
Ep 26 | Backdoors Backfire: Hashing Out China's Hack on AT&T and Verizon

Air Date: October 7, 2024
 

 

In this compelling episode of Hash It Out, Virtru’s SVP Matt Howard joins forces with John Ackerly, Co-Founder and CEO of Virtru, and John Doyle, CEO of Cape, to dissect the recent cyber-attack attributed to the Chinese government and its far-reaching implications for the telecommunications industry. Together, they navigate the intricate balance between privacy rights and national security, delving into system vulnerabilities and the roadmap toward resilient, secure networks.

Drawing on insights from Ackerly’s experience in the White House, the trio debates the future of data security, the dangers of backdoors, and the need for verifiable control over data. Doyle highlights the importance of reimagining telecommunications architecture and shared accountability, offering solutions to prevent future breaches. This episode sheds light on the evolving landscape of cybersecurity and what’s being done to safeguard critical infrastructures.

For those captivated by cybersecurity challenges, privacy concerns, and the innovations shaping tomorrow’s secure communication systems, this episode is a must-listen. Tune in for expert perspectives and thought-provoking discussions on ensuring data security in telecommunications.

Transcript


[HOWARD]
Awesome. Great. John Ackerly, thanks for being here today, and, John Doyle, thanks for being here today. My name is Matt Howard. I'm the chief marketing officer at Virtru. This is Hash It Out. We wanted to have a quick conversation with some subject matter experts as it relates to some news that broke this past Saturday in The Wall Street Journal involving a cyber attack that was tied to the Chinese government penetrating the networks of some very large US carriers, including AT&T and Verizon, and kinda get some perspective on what does that mean with respect to this: a, what happened, and then, b, what does it mean with respect to kind of this long-standing tension between national security and law enforcement interest and the desire for personal privacy? So, John, I'll start with you. Kinda quick perspective on the news you saw this past weekend?
[ACKERLY]
John Doyle or John Ackerly? You're gonna ask me more questions. We got two Johns rocking here.
[HOWARD]
How about John Ackerly?
[ACKERLY]
Yeah. So very happy to talk about something that's been near and dear to the Virtru heart and to so many of us now for a few decades.
I think what was revealed over the weekend was that 20 years after CALEA was expanded by the FCC, we were paying for the sins of our past, is my view. And effectively, the Chinese walked through the same backdoor that was open for law enforcement to, you know, try to do their important work, to find bad guys.
And the issue is, as Bruce Schneier and so many others have mentioned, you can't kinda just let in the good guys. If you compromise the very technologies that are designed to keep the public secure, it's an impact on privacy, but it's also a big impact to our national security.
[HOWARD]
Interesting. John Doyle, same question. Kind of as you sort of digest the news from this past weekend, what's your take and your thought perspective from Cape Wireless?
[DOYLE]
Sure. Thanks, Matt, and thanks, John, for letting me come on Hash It Out. You know, from our perspective, Cape's the mobile and security first, or privacy and security first mobile carrier. So we're a carrier just like the ones who are announcing the breach, are required to be CALEA compliant just like they are. So we know quite a bit about this.
What's interesting from my perspective, for what it's worth, is that the breach occurred at these plug-in points in the telco stack. So telcos operate according to something called the 3GPP standard.
It's created by GSMA, the global sort of trade organization for telcos. And I'm getting a little echo. Let me turn down here. And when CALEA legislation came out and then equivalent legislation in other countries, the GSMA actually baked into the standard these plug-in points. They're called the X1, X2, and X3 interfaces, which really sort of codifies exactly how law enforcement plugs in to make sure you can enable these wiretaps and the other monitoring.
It also then makes it pretty simple and relatively standardized if you're a hacker who's penetrated a telco to know exactly where to go to get the content and get all the rest. And so I think that it's, you know, to John Ackerly's point, it really is just sort of coming home to roost, the fact that we bake these plug-in points in and have not been especially thoughtful in how they were implemented, and this is the result.
[HOWARD]
Interesting. And so, John, for the benefit of the audience, you know, you're the founder and CEO of Virtru, but previously, you spent time in the White House as a policy director. You were there on 9/11. You observed, you know, I know you've written and talked about this in the past, but you observed firsthand kind of this delicate situation that requires a careful balancing between national security and legitimate law enforcement interest and privacy rights. What did you observe back then, and anything you learned then, kind of, you know, relevant to today all these years later?
[ACKERLY]
Yep. So, you know, very interesting to have spent some time over the past 40 hours reflecting on those early years. And just one interesting data point was in 2000, you know, I was in the room in Philadelphia to finalize the Republican Party's platform.
