In this episode of Virtru Hash It Out, we sit down with Navroop Mitter, CEO of ArmorText, to break down the Salt Typhoon cyberattacks, their impact on U.S. telecom security, and why end-to-end encryption is now more critical than ever.
We explore:
Don’t miss this essential conversation on securing sensitive communications in today’s evolving threat landscape.
Transcript
[INTRO] Welcome to Hash It Out, a podcast built by data security experts. We decipher the data security landscape through honest conversations about today's headlines and tomorrow's challenges, brought to you by Virtru. Let's dive in. Today, we're talking with Navroop Mitter, CEO of ArmorText, about the Salt Typhoon breach, its impact on telecom security, and why end-to-end encryption matters.
Good afternoon. My name is Matt Howard. I'm the chief marketing officer at Virtru, and I have the pleasure today of hosting Navroop Mitter, CEO of ArmorText, an old friend and a longtime colleague. Navroop, welcome to Hash It Out.
Thank you for having me.
Yeah. Absolutely. Why don't we start, if you don't mind, tell us just a little bit about yourself, your company, and kinda what you guys do.
Yeah. So, look, I'm a reformed cybersecurity consultant who, thankfully, made a switch from the dark side over to product companies.
And we built a company called ArmorText, which provides secure out-of-band collaboration.
We particularly focus on critical infrastructure companies who have a reason to want to better protect their incident response, security ops, and threat intelligence sharing communications with things like end-to-end encryption, but also the means to have those better, more productive communications while staying compliant with their regulatory requirements.
Interesting.
So, you know, we had a chance. You and I have known each other a long time, caught up over coffee a couple of weeks ago, and we were both kind of comparing notes on, you know, sort of the news flow, which at the time was hot and heavy with respect to Salt Typhoon and all things CALEA and the backdoors, and, you know, it was not lost on you or myself when the FBI and CISA came out with what seemed to be, for the first time ever, really explicit guidance to, you know, US citizens and companies presumably to embrace end-to-end encryption in light of the, you know, active threat posed by the Salt Typhoon hack on the US telecom carriers.
At that moment, what was going through your mind when you first heard about it? I'm sure, you know, this is something near and dear to your heart, but what went through your mind when you first heard about Salt Typhoon? And then second, what did you think when you first saw what the FBI and CISA had to say?
Well, when I first heard about Salt Typhoon, one of my immediate concerns was how would this affect both individuals and consumers in the telcos, but also the enterprise clients. Right? You're there's a lot of doubt that got created immediately as to whether or not we could trust the telecom networks when having to keep us through certain security incidents.
Absolutely made sense.
But when I saw the FBI and CISA guidance, the first thought was, oh, wow. They've finally come around and are accepting that there is value to end-to-end encryption. This is something that more recently we've seen happen in the EU as well, where their latest laws on NIS 2 made explicit mention of the value of end-to-end encryption and the need to not weaken it despite what law enforcement and others had said previously. And so my first reaction was perhaps finally the FBI and CISA have come around.
And then I actually read the guidance itself. And my next thought was, oh, wow. This guidance, read on its own without care for what other obligations you might have as either someone who works for government or works in a regulated sector, is that following this guidance as is, without consideration of those other obligations, could land you in a lot of hot water later on, particularly around your obligation to retain certain communications. Alright.
If you're in banking, for example, you've got records retention requirements that are coming up on you. We've most recently seen fines levied starting back in, I think it was December twenty twenty one, when JPMorgan was fined two hundred million for failure to, I mean, be able to produce records that they were required to keep of communications that took place over things like WhatsApp or Signal during that time period. You know, fast forward a few years, that number has now reached three billion. So the second thought was literally following this advice as is could really land you in hot water.
Right. Yeah. I mean, it was interesting talking to you because, you know, at Virtru, we had, I would say, a similar but different reaction to the whole Salt Typhoon thing. And as you may have seen in some of the news media that John Ackerly, our CEO, was quoted in, you know, he was, as a former Bush White House policy adviser, you know, near and dear to his heart was kind of privacy and concerns with respect to, you know, government mandated backdoors in telecom networks to, you know, enable lawful surveillance with a, you know, a warrant from a judge.
The thing that kind of immediately struck us was, like, this was bound to happen. I mean, these backdoors that were implemented into the carrier networks kind of go back to nineteen ninety four with CALEA.
They subsequently expanded. I mean, and I think at some level, it's tricky because everybody understands the desire to have these backdoors there to enable legal surveillance when some law enforcement person goes and gets a warrant from a judge. That makes sense. But it also is, I think, fairly obvious to most people, like, experts including yourself, that when you have these backdoors implemented for purposes of supporting law enforcement, it's a very short step to a place where those same backdoors might be exploited by, you know, bad actors for nefarious purposes. Was that your view?
