April 23, 2025

00:41:28

Episode 304 Deep Dive: David Wiseman | The Eroding Trust in Consumer Messaging Apps

KBKAST

Show Notes

In this episode, we sit down with David Wiseman, Vice President of Secure Communications at BlackBerry, as he discusses the growing challenges around digital sovereignty and trust in consumer messaging apps. David explores the limitations and risks of using platforms like Signal, WhatsApp, and Telegram for sensitive or official communications, highlighting issues such as identity spoofing, loss of data control, and the collection of valuable metadata by adversaries. He explains BlackBerry’s shift to software-based secure communications that provide governments and enterprises with the necessary controls for confidentiality, compliance, and usability—delivering “consumer app” simplicity with enterprise-level security.

BlackBerry Role

In his role as the Vice President of Secure Communications, David is a seasoned international public speaker, whose responsibilities include leading the Secure Government Communications business in the Americas and APAC. He specializes in applying technology to real life mission critical business systems with a focus in communications, security, and safety.

David and his team support our customers in understanding how to secure their mobile communications from the most advanced adversaries, especially in complex and highly secure sectors such as defense and military, including NATO. David has been with BlackBerry for ten years, joining the organization in November 2014.

Experience

David has 25+ years of experience in software, security, information management, mobility and communications at BlackBerry, IBM, SAP, Sybase, and the US Navy. His expertise in Secure Communications leads BlackBerry in the vision of securing a connected future you can trust, helping governments to augment and fortify digital defences to strengthen national security.

Notable Achievements

David helped design the world’s first large-scale environmental geo-spatial database for NASA. He also helped design the software for one of the first shipboard radar data fusion systems for the US Navy. At BlackBerry, David and his team have helped NATO and multiple global governments operating in challenging geo-political environments to establish trusted, secure communications channels from the battlefield to the boardroom – using military-grade software to ensure classified conversations and messages remain private.

Episode Transcript

[00:00:00] Speaker A: It's digital sovereignty. And what we mean by that is we control the data, we control that communication system, we control who's in our environment, but we're still able to leverage the global networks that are in place, providing connectivity to people around the world. It's gotta feel like a consumer app, but behind the scenes it's gotta be a system for government where they have control over the users. Are you actually communicating with who you think you are? I think from a UI UX perspective, it's like a never ending cycle and that's normal and that's good for innovation. But it also reinforces why you shouldn't use the same tools for your personal communications that you use for your official communications. Any of these apps, you know, Telegram, Signal, WhatsApp, as I mentioned earlier, they're public registration and that means it's very easy for people to go in and spoof identities.

[00:00:59] Speaker B: This is KBKast as a primary target for ransomware campaigns, security and testing and performance, risk and compliance. We can actually automatically take that data and use it. Joining me today is David Wiseman, Vice President secure communications at BlackBerry. And today we're discussing the eroding trust in consumer messaging apps. So, David, thanks for joining and welcome.

[00:01:26] Speaker A: Thank you, Carissa, for speaking with me today and the opportunity to speak with your audience.

[00:01:31] Speaker B: Okay, so David, let's just go on the same page. What might be good is just give a little bit of context around BlackBerry. What are you guys up to these days as people may have a different version in their mind? And I just want to be clear from the get go, so people are aware what it is that you're sort of doing day to day.

[00:01:51] Speaker A: Sure. BlackBerry is actually doing the same thing we've done for 40 years, which is securing critical communications for governments and people around the world.
That includes NATO, the Five Eyes, all of the G7. But the fundamental difference is we don't do that in hardware anymore. We don't make phones. It's everything we do is with software. So we're providing those capabilities on Apple phones, on Android devices. At this point in time, there's all the uncertainty in the world. There's a bigger and bigger drive for digital sovereignty, both at an individual level and certainly at a national level. And even as people are using large tech platforms and the devices from folks such as Google and Apple, BlackBerry is providing them that digital sovereignty through our software on those devices. So you can have the benefit of big tech, but the security that people have always trusted BlackBerry for. And as a result we really can focus on how do we stop eavesdropping? How do we stop the interception of communications on mobile devices and networks, which is particularly relevant now with the Salt Typhoon attacks in the United States and other countries in recent months, and then also the very recent risks that have come to be seen by people around consumer messaging apps, things such as Signal and WhatsApp, and the risk that those introduce. And those are the areas that BlackBerry today focuses on providing protections to our customers around.