And we included the explicit language in that platform opposing any government mandates to undermine information systems. And during the campaign, we took both Clinton and Gore to task about the old Clipper Chip, which was really an idea where you would have a government escrow of encryption keys, as being bad for privacy, bad for security.
And it wasn't really a delicate issue. This was a winning issue politically, but it was also something that had the full support of Paul Wolfowitz and Condi Rice, from our national security team.
And then if you actually look at the 2004, you know, platform, that language was pulled out, and there's a more anodyne, you know, language about promoting it. So the innovation and then having the right balance.
And I'm not undermining the complexity of doing the work to find bad guys. But at the end of the day, the balance was before September 11th, very clearly that from a security perspective, you should not be undermining the technology that we rely upon.
Now I will say that, you know, we have people at Virtru who are actually in the field actually implementing software onto Iridium handsets. And there's a question about whether these backdoors were helpful in finding Osama bin Laden.
He was a customer of Iridium back in the nineties. So I'm not saying that there are no benefits to these backdoors, but clearly, overall, when you think about our security posture and what China just had access to for effectively months, even years, you know, our position is super clear, and it was very clear back in the day as well for us. So, you know, a very rich history here, and I think this example probably ends that debate.
[HOWARD]
And, John, your thoughts. I mean, Clipper Chip was a long time ago, but certainly, you know, I'm old enough to remember it well when it was on the front page of every newspaper. Every evening television program was talking about the Clipper Chip debate. And, you know, when you look back on that versus the evolution of CALEA, how do you see it?
And, you know, do you think about this idea of mandating kind of backdoors where law enforcement is sort of the right path? You know, is there a different way of thinking about it in the modern sense?
You know, what's your take? I mean,
[DOYLE]
I think, you know, is it the right path or is it not the right path is an interesting philosophical debate. The thing I hope everyone takes away from this particular, like, the most recent news is to understand that telecommunications networks are critical infrastructure.
Right? They're so clearly trusted with our nation's very, very most sensitive data, you know, as it inevitably starts to come out what exactly was compromised in this enormous breach. That, you know, has become more and more clear.
And so we've taken this critical infrastructure. We've installed really well defined, very knowable, mandatory backdoors into that infrastructure, and then honestly done a pretty poor job of holding to account the networks themselves.
You know, this breach data, this is a really big story, and it sort of overshadows what was in itself an enormous story, which was the CDR breach news from 3 or 4 weeks ago. Mhmm. It was in itself, you know, enormous news and overshadowed the almost weekly reports of telecommunications breaches, you know, going back. You can go to our, if you'll forgive a plug, you can go to our website at cape.co and view our telco breach timeline.
But there's just been no accountability on this issue, and it is really out of whack with how important these networks are to our personal lives, to our professional lives, to our national security. And this is just kind of the biggest one yet.
And so the thing I hope we all take away is to start, yeah, like, creating accountability for the major networks, but also what we're doing at Cape, which is to think creatively and kind of reimagine from first principles how do you build a more secure, more private telecommunications network?
[ACKERLY]
Yes. So I think that is so well said, John.
And I think, you know, we are, yeah, for sure birds of the feather. You are building the most secure network.
And, you know, what happened post September 11th, from a Virtru perspective, was the animating force behind why we started the company. And if you have a layered approach where you actually have secure networking and then you have a trust layer of protecting the data that runs over that network in a way where there's verifiable control on the part of the enterprise, that if there is a warrant, they need to go to the company and it's not going to a kind of anonymous third party.
You know, that's where the data plus the network really fits so well together in terms of being able to move very fast on what is now called a zero trust strategy. But, really, it's about verifiable trust.
And I'm not gonna rabbit hole about what I think about that term going back to those Forrester days when we tried to push back on it, because actually, what zero trust provides is very verifiable trust and control, that the data that you have to share, this move across networks, you get to decide who gets to view it. And I think, you know, this point about backdoors that we've known about, but not really focused on, done a poor job of communicating about, is also in the world of one of our products that we're well known for, which is email. You have a lot of companies that are saying, hey. Just trust TLS.