One hundred percent. Look. A robber doesn't always come through the front door. Sometimes they come through the patio door as well.
Right? If there's a door there, they're going to make use of it. Right. I think one of the interesting things that I've seen over the years is this notion that we could somehow create a golden key, this Right.
Key that only the good guys could use. Right. If I'm not mistaken, I believe it was the Xbox signing key at some point that was stolen effectively by a bunch of teenagers. Right?
I might have the video game platform wrong, but the golden signing key specific to making sure that their hardware would only run authenticated games was stolen by effectively kids, right, who pulled off this interesting heist. And when you look at the details of it, you realize that even with billions of dollars on the line, these large companies were unable to protect what would be the equivalent to that golden key. And now here we're saying, hey. This isn't the key that would affect your bottom line at all, but we want you as a telecom or messaging or other provider to take responsibility and somehow protect this better than everyone else who had economic incentives has been able to do up until now.
Right. And so what, sorry. And keep going if you have another thought.
No. No. I was just gonna say it just doesn't make sense to try to, you know, keep pushing that narrative. When we see time and time again, it just fails.
So do me a favor, kind of, if you can, connect the dots between what you and I both observed and the rest of the world, quite frankly, especially those that were paying close attention to the Salt Typhoon news breaking. The subsequent announcement from the FBI and CISA about, hey. It's probably a good idea that people, you know, start embracing end-to-end encryption because we don't know if the Chinese state actors, Salt Typhoon folks, are still in the network. We don't know when they're gonna be evicted.
And, you know, security and privacy right now for sensitive information is paramount, so it's probably worth embracing end-to-end encryption capabilities.
I'm curious to just kind of have you comment on why end-to-end encryption and, you know, the implications of that versus something like, historically, transport layer security, TLS, or something like that.
Yeah. It's a great question. It's something we talk about frequently with our customers. Right? Transport layer security protects my communications between my device and the server that is now going to be then disseminating that information further.
At the point of it hitting that server, or the network layer right before it, what I transmitted over the Internet is transformed back into plain text. The simplest example of this is I wanna go to americanairlines.com. I need to buy a ticket. I don't necessarily want everyone else to intercept my information over the Internet, but American on its servers absolutely needs to be able to see that information. And from there, they might need to further transmit it to other parties, and they'll go again apply transport layer security at that point. But in the middle there, on their servers, they absolutely needed my information in order to be able to issue me that ticket. When it comes to communications and end-to-end encryption, the whole point of it is to ensure that that server that's helping with the dissemination of that information, or propagating it to the recipients, the people that you want to communicate with, itself can never read those communications.
Right? And that's where that privacy angle that Ackerly and others were talking about comes in. From a consumer standpoint, absolutely Signal, WhatsApp, and end-to-end encrypted communications totally make sense. That CISA and the FBI have started to warm up to it makes sense. But even if we look very closely at what they said, they technically said responsible end-to-end encryption, which from their perspective still means one that is somehow both end-to-end encrypted but has a backdoor that, if they wanted to, they could ask you to use. Right?
And so Yeah.
But certainly, that was the implication. I think that for a number of folks in the industry, ourselves included, you know, we saw the word responsible as part of the, you know, written formal guidance, and it certainly raised our radar with respect to what do you mean, responsible? Does that mean use something that by definition is supported with a backdoor today so that they can continue to have access through, you know, warrants and legal methods to conduct surveillance? Because if that's the case, I think that makes sense. You know, I don't necessarily know, even as I sit here today talking to you, what exactly they meant by responsible. That's all I can surmise. I don't know if you got any further formal clarification or saw anything from them on that.
We actually did see one comment, and I've been trying to find the link again. Right? So we saw something briefly that had been online, and I believe it was from CISA itself, that helped define the responsible component. And it very much alluded to the fact that, ideally, responsible end-to-end encryption would still be one that would be able to allow you to work with law enforcement should the need arise.
That said, the examples they gave of what technologies you should go use definitely don't meet that definition, at least if you were to believe all the analysis that's been done up to date on how well Signal and WhatsApp have, you know, implemented the ratcheting protocol for end-to-end encryption.
Well, and this is where I think we wanna take the conversation, because the question is, you know, how can, in your case, certainly Virtru's case too. I think, you know, we're kindred spirits in the sense that we both believe that privacy and security with respect to sensitive information is paramount to, you know, the world we live in, to the customers we serve. I think end-to-end encryption in the true sense is the best practice, and neither one of us is naive about the idea that end-to-end encryption can be done in a way that supports a business requirement so that their security and privacy is enhanced above and beyond what's possible with just TLS only, and in a manner where, should they have certain requirements like audit or regulatory requirements if they were SEC regulated or something else, those could still be met. Is that your view?
