CISA Urges Public to Use Encrypted Messaging Amid Espionage Risks

The Cybersecurity and Infrastructure Security Agency (CISA) has issued a call to action for individuals in sensitive roles, such as senior government and political positions, to adopt encrypted communication platforms. This comes in response to espionage activities linked to People's Republic of China (PRC) state-affiliated actors targeting telecommunications infrastructure to intercept sensitive information.

CISA's report underscores a sophisticated threat landscape where PRC-linked threat actors exploit telecommunications infrastructure to compromise private communications and steal customer call records. The agency warns that “highly targeted” individuals should assume that all communication from mobile devices, whether personal or governmental, is susceptible to interception.

Such espionage efforts primarily focus on senior figures with access to valuable data, potentially influencing governmental, political, and economic activities.

Given that state authorities and law enforcement agencies have, in the past, called technology vendors to implement encryption backdoors that can support their crime-fighting abilities, the turn to the opposite direction in CISA's latest call is notable. In fact, CISA goes to the extent of proposing Signal specifically.

“Adopt a free messaging application for secure communications that guarantees end-to-end
encryption, such as Signal or similar apps,” reads the first recommendation in the published guidance.

“CISA recommends an end-to-end encrypted messaging app that is compatible with both iPhone and Android operating systems, allowing for text message interoperability across platforms.”

Key recommendations

CISA's guidance provides a robust framework for protecting sensitive communications. Some highlights from the published guidance include:

• Adopt Encrypted Communication Tools: Use applications like Signal or similar platforms ensuring end-to-end encryption across all devices and operating systems. Features such as encrypted voice and video calls, disappearing messages, and metadata minimization are critical for maintaining privacy.
• Implement Advanced Authentication: Employ phishing-resistant Fast Identity Online (FIDO) authentication methods, such as hardware-based security keys (e.g., Yubico or Google Titan) or passkeys. CISA emphasizes avoiding SMS-based multifactor authentication due to its vulnerability to interception.
• Migrate to Modern Hardware and Software: Update operating systems and mobile hardware regularly to leverage the latest security features, such as secure enclaves and monthly patches.
• Avoid Personal VPNs: CISA discourages the use of personal VPNs, highlighting their potential to increase attack surfaces rather than mitigate risks.

For iPhone and Android users, CISA includes tailored advice, such as enabling Lockdown Mode on iPhones and utilizing Android Private DNS with trusted resolvers to protect Domain Name System (DNS) queries.

Users looking to transition to encrypted communication platforms can consult our guide of the best secure and encrypted messaging apps in 2024, updated just last week after analytically testing all the latest versions of the presented products.