[00:03:23] Speaker B: Okay, so there's a lot of things I want to speak to you about and I'm cognizant of time because I want to be able to, I don't want to skim over details because details are really, really important. So going back to digital sovereignty that you mentioned before. So give us a little bit more context around that, obviously because of geopolitical tension is rising, etc. What? Give us a little bit of context around what you're seeing in, like you said, the AUKUS and the Five Eyes alliance, et cetera.
[00:03:51] Speaker A: Yeah, what we're seeing is that governments, there'd been a bit of a trend to move official communications onto consumer platforms and people said, hey, these are end to end encrypted platforms. This will give us good security. But then there's quickly the realization that they now have lost control over where that data resides, how that data is transmitted, who's actually running and managing the systems. And so therefore, with some of the things we've seen in the recent attacks, the recent data leakages, and we say recent, but there's a long history of this happening for many years, that there's a drive now to say how can we be more sovereign in our communication systems? And so it's digital sovereignty. And what we mean by that is we control the data, we control that communication system, we control who's in our environment, but we're still able to leverage the global networks that are in place, providing connectivity to people around the world.

[00:04:52] Speaker B: Okay, so now I really want to get into addressing maybe the elephant in the room recently in the news there was that US sort of Signal group chat leak which has been in the headlines, etc. So I don't want to go too much into that, but it'd be good in terms of just getting your view and your perspective on that.

[00:05:10] Speaker A: Yeah, and it's not really a single country issue. You know, we've seen, you know, the recent issue in the United States, but it's happened other places in other countries as well. But it just continued to raise the awareness in the world of a big risk to national security is when you're using consumer grade applications, things like Signal, WhatsApp, Telegram, to share sensitive information. And it's not that these are bad apps, it's not that they're not secure, but the problem is they're not allowing you to segregate your personal communications from your official communications.
So it becomes very easy for people to, you know, by mistake, you know, add the wrong person to a chat group by mistake to paste and forward information to someone who is not who they meant to send that information to. But also back to the sovereignty point, these are systems that, you know, organizations and governments actually have no control over. So at the end of the day, you know, this government information, if you're going through those systems, you don't know where it's going to end up, you don't know who's managing those systems. And as a result, you know, it's, it's just not appropriate and you're going to have continued, you know, problems. And that's why BlackBerry focuses on, you know, giving the capabilities to government, to organizations to have that same type of, you know, quick, easy messaging communication, but doing it in a much more sovereign controlled, at the end of the day, secure manner. And security is more than just encryption, it's also identity and it's also having access to records so you can be compliant with Freedom of Information Act requests and these types of things.

[00:06:51] Speaker B: Okay, so just a couple more things on that. So you said before, like, you know, adding the wrong person to the group chat, like that was, that was an accident. These things do happen time to time. So talking just on Signal for a moment in some of, you know, obviously I deal with a lot of, you know, intel people, et cetera. And do you think that it just became more ubiquitous amongst the sort of intelligence community to be like, hey, like we're going to use Signal, we're going to talk on there. And I think when Facebook slash Meta, like, you know, purchased WhatsApp, like a lot of people that I speak to are like, oh, I'm not messaging on WhatsApp anymore, I'm going to be leveraging Signal more. So, so do you think that people, there's just been a little bit more of an uptake for Signal more specifically in that community?
[00:07:28] Speaker A: I think so. And part of it is just it's the next phase of the consumerization of IT. Right. But the challenge here is whenever you have a public registration system and whether it's Signal, whether it's WhatsApp, you no longer can have confidence that you're really communicating with who you think you're communicating with. And while, you know, some people in the intelligence community may feel, hey, this mass global community, people in, in a sense is giving me a sense opportunity for obscurity for my communications, you really have to balance that with the risk of identity and no control over that identity. So I think that's where the pendulum swinging back a little bit that, you know, yeah, that, that was seem like a good idea, but it's becoming clearer and clearer to us that it's introducing risks that we hadn't fully appreciated.

[00:08:19] Speaker B: So do you think as well, David, that people sort of don't really think about it? And what I mean by that question is, for example, like when you turn the light on at home, the light just turns on. Like no one probably nowadays is really thinking about the mechanics and how it works and all of that type of stuff. Maybe back in the day when it was first invented, but not so now, it just sort of works. Do you think that sort of same mindset is towards these messaging apps as well? Like, well, I can just message David on there and it's somewhat secure, then that's good enough for me.