Just trust the network. We'll make sure that it's encrypted. You can meet your compliance burdens, and no problem.
You get to check that box. And I suppose if you're comfortable with your data being viewed and owned by the Chinese, fine.
But I think that there's a lot of confusion out there in the market where people are just relying on networks where security really hasn't been a first class citizen over time.
[DOYLE]
Yeah. I think that's right.
Right? I think your delineation between our two products is probably right in the telco industry anyway. What Virtru builds would be broadly categorized as an over-the-top solution. Right? You're providing security sort of above the network so you're not subject to CALEA and to the plug-in points. We made this kind of deliberate decision to become a carrier and to build a network and figure out the plumbing, and, therefore, are exposed to a whole new set of really tough and kind of thorny privacy and security challenges.
But I think that, I mean, the approach you guys are taking is spot on.
[HOWARD]
Yeah. And I mean, just to kinda pull on that thread a little bit more.
I mean, not to, again, get super philosophical or anything, but if we all step back and we sort of look at this idea of, like, it's complicated. It's not black and white. It's arguably shades of gray, and there's a very legitimate need for, I'll say, some type of backdoor. I mean, maybe Bruce isn't entirely correct when he says there can be no backdoors.
Maybe there can be. And if we can step back and imagine a world where this idea of some type of capability in the network that provides for some type of legal surveillance with a court order, you know, is there a way to think about that differently than we have historically? Is there a way to kind of design systems that allow for legal surveillance while minimizing the risk of exploitation that somebody like the Chinese just took advantage of? I don't know, John. John Doyle, your thoughts on that.
[DOYLE]
Yeah. I mean, I'll answer a simpler question, which is, it's almost absurd, but would we prefer that the Chinese government not have direct access to the lawful intercept plug-in points of domestic telco networks? Right?
And the answer to that is obviously yes. We would prefer that.
And so you can make progress against that goal without having to solve the more absolutist question of, like, should there be backdoors in communications infrastructure or not? We did this.
So we're in the middle of a pilot right now with the US Navy that's public and has been in Bloomberg and other places where we're deploying our network on Guam. And a big goal of that pilot is to improve cybersecurity, and it comes from everything.
Like, the simplest version is just the act of doing a clean install of a new telecommunications network on existing physical infrastructure eliminates a lot of technical debt and security debt that have been accrued by the incumbents over time.
Doing it in commercial cloud like we do, you know, gets you a whole another sort of layer of security for free. And then being a security first company that's designed around these sorts of goals from the beginning solves a lot of problems also.
I hesitate to go too deep and get into really technical details here, but it's a long way of saying, I think that you can really start to solve these immediate problems without having to agree on whether, in, like, an ideal final state, an X1 interface exists or not. Right?
[ACKERLY]
Yep. Yeah. So I think that that's well said, John. I do think, just to, you know, kinda put it out there, as a starting principle, I think it's extremely important to be very clear that's white, not black, i.e., there should be no backdoors, which implies in the dead of night. I do think that through technology, and this is what you've been doing, John, and this is what Virtru has been doing, you can move the needle in a very dramatic way where you go from trade off between privacy and security to you can actually do both.
And at Virtru, you know, we are not Signal. Right?
Nor are we even Proton Mail, where it's really about preventing the individualized search warrants based on probable cause. And if you use free software, you'll be protected. At Virtru, we are very clear that if it's a search warrant based on probable cause and you use our free software, we will comply. Right?
And we will give up the keys and then law enforcement can go to Microsoft. They can go to Google.
They can combine key and content, but there is a separation of duties. There is a division, from a trust perspective, where blanket surveillance orders, those, we can't help with, and we won't help with, and it's a very different ball of wax, legally.
And for the enterprise, where you don't want Virtru in the middle like that, you have an enterprise version where you can deploy your own key server, and then it becomes a conversation for the New York Times with government. We are completely out of the loop, but, like, we're very clear in our trust center about what we do or don't.
Or you have a disconnected version of Virtru and you're DOD, and you just run it that way. So I think really where people get in trouble and organizations get in trouble is when they hide the ball about what's going on or they overpromise, and that's where we try and be super careful and clear.
Yeah.
[DOYLE]