One hundred percent. Look. Both of our companies are geared towards enterprises, and so we take it very seriously when customers tell us they need user management. They need policy enforcement.
They need remediation controls. But above all else, they also need, alongside that end-to-end encryption, the ability to maintain their business records retention requirements. Right. Because the SEC and CFTC weren't joking around when they issued three billion in fines.
Right? If you think about even the DOJ and the FTC, they first issued guidance back, I think, in twenty twenty three around ephemeral messaging and letting you know that if you had an obligation to preserve records for whatever reason, that obligation continued to exist. They further clarified that in twenty twenty four. And so that's where I also look at this guidance from CISA and the FBI and say, well, this is potentially contradictory towards the guidance that was issued by DOJ and FTC.
I mean, most recently Potentially, it is contradicting.
I mean, it's incongruent. Is it not?
It is absolutely incongruent. Right? The FTC has literally gone after Amazon's executives for its use of Signal because of the spoliation of data. Right?
There are a number of cases in which either the FTC or the DOJ or the SEC, CFTC, and now other bodies are starting to look at your requirements to have preserved an audit trail for various reasons and saying, well, if you can't do it, we're no longer gonna give you a mulligan when you get to court. Right? We're gonna take a serious look at the practices you had. Is this something that happened unbeknownst to you, or is this something you had tacitly approved along the way?
They're gonna wanna know that you had done it responsibly. Responsible in this case, though, doesn't necessarily have to be that the provider has access to the data. Like in both of our cases, both of our companies are built in such a way that we don't necessarily have access to the data, but instead we empower the enterprise to once again have control of their own data and ownership of their own data. Right?
You can have end to end encryption. They can hold the ability to decrypt while we as a provider, any of our partners, suppliers, or vendors would be unable to decrypt their communications.
Yeah. A hundred percent. And I mean, you know, when we look at it from the perspective of, you know, it's your data. You should be the one to have the key.
You should be the one to make the decision on whether you wanna decrypt it or not. No one else should make that decision. And if you should find yourself, you know, faced with some law enforcement official, you know, equipped with a warrant asking you to decrypt the data, well, then you would make the decision to decrypt. But it's certainly a very different world when you can imagine if you were an iPhone user and you had very sensitive information backed up to your iCloud backup and some law enforcement person went to Apple and said, hey.
We'd like you to do me a favor, please. I've got a warrant here to decrypt the group's iCloud backup for me.
And the complications of that are sort of well known to, I think, the world at large, at least again, the folks that are paying really close attention. I just wanna play this back to you, though, because this is kind of like when I talk about, like, it's fundamentally incongruent. I mean, like, sometimes I just have to, like, I live here in Washington, DC. I read the news.
I go to work. I come home. Sometimes I just have to stop and I have to think to myself, holy crap. Like, here we are living in this world where CALEA requires carriers to have backdoors so we could do legal law enforcement.
That makes sense.
We then realize, you know, matter of fact, that those backdoors were exploited by Chinese state hackers, and they are now in US telecom carrier networks and doing things like spying on both presidential candidates. That's a fact.
We are concerned about it appropriately so, federal law enforcement, FBI, and CISA.
We can't exactly tell the public when the threat is gonna be mitigated or when it's gonna be over.
So in that light, they say, hey. It's probably a good idea to now embrace end-to-end encryption. And, again, that's very sensible coming from the government, you know, in terms of guidance to consumers or citizens. It makes a ton of sense. Maybe even guidance to federal law enforcement employees or federal employees who might be subject to particular, you know, surveillance from the Chinese who are now in the network.
I guess where it kind of struck me as a little bit of a misfire was on this whole idea that people, like, in the banking industry could look at that guidance from CISA and the FBI and take it on its face and start to embrace something like Signal, only to find themselves sideways with their regulators.
Yeah. I mean, look, I think part of the challenge is the guidance that was issued lacked nuance and detail. Right? Instead of saying as a blanket statement, we should all be looking at end-to-end encryption, they should have been saying, here's the kinds of end-to-end encryption that are rightly applicable to your life in different circumstances.
I have a private life that is very different from my enterprise life as a CEO of a company, right, or as someone who works in federal law enforcement. In my private life, do I want a Signal or a WhatsApp because I do not want some sort of backdoor into my personal and private communications? One hundred percent. Absolutely.
As an enterprise, though, do I recognize that I have an obligation to various records retention requirements or, more broadly, enterprise controls around user management, policy enforcement? Absolutely. So the solution that was built for me in my consumer life is not necessarily the solution for me in my enterprise life. Well, if I'm a federal law enforcement person, I mean, I know it sounds like the guidance makes sense. Right? They're high level targets.
This is guidance service.
It's sensible. Sure.