[00:08:47] Speaker A: Oh, I think that's definitely part of the mindset. And then the other part of it is that people feel like security can be difficult. Right. And there's a history in the past of having secure communication devices. You mentioned working with people in the intelligence community and the military and often these devices were difficult to use. And so people say, hey, this is an easier alternative.
And so one of the things BlackBerry's focused on is how can we provide the security the governments need? How can we provide the sovereignty and control over the systems but hide that from the end user? Because if people are going to use it and they're going to adopt it, it's got to be really simple. And I think that's a lesson that governments are learning, that whatever capabilities we provide that meet our governmental needs, they also need to be appropriate for the end users and feel like a consumer.

[00:09:42] Speaker B: Okay, so that's interesting that you said before, like, difficult to use. So I've got a security background historically myself and then moves into this media side of it. So what we've often seen in security, as you would know, is like, it's like, hey, I'm going to make this thing so difficult, but like no one can then leverage it. And that's how things like shadow IT, et cetera, start to, to be created within the, the organization or governments because it's just too hard. Because security's architected in a way where we can't even, there's no usability. So how do you sort of balance. And I know this is a hard question to answer, but I want to get your view from a BlackBerry perspective. How do you sort of balance the, the equilibrium between hey, they need this be secure but of course we need people to use it or else it's sort of counterintuitive by that point.

[00:10:24] Speaker A: Yeah, absolutely. And it's, it's not really a technology thing. It's more understanding the use case and what, the sensitivity of it and what type of people are going to need to do certain communications and thinking about it, is this a spectrum from hey, everyday communications, we really should have some level of protections around these. And I want to be confident who I'm talking to, but I just want to do it on my, you know, just regular phone. And there, you know, technology plays a big part. It's, you know, the policy is very lightweight.
You know, keep in mind what you're talking about, to whom and where. Right, right. And then the other extreme is I want to have, you know, classified level discussion, secret level information. And at that point, you know, people need to have the expectation that there's going to be a lot more controls and policies in place on how they can use these systems. And so I think the mistake that has been made in the past is any system go all the way to the right hand of the spectrum and try to lock it down fully, whereas that's probably just a very small percentage of the use cases. You know, a lot of them are just bring your own device, be aware of what you're doing. But most government works somewhere in the middle with some level of policy, some level of control and you need to pick that right spot in the spectrum where people will say, okay, I know how sensitive whatever I'm working on is and the tools are giving me and the policies are applying or appropriate for that and then they're more willing to do the adoption. So you really align with how you configure and how, what rules you put in place with how people are using it in certain situations.

[00:12:01] Speaker B: So how sort of is BlackBerry then sort of addressing that problem? And I mean there's a couple of things in there that you mentioned like, you know, the whole BYOD, especially if there's contractors or people that are doing sort of off book, sort of like intel projects that people don't even know about, etc. So it's sort of hard now and the lines have been blurred and we all sort of know that. Which is making a little bit harder than the traditional four walls. What are your thoughts then around that and how do you sort of do this with the intent of, like you said, we need to be able to the usability, we need to adhere to the policy, but also needs to sort of be secure as well.

[00:12:30] Speaker A: Yeah. So our approach on this is from a pure communication space.
You know, you want to call people, you want to message people, you want to share files, that, that just needs to be a very simple, easy to use process. Find the people you want to communicate, share with them. Did they read it? They replied to their messages. It's got to feel like a consumer app, but behind the scenes it's got to be a system for government where they have control over the users. Are you actually communicating with who you think you are? They've got control over the data for things like records compliance in the back end and obviously you have the encryption and that you need to feel high level of confidence that the information is going to be appropriately protected. But take that baseline and put it onto just a regular phone and you're pretty far ahead where you might have been in the past. But then one of the other things BlackBerry does is gives management capabilities for devices and whether that's a BYOD device where all we're really managing is that secure communications to a government issued device, where then we are managing what other applications people use, how they use those applications. We have that tooling that allows you to turn and dial those knobs to the appropriate level. But the important part is we started out with ease of use that's sitting on top of very high levels of security that the users don't even realize are there. And so there's not that learning curve resistance.

