In mid-December, a new set of best practices aimed at securing mobile communications was issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), specifically targeting “high-value individuals.” This move comes in response to reports of Chinese-backed cyberattacks on U.S. telecommunications infrastructure, including the breach of Verizon and sensitive phone records involving U.S. political figures. While the focus is on individuals dealing with sensitive matters, the recommendations can be implemented by anyone looking to enhance the privacy of their communications.
The five-page “Mobile Communications Best Practice Guidance” was released to address the increasing threats against senior government and political figures, whose communications are lucrative targets for foreign adversaries. CISA emphasized the importance of heightened security measures following the discovery of Chinese-affiliated actors compromising U.S. telecommunications providers, resulting in the theft of call records and other sensitive data.
The guide advises high-profile individuals to assume that all mobile communications, whether from government or personal devices, are at risk of interception or manipulation. The primary recommendation is to use end-to-end encrypted communication platforms like Signal or WhatsApp to ensure the security of private conversations. Additionally, CISA suggests avoiding SMS messaging due to its susceptibility to interception by attackers who may exploit vulnerabilities in telecom networks.
In addition to encrypted communication platforms, the guidance emphasizes the importance of using phishing-resistant authentication methods such as FIDO protocols for logging into key accounts. FIDO services like Yubico or Google Titan offer robust multi-factor authentication, adding an extra layer of security. High-value individuals are also encouraged to enroll in Google’s Advanced Protection Program for Gmail users.
Moreover, CISA advises the use of password managers, implementation of a PIN or passcode for mobile accounts, and safeguarding sensitive mobile transactions, such as number porting, from SIM-swapping attacks. Keeping mobile devices up-to-date with the latest software and using the most recent hardware versions are essential for maintaining security.
Lastly, CISA cautions against using personal VPNs, as they may shift risks from an internet service provider to the VPN provider, potentially increasing the attack surface inadvertently.
Overall, the new best practices from CISA aim to equip high-value individuals with the necessary tools and strategies to enhance the security of their mobile communications in the face of evolving cyber threats. By following these recommendations, individuals can better protect their sensitive information from malicious actors seeking to exploit vulnerabilities in communication networks.