Cybersecurity VS Secure Messengers
“In the RED CORNER, born from HACKERS and FIGHTING out of corporate America, it’s CYBERSECURITY!
And the BLUE CORNER, emerging FROM THE ASHES of the CRYPTO WARS, your returning champion SECURE MESSAGING!” – Bruce Buffer or Schneier, maybe
There’s a tension between cybersecurity and secure messaging, particularly in the word “secure.” Cybersecurity is the art and science of securing and defending assets in cyberspace in order to enable your team to go to mission and win. But secure messaging is… encrypted messaging?
These are two drastically different senses of the word “security,” but we throw them around in similar contexts as if they are the same… and it’s confusing. On the cyber side we have something that sounds like full, team driven, multi-functional practice. On the messaging side we have well configured tools.
Using the term “secure messaging” is, in my opinion, a little misleading. It sounds like we’ve found something static or Platonic, an inviolable principle. In terms of build-time controls or configuration that sounds useful. But operationally we need both well built walls and defenders on those walls.
Really, we should talk about “encrypted messengers” or maybe “protected messengers,” then we can map something useful between how the tools are configured as part of our IT environment into a broader picture of our operational security and cybersecurity. A well-built, properly developed and configured messenger with encryption maps into the PROTECT function from the NIST Cybersecurity Framework. We’re performing a function of blocking and logging. And it likely fits the NETWORK asset class from the Cyber Defense Matrix (“CDM;” I’m adapting the all-capitals convention from Sounil Yu and his excellent book, The Cyber Defense Matrix). “Secure communications” is never less than the PROTECT function but it’s often much more.
Namely, on the internet it includes the rest of the NIST Framework’s function: IDENTIFY, DETECT, RESPOND, and RECOVER.
For something to be secure in an operational sense, we need to know its boundaries, control it, and monitor it (i.e. we need structural controls, building the logic out from The Cyber Defense Matrix). Then we need to be prepared to defend it by detecting when something is on fire, respond to fires, and recover from fires. In other words, we need structural controls (good walls) and situational controls (soldiers on the wall to respond to attacks).
Secure messengers, secure video call solutions, etc. not only need to be well-encrypted but also need to be monitored and actively defended. We don’t argue about it much on Twitter/X/whatever-it’s-name-is-today, but we subtly expect tool developers to deploy and manage well defended infrastructure. We need to bring that expectation to the forefront of our minds when selecting and evaluating tools:
End-to-End Encryption is not enough, we need defensible and defended infrastructures.
Fortunately, we seem to get something like that from the big providers—or do we? Signal, Threema, etc behave in a way that implies they have defenders managing infrastructure and developers constantly improving code, but very very few of their attempts to build credibility talk about how they defend themselves against advanced threats as opposed to how well built their walls are (Though Signal might spend upwards of $600K on IT this year, maybe that includes some defense spending? https://www.crunchbase.com/organization/signal-foundation/technology)
But if we might be getting defense from commercial tools, we (as a broader missionary and high-risk nonprofit sector) definitely do not do a good job of expecting defended infrastructure from our self-hosted solutions. I’ve found that we tend to talk about self-hosted solutions in terms of time and cost to deploy, but not in terms of time/cost to operate, maintain, monitor, and actively defend. If we’re going to accurately count the costs, we need to acknowledge how difficult this is to achieve, ESPECIALLY if your team is small.
There’s no right solution, but defense has to be one of our most important criteria when navigating our various tradeoffs.