The details regarding the capabilities of every government’s intelligence-gathering apparatus are closely guarded secrets that impact the national security of governments in every country around the world. Every country runs security programs to ensure the safety of the state and its citizens, and to preserve the integrity of its government as a whole. Recent reports have provided all sorts of conjecture as to the co-operation between the NSA and various U.S. technology vendors, with allegations of backdoors and other mechanisms that undermine the core security of their product offerings.
While I have no knowledge of these situations, I do wish to shed some light based on my experience with BlackBerry, which is known as the industry leader in mobile security. I hope to explain what consumers, enterprises and governments really need to know when listening to reports about alleged security vulnerabilities. The primary objective of security and encryption is to protect the confidentiality and integrity of a transaction between the end points. For smartphone users this is between your device and the services running behind your company’s firewall. What my colleagues and I have learned from years of experience and testing is that an integrated approach to mobile security, including data encryption between these end points, is the best defense.
One of the biggest challenges to the effectiveness of a modern encryption system is entropy. For those of you who don’t live this every day, entropy is the gathering and creation of random data. In a very simplified view, you could consider the effectiveness of a system as the difference between picking a number between 1 and 10 versus picking a number between 1 and 1,000,000,000,000. While the problems are essentially the same, the level of difficulty and complexity is substantially different.
In the context of the BlackBerry solution, we use multiple sources of entropy to create dynamic and changing keys that ensure that mobile data is encrypted and unreadable until it is safely delivered and decrypted at its destination. These keys change for every packet of data that is sent. So when you receive a one-megabyte presentation on your device, that actually represents 500 individual packets (or transactions), each encrypted with a unique key.
In today’s world, every computing platform may be susceptible to spyware (or malware). If you are using an open development platform, you can absolutely count on people trying to find ways to exploit users. This is a significant threat for governments, enterprise users and individuals who all require solutions that will properly safeguard their privacy.
Malware has become a tool of international cyber-crime and a threat to everyone running applications on their mobile devices, from consumer applications designed to misappropriate your personal information and steal your identity to state-sponsored initiatives used to gain access to government secrets. The threat is real and growing.
There is no turning back the clock on the reality that our most precious information has now gone mobile. That trend will only accelerate. So when it comes to trusting your communications or mobile infrastructure, security has to be built in, end-to-end and at every layer, from the hardware and software to the network itself, in order to protect data where it’s most vulnerable.
It is in everyone’s best interest to focus on creating open standards that are passed through independent testing and validation so that we can choose solutions with the confidence and assurance that our information will be protected. Security experts who have spent their careers finding better ways to protect data realize there will always be people trying to break our systems of protection. The industry needs to continue to innovate and redefine state-of-the-art technology, as our views around security and encryption continuously evolve.
At BlackBerry, that means we have teams dedicated to the security that is at the core of everything we do. We build our solutions without “backdoors” or compromise. Trust, but verify; hold your partners accountable to be transparent and prove that they are protecting your information.
Totzke is senior vice president for BlackBerry Security.