[00:14:04] Speaker B: So David, the other thing that's coming to my mind as you've been speaking and I literally had this conversation yesterday with someone obviously in media. Like we're sitting across multiple different angles, vendors, et cetera. One of the things that we don't often hear about, I have to be honest, is definitely like mobile stuff. And if you look at, I think every week everyone gets that notification on our phone, like how long we're spending on our phone, it's, it's probably could be a lot more than a laptop nowadays.
So do you think that sort of mobiles and then obviously messaging apps, which is on a phone, you think it's sort of been a bit, a little bit relegated perhaps or it sort of just not popped up from nowhere. But people are so focused on like, you know, protecting the laptops and you know, a network, et cetera, but mobile. And then to your point, like, like messaging apps has just hasn't sort of been there in terms of like the focus that I've noticed out there.

[00:14:54] Speaker A: Yeah, I agree with you. And, and I think that's starting to change. I mean, on mobile, for example, companies, government agencies have, you know, had a long history of like, how do we securely deliver email to our employees. Right. And so there's a lot of effort that's been put into that, but that's really just taking how they did it on a laptop and replicating it as much as possible to a phone. And it's the same communication channel, so people are comfortable with that as an end user for your business email. But the messaging grew up, you know, from the consumer side and then people just started using it more and more for business because they're on their mobile device. It's too much trouble to boot up your laptop. You don't have the laptop with you. And so it's become kind of a reactive thing where, you know, organizations are coming back now and saying they can't say don't use messaging, but they need to give people an alternative because that's basically a preferred platform. And that only accelerated, you know, with all of the work from home things that happened coming out of the pandemic.

[00:15:59] Speaker B: The other thing is as well, like when I work in an enterprise, they would give you like the second phone, for example, because it's got MDM, et cetera, for this purpose. But then I just used to resort back to my original phone because I've had this number literally for like 20 plus years and I don't, I couldn't even remember the other issued work phone as well.
So I just used to resort back to my personal phone, which then sort of goes around the whole problem because again, like I didn't want to carry two phones. I'd forget it. When people ask me about my mobile number. I wouldn't, couldn't remember it because I only remember my own personal number. So are you seeing that in terms of like, behavior of people as well, even if they are issued a work phone?

[00:16:39] Speaker A: You know, there's a big desire by people to, to just have one device, right. So how can I have one device that does my work as well as my personal and does both appropriately? But there's something you said that I want to drill into a little bit and you were talking about how long you've had your phone number and the reason I bring that up is when you start talking about a mobile centric world. The phone number is the identity. And as a result of that, once you know someone's number, that identity association is probably going to be good ten years from now. Even so, one of the risks we see is the collection of metadata and the scooping up of information about who's communicating with whom means that adversaries know a fair amount about any particular person. And maybe as their career grows, as their role changes and the sensitivity of what they do changes, it becomes really easy to target people on mobile and you start to get the spoofing attacks. I'm sure you get text and WhatsApp messages all the time of hey, hadn't talked in a while, what's up? Or you know, you know, people trying to pretend they know you and sometimes even the numbers feel familiar. Right. So people actually leverage the fact that you've had your number forever and probably will have it forever as a vector of attack.
And that's one of the other things that, you know, BlackBerry really works on in terms of the identity is, you know, how do we let people have their numbers and not force them to learn a new number, but still be able to start to provide much higher levels of security for messaging?

[00:18:13] Speaker B: Yeah, this is interesting because like I've spoken about this on the show before and it's like, you know, telcos have got some, some responsibility in this, right? But then they're like, oh well, it's not us because it's like, you know, we're not issuing like necessarily like the phone device technically. So then it just gets like there's a bit of that gray area as well in terms of like where the responsibility starts and then ends effectively? So do you think that as we sort of move forward now that this, this problem will sort of start to get ironed out in terms of who's sort of responsible for what, who's, who's securing what, etc.

[00:18:46] Speaker A: I don't think you can assume that it will because what we're seeing now, you mentioned the telcos and where their line of responsibility is. So many of the services that people use now are over the top that, you know, the telco is just a pipe at that point. So they actually have very little control over, over those systems and very little control of, you know, monitoring them. In a sense, once you move beyond, you know, an SMS and MMS, you know, type of thing, you move to an over the top messaging service and it's not really clear that it's in the business interest of, you know, the large consumer IT companies to do a lot in that space. I mean, they'll do some, but if they go too far, then just the next new company will come along and it'll have the shinier new toy and it'll feel easier to people and they'll just switch over that. So it's like a never ending cycle and that's normal and that's good for innovation.
But it also reinforces why you shouldn't use the same tools for your personal communications that you use for your official communications. Particularly, you know, if you're working in the government. And the pace and the change that happens on those official communication tools needs to be much more controlled. But it can't be so controlled that it starts to feel old to people. So, you know, so there's kind of a new balance and new expectation on how quickly tools need to evolve for people to keep using them. And that applies both to consumer things that you use in your daily life as well as to, you know, the tools that your organization's providing you for communication. So it kind of the standards and the expectations of people, you know, have changed from when they were just doing all this on their laptops.

