Military infosec SNAFUs: What WhatsApp and bears in the woods can teach us
One can’t spell shit without IT, but for Pete's sake it doesn't need to be in your endpoints
Fans of John le Carré’s Tinker Tailor Soldier Spy know how top military secrets are extracted from the enemy. Senior figures are turned in operations run by the most secret brains in the country; bluff and double-bluff mix with incredible feats of bravery, treachery and psychological manipulation.
Not any more. If head KGB spy Karla wanted to learn intricate details of the British military today, he’d just have to check WhatsApp. He’d learn who in the special services had got an extra stripe, as well as their cover units — and that’s just one document The Reg has seen. Are there others out there on public messaging systems? If we knew, we couldn’t tell you.
Inadvertent leaks of military gen are nothing new. During the Cold War, so some ex-operatives claim, one of the least glamorous jobs in intelligence was analysing paper copies of Eastern Bloc message decodes. Not so bad? They’d been pinched from latrines outside the forest barracks where they’d been recycled as toilet paper. That's real spycraft, not just going through the motions.
At issue in both WAGate and WCGate is the nature of security. Like those Soviet decrypts, on paper WhatsApp looks secure — if you think in standard security terms. A message is encrypted using mathematically blessed methods before it leaves the sender’s device and is only decrypted when it’s safely in the recipient’s. It was the same for Fialka ("Violet") — the Warsaw Pact’s default military encryption system and source of the data on Ivan’s bum fodder. But if you can swipe the final output, the quality of the encryption doesn’t matter. With Fialka, that took thick gloves, a strong stomach and inadvisable proximity to lots of unhappy enemy shootists with sore bottoms — those message pads weren’t soft. With WhatsApp, you get the benefit of 50 years of advances in tech — you can sit on your sofa and tap Copy.
We don’t know exactly how the Ministry of Defence (MoD) spreadsheet was leaked. We do know WhatsApp is designed for ubiquitous, frictionless sharing — not an ideal attribute for an Army-wide comms system. But it looked very good to a perennially cash-strapped MoD with a very long history of completely bungling its own IT and comms projects. It had previously cocked up a whole generation of Army radios called Bowman. Designed to embody that mythical mil-spec security, it ended up costing too much, taking too long, and being broken too much.
Exasperated squaddies expanded Bowman to Better Off With Map And Nokia, and someone in the MoD was taking notes. By the time every warrior had bought their own smartphone and installed the nominally secure WhatsApp, it became at first a semi-official and then a completely official military command and control system.
And we’re left with a system that knows how to keep a secret but is begging to spill more beans than an explosion in a Heinz cannery. This leaves the MoD in a quandary familiar to many businesses: if doing it yourself buys you costly, broken embarrassment and relying on third-party software leaves you with cheap, efficient embarrassment, you’re in the classic military FUBAR condition.
Let’s look at it another way. WhatsApp’s transmission channel isn’t secure because it has world-class cryptographers — it’s because it uses a known-good protocol from the Signal project. In fact, the whole internet and mobile phone network, including handsets, is a true military-grade secret infrastructure, if you use it correctly. The criminals who used Encrochat on lightly modified stock handsets knew that — the police had to put malware on the messaging servers to break it. A bit harder than waiting for a scrote to tap Forward.
It was open to the MoD — it’s open to all enterprises — to build only the bits needed to do the specific job, and buy in the other components. Or, with open source, get the components for free and pay to learn the expertise to use it — a much better investment.
For that to work, though, you need to have a clear idea of what it is you need to do. In the case of anything that has a security angle, which is everything, this means a clear appreciation of the risk landscape — of the true nature of security. You cannot have complete security, and striving for it is a disaster — ask any user of over-protective enterprise IT. But identify the points where you need to pay attention, and assess the rest for good-enoughness.
Does your endpoint have a Share button to the internet? You probably want to write that yourself. Are your decrypts being hijacked on their way to the incinerator because there’s no loo roll? Buy the soldiers some Andrex.
It’s true you can’t spell shit without IT, but you don’t need to have it in your endpoints. ®