Well, it is and it isn't. Right? It is in that, yes, end-to-end encryption is sensible. But the guidance as issued failed to even acknowledge that you might still have a retention requirement. If we think back to, I believe, it was twenty nineteen when the news broke, but it was probably twenty eighteen, in which Jared Kushner, during President Trump's first term in office, had an ongoing set of communications with the Saudis and in particular Mohammed bin Salman, right, MBS.
Those communications, if I'm not mistaken, took place over WhatsApp. And at the time, folks rightly called out that this violated, I believe it's the Presidential Records Act, right, the PRA. And, you know, later someone had to clarify that, you know, some appropriate screenshots had been delivered, but there was no way of knowing for certain whether or not all records were kept or whether or not any classified intelligence had been delivered across that channel that perhaps had made its way into a screenshot, something that then we would not necessarily know about. Right?
It goes back to, like, using a personal email server. If you start to use tools that are meant for your personal life for work reasons, your enterprise may rightfully say, hey. Wait a minute. We don't necessarily know what it is you're communicating about when it comes to work on this personal system.
We want you to switch back to some enterprise approved platform. The same is true for government. Right? There are Freedom of Information Act related requirements.
There's PRA. There are a number of other requirements that they also have for records retention despite being high value targets. Right.
Yeah. And so, you know, I know, like you, I mean, I'm talking to a lot of enterprise organizations every day about, you know, their concerns and their view of how do I protect sensitive data that we have inside the business that we know we have to share externally.
You know, we can't run this business without sharing sensitive data. How do we do that in a way where it's secure, where our privacy is maintained, and in a way where we aren't subject to unintended risk that might now be present because the Chinese have exploited our carrier networks? And, oh, by the way, how can I do it in a manner where my compliance people aren't freaked out because I might no longer be compliant with federal regulatory regimes, which I'm responsible for? And, I mean, in a nutshell, that's kind of the conversation we've seen playing out.
And certainly, you know, I don't wanna make this all about, you know, ArmorText or all about Virtru, but sometimes in the world we live in, you see a situation like this come to fruition where it's like, yeah. This is why companies like, you know, ArmorText and companies like Virtru exist: to provide, you know, good governance, good control over sensitive information, do it in a way where it supports the enterprise requirement, do it in a way where it still gives you the ability to maintain compliance with regulatory regimes, and perhaps, you know, in its simplest form, do it in a way that's secure and private.
Would you agree?
A hundred percent. Look. I mean, I think this is the right time to go back and reconsider, especially on the enterprise side, what we would call a tier and protect strategy. Right? Ripping and replacing all of your internal and external communication systems with something hyper secure just because there's this potential ability to read those communications might be overkill in certain circumstances. Right?
Probably not feasible in terms of time and money.
Absolutely. But you wanna right size to which use cases truly warrant that additional layer of protection, such that if an adversary were to get a hold of them, is this information that might, you know, inform some sort of industrial espionage campaign, or is this something that might inform an attacker as to how to better stay resident within your systems? And that's kind of why we focus on use cases like incident response or security operations. You're oftentimes discussing things in detail there, like what your negotiation strategy is gonna be with a threat actor who's now demanding a ransom.
If the threat actor can watch that conversation and knows that you're authorized to go up to ten and you try to lowball them with one, at some point, like Ragnar Locker did years ago to a French retail company, they're gonna say, actually, we're in control here. We know and can see Right. Or listen to your strategy. Here's a screenshot of your internal communications and chat for the whole world to see, so that you now know that you actually have to pay us the ten.
You want to right size these things. Right? And so you have use cases that we absolutely all understand and recognize are highly sensitive. Threat intelligence sharing is a form of external communication where organizations rely on each other.
But in order to really rely on each other and best pass on information about the potential threat, what things to look for, what strategies they may or may not be employing themselves, or what has actually already hit, they need to go discuss things in detail and nuance, and that requires having a greater amount of trust in the platform itself, and that then requires additional security, both trust in the platform but also then trust in the identity. So you're also looking at who are the identities on this platform. Are they well vetted, or is this just whoever's phone number got added to the chat five minutes ago?
Right? And that's again why this discussion actually has to go beyond just end-to-end encryption.
Yeah. I think that's an excellent point. Well, you know, it was great to see you a couple of weeks ago in person. I, you know, enjoyed that conversation. I thoroughly enjoyed this one here today, and I'm glad we were able to kind of, you know, compare notes, you know, on the record for the benefit of folks that happen to watch Hash It Out.
You know, I think your view of this landscape is expert and is, you know, as well informed as anybody I know, and we're grateful for you taking the time to come in and chat with us today. Thanks, everybody, for joining, and we'll catch up with you next time.
Thanks for listening. If you enjoyed this episode, leave us a five star review, and don't miss us the next time we hash it out. Like, follow, and subscribe to us on YouTube, Spotify, and Apple Podcasts, all linked below.