, and Pezzullo cautioned that it was time for agencies and technologists to come together.

“We can’t possibly operate in the fragmented manner in which IT and technology acquisition, procurement and deployment have evolved over the last 25 years,” Pezullo said, adding that products had to be fit for the field.

“I insisted that Home Affairs technologists would get in the field with actual cops. I said, ‘Go out in the vehicles, go out on night patrols, talk to the cops about what works for them in a functional sense,’” Pezullo told the DTA Summit.

Local footprint

Nicol says that the sentiments expressed by public service leaders need to be heard by the industry, with suppliers like BlackBerry taking the view that solutions increasingly need to straddle differences rather than staking out proprietary turf.

This said, sovereignty requirements must be taken into account, with bare metal on the ground if needed to ensure data and metadata stays securely onshore.

To this degree, BlackBerry has partnered with trusted Australian local cloud and managed services provider Sliced Tech that has carved out an onshore offering for government and enterprise that incorporates and automates the delivery of the Australian Federal

Government’s Information Security Manual (ISM) and Protective Security Policy Framework (PSPF) controls.

“The Sliced Tech partnership means that it doesn’t matter what level of government or agency you come from, if you want to secure voice and messaging that’s as robust as it is easy to use, the procurement and probity path is simple and straightforward,” Nicol said.

“When you start on a platform that’s secure from the ground-up, it’s relatively easy to fit functionality – certainly easier than retrofitting security,” Nicol says, adding that free trials and demonstrations were now available for interested agencies.