Enterprise-grade messaging enters the quantum era

Recent events at the highest levels of the US federal government have shown that human error can be just as effective as high-tech hacking in creating security breaches exposing sensitive information.

While the Signal chat fiasco, in which the editor of The Atlantic was inadvertently added to a Trump inner-circle chat about bombing Yemen, has begun to fade from the headlines, it highlighted what continues to be a significant weakness among many governmental organizations and corporate enterprises: the ongoing use of consumer-grade messaging applications, and how slow such organizations continue to be in adopting state-of-the-art protection schemes.

Anurag Lal, CEO of Infinite Convergence Solutions, provider of the NetSfere enterprise communications platform, told Fierce Electronics that it is time for such organizations to advance their thinking about what it means to have a secure and enterprise-grade (rather than consumer-grade) messaging platform.

“The Signal fallout is a red flag for industries across the board, with the incident occurring not just at a federal level but from government leaders,” he said. “Industries must recognize the necessity to go beyond consumer-grade apps, in this case, one that is built for mass enterprise-grade communications with centrally IT-managed access controls. By default, it must be assumed that communications within any organization or government agency will be handling vast amounts of sensitive information. Even though Signal is end-to-end encrypted, it lacks the security that requires user authentication and administrative control to protect users and their data.”

The need for more secure enterprise messaging capabilities is becoming especially acute as quantum computing continues to advance. Quantum computers eventually could be used to break most modern data encryption schemes, and it has been noted that even though quantum machines have not yet reached that level of maturity, encrypted data that is being stolen from organizations now still could be decrypted years from now using such a computer.

That’s why NetSfere recently entered the chat with standards-based, quantum-safe encryption technology for messaging. The platform is among several from a range of different sectors that have incorporated 1,024-bit FIPS 203 ML-KEM (Kyber-1024 module lattice-based key encapsulation mechanism) quantum-resistant encryption, adapted from a standard published last year by the National Institute of Standards and Technology. There has been a push at the federal government level in recent years to adopt quantum-safe encryption, also called post-quantum cryptography (PQC), and companies such as content delivery network Cloudflare and hyperscaler AWS have adopted it in their networks. Also, Apple was an early adopter of ML-KEM, saying last year that it would support PQC for its iMessage app by adding ML-KEM to iOS.

“Looking beyond government, industries handling sensitive data, such as finance, healthcare, legal, and supply chain operate on a global scale and require a communication solution that is not just compatible or cross-functional in its integration, but secure and resilient against threats emerging today and tomorrow,” Lal said. “Industries are also intensely regulated, considering the healthcare industry as an example where data breaches are rampant. HIPAA compliance and the need to protect sensitive patients’ PHI is paramount, and the adoption of PQC will be a decisive factor safeguarding systems that are vulnerable.”

A study by KPMG's Canadian unit that surveyed 250 large corporations has noted that about 60% of Canadian firms surveyed and 73% of US firms believe “it’s only a matter of time” before cybercriminals leverage quantum computing “to decrypt and disrupt today’s cybersecurity protocols.” But KPMG also observed that a large majority of those companies admitted that “they need to do a better job of evaluating their current capabilities to ensure their data remains secure.”

While Lal said his company in some cases works through communications service providers like Germany’s Deutsche Telekom to provide NetSfere, he added, “We’ve deliberately built NetSfere as an over-the-top (OTT) solution. That gives us the agility to innovate independently of telco legacy infrastructure, which is critical when it comes to quantum resilience.”

By adding NIST-approved ML-KEM encryption now, Lal’s firm is also making NetSfere more attractive to more mobile carriers and enterprises as they eventually get on board with the impending quantum threat and start looking for better protection strategies.

Lal explained that while some companies have moved quickly with PQC, “most traditional messaging carriers and platform vendors are still in the early stages of addressing the quantum threat. Their reliance on outdated encryption models and legacy infrastructure makes the transition to PQC slow and complex. But quantum computing isn’t waiting, and the threat isn’t theoretical anymore. ‘Harvest Now, Decrypt Later’ attacks are already happening, where attackers steal encrypted data today, intending to break it once quantum capabilities catch up. And that timeline is accelerating.”