I think, John, you made a really important distinction that, honestly, should get socialized a little bit as this conversation about the breach plays out over the next several months, which is separating a backdoor, something that's accessed under cover of darkness, right, from legitimate, and, you know, you can quibble with the margins of what's legitimate and what's not legitimate, but legitimate requests to access information whether you're law enforcement or an enterprise or otherwise. And the key that I know Virtru cares about and is also key to how we think about it at Cape is building the technology and building the tooling to enable fine-grained control of that, how you wanna answer that question.
Who should have access and when rather than, just stumbling on backdoors.
[ACKERLY]
Yep.
[HOWARD]
Yep. A 100%.
Yeah. Well, this is not simple stuff by any stretch of the imagination, and it's been playing out for a long time, you know, decades now. And as the world turns, we see ourselves here today.
And one final question for you guys before we wrap this up. Kind of from where we sit right now, looking ahead, how do you see this landscape evolving?
Does this happen again in 10 years, or is there fundamental change either because of something that Cape is able to bring forward into the carrier realm or because someone like Virtru continues to kind of push forward, John, in sort of the software realm with this concept of separation of trust? How do you guys see the future in the next 10 years, and, you know, does it look any different than where we find ourselves today?
[DOYLE]
John, I wanna make sure you get the last word. So I'll just say that in 10 years, when everyone in the world is a Cape subscriber and we've made significant progress against the problem, in seriousness, I'll say our approach generally is this.
Like, we recognize this is the latest symptom of a much more endemic problem, which in my opinion is stagnation and sort of ambivalence in the telco sector around security and around privacy. Our approach at Cape is to acquire as much footprint as we can on the global cell network and assemble a team I'm enormously proud of, of very, very talented engineers who care deeply about what we're trying to do, and just roll up our sleeves and get to work and figure out the plumbing that works, to do what John was describing, which is eliminate the backdoors, and then enable fine-grained controls for legitimate interests, whatever they may be. Yeah. It's hard to know the end state, but I'm confident in the approach.
[ACKERLY]
Yeah. So it's so impressive what you are doing, John, and it's someone with your expertise, and I'm not just blowing smoke, but background and multi time, you know, serious entrepreneur to, like, take on the foundational challenges of building a better network.
So many other approaches are kind of adding on the barnacles to the broken network, and, you know, that is inherently really challenging. It's also why $200,000,000,000 is spent every year on a conglomeration of security tools that you see at RSA.
If you can get the network right and you can get the data piece right, I think we're moving the ball forward in a very meaningful way. And, you know, for Virtru, it's been 12 years. I have said this to the team, but we're just getting started. We are in the first or second inning.
And I think what's optimistic amid all of the I mean, sometimes I beat my head against the wall because it's like, wow. I was in the White House 20 years ago frustrated.
And have we moved the ball forward at all? I don't know.
But I do feel like there is, and I was joking around about zero trust, but there is a tectonic shift happening. And I think the combination of this architectural approach, of the fact that you have these new foundational models and tools where data needs to be shared, not just to prevent this kind of backdoor risk, but to drive business value.
We are moving from an appreciation, and I hope this story is gonna shed some light for people, that you have to move to a much more micro security approach. Right?
Like you have to protect the data itself, tag the data, understand where it's going over secure networks so that you can, like, not worry so much about what the large telcos are doing, and you can actually get a lot more value from your data. And I think fast forward 10 years, even 5 years, I mean, the world's moving so fast, I think we have a chance to make a real difference here.
So the silver lining from all these terrible stories is, can we take advantage of it to make real change happen? So that's my final word.
[HOWARD]
Yeah. It's super interesting. And, you know, I appreciate both of you guys sharing your perspective on this story. There's no doubt we'll be all sort of reading more, digesting more, and reflecting more in the coming days, weeks, months as this plays out.
But I think to the point you made, John, I mean, there is no doubt that more granularity and security architecture is probably warranted, you know, if the perimeter and $200,000,000,000 a year hasn't prevented breaches, you know, maybe we should rethink how we do architecture. Maybe we should rethink it from a systems perspective, from a platform perspective, which is exactly what John and the team at Cape Wireless are doing with respect to the carrier realm. These are not easy problems to solve, and you guys have both been doing great work both at Virtru and Cape Wireless on this front. I appreciate you taking a few minutes to join us today, and we will catch up with you guys on the next episode of Hash It Out.
Thanks.
[DOYLE]
Thanks a lot, Matt and John. Cheers.