[00:20:31] Speaker B: So when you say feel old to people, do you mean like from a UI UX perspective or.

[00:20:36] Speaker A: Yeah, I think from a UI UX perspective and then also from a, you know, functionality perspective that, you know, just a very simple example now that, you know, everyone expects I should be able to share my location with somebody on where I need, you know, from a map and tell them where we should meet up. Right. And you tap on that and you get walking directions. You know, that's kind of a basic thing now that, you know, people expect.

[00:21:00] Speaker B: So I want to sort of go into now a bit more specifically on like Signal, WhatsApp more the additional challenges perhaps that people just don't think about. And what are you sort of seeing on that front? I know before you mentioned you gotta have different tools for your work, slash, you know, government role versus your personal. But I want to get into this a bit more because I think this is really interesting and I just don't think enough people are really actively thinking about it.

[00:21:25] Speaker A: Yeah, that's, that's a great area to dig into a bit.
The first thing I would say is, you know, people talk about end to end encryption and that means I'm secure. I would say end to end encryption is just the starting point. And what do I mean by that? I could have an end to end pipe. I'm encrypted. It's going to be very hard for people to listen to my conversation, but it doesn't do me any good if I'm talking to the wrong person. So that's the first thing. You know, any of these apps, you know, Telegram, Signal, WhatsApp, as I mentioned earlier, they're public registration. And that means it's very easy for people to go in and spoof identities. And if you're a serious adversary, a foreign intelligence service, you can become very sophisticated in the way you do that. And I talked earlier about, you know, people have their numbers for a long time. What that means is that if you're a sophisticated adversary, you actually have communication patterns. You know, when people make calls, you know when they message, you know when they talk to certain people. So that means that you can take the identity spoofing and you can tailor it to be even more effective, because now you're going to be communicating with someone pretending you're someone else at a time of the day when they expect it, or at a pace of communications that feels right to them. So they're more likely to fall into that. So, so that whole identity thing, people don't think about that enough. And we saw that in the recent Signal one where, you know, I accidentally added the wrong person. But you can certainly the Russian intelligence, Google put out a recent report where they've been actively using those tools. So people actually didn't feel like they added the wrong person. They thought they added the right person, but it wasn't really that person. The second thing is around the metadata and who's messaging whom and who controls that. And there's two aspects to that. There's the privacy aspect.
If you look at, for example, Meta, their terms and conditions, say, hey, we're going to encrypt your voice call, but we're going to take all the metadata and use it for business purposes. So you probably had that weird experience where you've talked to somebody or messaged them in WhatsApp about a particular topic, and all of a sudden you see an Instagram ad, they didn't have to read your message, they knew who you were talking to, they knew what that person had been searching on on the Internet. Probably a good chance that you know, similar of interest to you and use that to drive ads. But then the other part of it is from the actual government or even an industrial firm, they have a responsibility to keep records. Hey, who did we communicate with? When? Particularly in regulated industries. And there's a big gap when you start to use the consumer systems that people aren't realizing, or maybe they are realizing it and they kind of like it, but it's not appropriate that the whole record compliance, you know, methodology starts to fall apart. So, you know, so those are kind of some of the big areas. And then the third area is sovereignty of. From a personal perspective of do you really know who's. Where your information's going, who has access to it? You know, a pretty big topic that, you know, people haven't thought about enough.

[00:24:30] Speaker B: Okay, this is really interesting. I really want to get into the identity side of things in the. This spoofing example. So just so I have this right. So it's basically, you're obviously in the US I'm in Australia. Hey, I messaged you on Signal. Hey, David, you know, great chat, you know, on the podcast, et cetera. But you're saying now it's getting to a point where I think I'm messaging David Wiseman on Signal, but it's actually not you.

