Watching a news report on the COVID enquiry, I wondered why so many key players were using WhatsApp for communicating matters of policy, critical communication and decision making.  All information we as the public would expect to be secure.

Beyond Privacy: The Limitations of Secure Messaging

First, this is not a dig at WhatsApp – it does what it says.   WhatsApp provides a mechanism for two communication parties to exchange messages, and claims to provide (and I have no basis for doubting the claim) a solution where “No one can … read your personal messages”.  They label this as a feature of security – so WhatsApp (from their own marketing claims) allows you to exchange information securely.

Privacy vs. Security: A Security Professionals Perspective

As a security professional, I have a problem with that.  The capability described allows you to exchange information privately.  Privacy is one aspect of security, but not the only aspect.

I argue that backup and recovery are also part of security.  Accurate log records of communication, and providing accountability, is also part of security.  Obtaining lawful access to historical data are also part of security.   These capabilities would fall within the data retention policy.   All things WhatsApp avoids – by being designed to protect privacy only. These are capabilities you would expect to be designed into and complied with in a secure information exchange solution, which would also have to protect privacy (via ensuring authorised access to information).   Had the key players been using a secure information exchange solution, rather than exchanging information securely, a lot of the political ducking and diving the enquiry has seen via “Whoops sorry, deleted that message” would have been avoided, via lawful access to secured government records.

Assessing Responsibility: Government Officials and IT Providers

So who’s a fault here?   The key government officials for using WhatsApp?   Partly.   They may have broken security policy (the enquiry has yet to explore this angle), but users will use whatever they need to use to get the job done, and in times of crisis will use whatever is quick and easy.  

Some culpability also has to come for the providers of business IT equipment they were expected to use – was it as easy to use as WhatsApp, or was it a cumbersome tool that needed several layers of authentication before being able to access the system – and even then, only able to communicate with authorised users, not the wider set of stakeholders we see being engaged.  I am speculating as to why here, but it is a very common problem where a security solution has great security features, but is hard to use, which pushes users toward so-called shadow IT (WhatsApp in this case). 

Oh, and then there is the question of how WhatsApp was even installed on the phone – under the government’s own standard – Cyber Essentials – the phone should only contain Apps approved for business use.  So presumably WhatsApp was approved for Government use, which begs the question: how did that come about and how was it expected to comply with Government Data Retention policies?

A Secure by Design Approach

At Nexor, we advocate for a Secure by Design approach, addressing security comprehensively to meet the needs of all stakeholders. Our services and solutions look at security from all angles, assesses the risks from multiple angles then designs an appropriate solution.

Investing in a Secure by Design solution goes beyond merely exchanging messages securely; it entails implementing a comprehensive framework that safeguards information exchange at every level. Let’s prioritise true security in today’s digital landscape.