[00:24:53] Speaker A: Correct. And there's actually a Google threat research report.
They, you know, I mentioned they, you know, they had identified an attack by some Russian intelligence agencies where they actually used some of the features of Signal specifically and how you could link it to your desktop to basically intercept the communications and take them over. So you actually initially established a correct connection to me, but then they intercepted it and they take over that communication stream and you're not even aware of it, that someone's using your account. So that's kind of, that's the one extreme. But the, you know, the other extreme is I just go create accounts. And it's easy to spoof a phone number. It's easy to spoof an identity. And I get you, you know, I start you off on a conversation from the beginning. It's not the right person.

[00:25:40] Speaker B: So, for example, I'm a media could easily rip my photo off the Internet, pretend it's some WhatsApp account of me. It's like using certain parlance, perhaps I would use like, referring to KB rather than Carissa, perhaps, like, maybe people would think that. But to extend a little bit more, would you also say, like, for example, the certain vernacular or certain slang words that Australians use or Americans use that perhaps would give you that indicator. But again, you're not really sort of looking for that unless it's really, really obvious. But are you seeing people get caught out just on that, or you seeing people notice to be like, hey, this definitely isn't David. It sounds like a suspect, David, or do you have any sort of insight on that.

[00:26:21] Speaker A: Yeah. And that kind of gets to this topic that's pretty hot right now about deep fakes. Right. And I think even in Australia, you know, some politicians have intentionally volunteered and had deep fake videos made and things like that.
But it's kind of this emergence of all of this metadata and data mining capabilities being combined with the AI capabilities and there's a lot of risk around that that make these deep fakes, you know, more and more effective. But I want to go back to the Salt Typhoon attacks that became public in the US in November last year. I don't know if you recall those, but it turns out that basically all of the US telecom networks have had been infiltrated. And in real time a third party was monitoring all that information, collecting who's communicating with whom, but even being able to listen into phone calls and read text messages. And they particularly targeted political candidates and people close to those political candidates. But, but that's pretty scary. And it's a big shift because we've had situations over the past decade where phone companies or others have lost records, but that was always retrospective. Hey, I lost this calling record. Now someone's going to go mine it and have their own nefarious purposes. But now it's bedded in the network. It's real time. And it's not only who you're talking with, when in real time, but they know how you talk, they know how you text. Putting that into an AI model that almost in real time it turns around and reaches out to you. And you're expecting to hear from me because we'd already had four messages back and forth today and the tone is perfect. Right. And it's on topic. And once that trust is established, then you start to evolve the conversation to extract information. That's what that you want. And I think, you know, the AI tools are, you know, particularly now that they have access to all of this source communication information, doesn't matter. Probably five years from now, probably your tones are similar. Once you have that information out there, you know these attacks are going to be more and more effective.

[00:28:31] Speaker B: Okay, so just to press a little bit more, do you call people on like Signal?
Because I often do. And the reason for that is they're overseas. So I'm seeing a lot of people in the US, UK, etc., Netherlands, so it's just easier for me to call them on there. So going back to like the whole spoofing of the identity that still work or do you think it's even that sophisticated? It's like a deep fake KB voice, for example. But that, I mean, that seems really like extreme. It would have to be sort of a very, very targeted attack. But what are your thoughts then on that?

[00:29:02] Speaker A: So I think it's certainly possible. And you know, as I mentioned, the, the Google Threat Intelligence report on that Russia was doing on Signal. It was that very purpose. Basically they were able to insert themselves into all the conversations and listen. Right now obviously they've got particular targets of interest, but I think that target list could be pretty broad and they might want to collect as much information as they can because maybe in the future someone has an even more important role and they want to roll back to that information. So I think it's certainly possible. I think the bigger risk is around some of the organizations or the apps that are using the metadata aspects for business purposes because there's all kinds of third parties and people that have access and even can subscribe to services around those. There's services out there right now where you can sign up and basically listen into people's, you know, it says it's basically spoofing as a service, hacking as a service. You know, for a monthly fee they'll intercept and let you listen into WhatsApp calls, for example, or read those messages. So who knows, you know, why someone might target a particular person. But if they want to, it's not that hard right now to, to basically take over their communications.

[00:30:20] Speaker B: So you mean any sort of WhatsApp? You could just say, hey, here's the number. Let's, let's, let's see what's going on in there.
[00:30:26] Speaker A: Yeah, there's, there's websites out there where they offer that as a service now.

[00:30:30] Speaker B: Okay, this is really interesting. So let's, so government obviously, you know, for national security secrets, all of that. But then what about then on the enterprise? So I X bank. So at times we would catch people doing insider trading because they would communicate on like Microsoft Lync about some deal trade that they were working on. So do you see that becoming a thing then as well? If they were to listen in on someone's call or WhatsApp or whatever in terms of like insider trading or where do you see that heading?

[00:30:59] Speaker A: I think economic espionage, both at a government level and a corporate entity level is only going to increase and you know, it could be, hey, you want to front run a trade that someone's doing, you may be competing on a very large contract and you want to understand what your competitor's strategy is. It may be, I've got factories in foreign countries and you want to listen in and extract, you know, IP about their production processes. There's a lot of reasons, you know, from a business perspective, beyond the obvious ones of, you know, just protecting personal information about your customers and your employees.

[00:31:39] Speaker B: So do you think it's just going to potentially go full circle back to the, the olden days of meeting people in person or like, obviously you can't because we're working across like, you know, different countries and regions, so. I understand that. But do you think it's going to get to a point where it's like, can't even trust this at all or what? Where do you see that heading then in the future?

[00:32:00] Speaker A: Yeah, well, I think right now people for the most part just assume their communications are safe. And I think we really need to change that mindset.
And I think what's going to happen is people are going to become more selective about what types of methods they use to communicate in the future. And it might move away from this, you know, just total social openness to much more private communication networks. And, you know, maybe everything isn't appropriate to be, you know, a Google chat on the Internet at this point. Right. And recognition of that, you know, I think is already happening at the government level. Let's kind of pull back that control. But I think over time that's going to happen at the personal level also. And people may have a whole series of applications that they use to talk to particular people just so that there's not an aggregate view available to someone of their communications. So it's kind of like you're not meeting in person, but I've got this private way to talk to you.

[00:33:00] Speaker B: Got it. So before we move to the metadata, just one other thought as well as, as you were speaking, is going back to the whole end to end encryption. Do you think that sort of just, you know, when people see the word organic, they just automatically think, oh, it must be good because the word's organic on there. Now, whether it is or it isn't is a different conversation. But do you think that sort of assurance from an end to end encryption is sort of there for people as well?

[00:33:21] Speaker A: Oh, I, I think people assume, you know, end to end encryption, it's safe. However, assurance is the key word there. Right. How do you know? Even if the company that's saying that means well, how do you know it's actually implemented correctly? How do you know they haven't made a mistake? How do you know you're, they're actually doing what they say they're doing?
And that's where certifications become important, particularly for corporate entities, particularly for government agencies, that they need to actually see certifications that have been done by other government agencies around the world to back up that encryption. And that's one of the things that BlackBerry invests very heavily in for our secure communications. Our system called SecuSUITE, that we actually have multiple Five Eyes governments that do security validations, as well as like NATO and Germany and other countries and organizations. And they independently validate it and make sure that, you know, things are implemented correctly. And as a result, they say, hey, this can be used for classified information in our country or sensitive information in our organization.

[00:34:27] Speaker B: Okay, so, David, I want to now move on to the whole metadata side of things. I want to get into a bit more. So what do you think people just aren't aware of when it comes to metadata?

[00:34:35] Speaker A: How valuable it is. And by valuable, I mean it becomes the tool that is the basis of a lot of cyber attacks and how easy it is to, to in a sense, get access to the metadata and how rich that information set is. You know, I'll go back to WhatsApp, for example. You know, you can go into WhatsApp and you can download the data they have and it's going to tell you who you've talked to, what groups you're in, where you've been at different points in time, all this information and that information is available and actively used by Meta to sell advertising. But the bigger risk there is that information is available for other people to steal. And, you know, you don't actually have to listen into our conversation to get a good sense of what we're talking about.
If you notice changes in communication patterns and hey, what time and what other people are now being roped into the conversation, you can learn a lot about a person, about an organization, about a government, just from that metadata. And people have probably seen the police movies. You know, you have the wall, you got the string, the little pins, who was here, who was there, and they use that to solve the crime, that that's, that's metadata.

[00:35:47] Speaker B: But do you think as well, though, Dave, this I'm hearing like with all of these breaches, people are saying like, oh, well, I don't care because, oh, I'm already, you know, with the whole Medibank and Optus and, you know, X, Y, Z, the next breaches they're going to hear in the future, you think people are becoming desensitized? We were going to say, oh, well, David, who cares? So what are you hearing a little bit of that? I mean, maybe on a consumer front, less so government. But what are your thoughts then on that? Because everyone's like, you know, well, I've got my whole Facebook out there and all my kids are on there and you know, my whole, my whole life's out there. What, where do you think now in terms of, do you think people just have given up on the whole sort of privacy etc or where's their head at you?

[00:36:25] Speaker A: Maybe they feel that way, but I'm not sure they're going to feel that way when all of a sudden there's a thousand dollars missing from their bank account or, you know, I don't think they're going to feel that way if you're a politician and all of a sudden you're on the front page of the paper for, you know, leaking very sensitive information that, you know, hauled in front of the legislature. But I think people are going to look at what they do and say, okay, well what are the actual things I do care about and how can I be more careful about protecting that information?
Already a lot of people intentionally don't put pictures of their children out on Instagram and stuff like that because, you know, they're worried about what are the future implications just sharing that information. So, so I think there's already a start of that in kind of the public mindset. But I think that's going to continue to evolve and it's really going to be people are going to compartmentalize about, hey, what I'm willing to share and what I want to be a lot more careful around.

[00:37:18] Speaker B: And would you say people are becoming a lot more cognizant of what they share versus what they are not sharing, for example?

[00:37:23] Speaker A: I think so and I think it's two parts to it. Part of it is I run into a lot of people now, they're like, oh, just, you know, call me because I'm taking a social media break for a while. Right. So there's that, you know, overall just take a break from it. But then I, I do think I see a lot of people now, you know, using just auto expire messages and, and things like that just so they don't intentionally build, you know, at the end of the day that data's out there, but at least the long term history is not easily accessible to everyone. So I think more people are kind of defaulting to, you know, short term data visibility.

[00:37:58] Speaker B: Yeah, that's interesting. What about those like disappearing messages, for example? Do you think that they actually in reality really disappear or they're distilled somewhere but you visibly can't see it in the chat, for example.

[00:38:07] Speaker A: Oh, I think they, they, they're stored somewhere and the data might eventually be written over. But, you know, there's lots of, you know, if you, if you talk to people that are into digital forensics, if it was ever on disk, there's a good chance they can recover it.

[00:38:22] Speaker B: So given everything that we've discussed today, which is a lot, where do you think so do we go from here?
And I know that's a very broad question, but just from, given your role, your pedigree, your experience, what you're doing, it's just always interesting to get your perspective then.

[00:38:36] Speaker A: Yeah. So I'd say a couple of things. One, from a government perspective, you know, the digital geopolitical landscape's increasingly volatile. And I don't think that's going to calm down and that, you know, data sovereignty is more critical than ever for national security. And that needs to kind of feed into policy. And what that means is that, you know, organizations and industry as well as government, they need to take more control over their data, over their communications, but they need to do it in a way that's not going to chase their employees away from using the approved systems. So you need to educate on the risk of using consumer systems, but you got to give them an alternative that, you know, makes sense to them, is easy to use. And then the other thing is you, we kind of talked about, you know, deep fakes and voice spoofing and all that in terms of people, information being gathered about particular people. But that also becomes a tool to flip around and bad actors try to use that to influence public opinion. And we just look over the next few months, you know, we've got elections, you know, in Australia and Canada and numerous countries around the world. And every election cycle, you know, this negative influence aspect becomes, you know, stronger and stronger tool that are, that's being used to try to manipulate things. So, you know, we have to understand this, eavesdropping, the interceptions already happening. And with that in mind, what responses do governments have to take to protect their communications and to protect the integrity of the information that the public receives?

[00:40:11] Speaker B: So, David, do you have any sort of closing comments or final thoughts you'd like to leave our audience with today?
[00:40:16] Speaker A: You know, my final thought is, you know, if you're going to rely on consumer apps for critical communication, you're making a big gamble, particularly, you know, if you work for the government and that sensitive information and it's easy to make mistakes. And so you need to think about that and you need to really put a messaging and communication system in place such as BlackBerry SecuSUITE that's going to provide the controls that are needed.

[00:40:45] Speaker B: This is KBKast, the voice of Cyber. Thanks for tuning in. For more industry leading news and thought provoking articles, visit KBI Media to get access today. This episode is brought to you by Mercset. Your Smarter Route to Security Talent Mercset Mercek's Executive search has helped enterprise organizations find the right people from around the world since 2012. Their on demand talent acquisition team helps startups and mid sized businesses scale faster and more efficiently. Find out [email protected] today.
