Senior political officials asked to use encrypted messaging amid cyber espionage. What is it?
Smartphone users should familiarize themselves with encrypted communication to protect their data.

The United States government is asking senior government and political officials to use only encrypted communication as concerns grow about what the Federal Bureau of Investigation (FBI) has called a "significant cyber espionage campaign" led by the Chinese government.
The Cybersecurity and Infrastructure Security Agency (CISA) issued guidance this week on how to avoid the theft of private communication for "highly targeted" individuals, identified as senior government and senior political figures.
The guidance follows an investigation opened by the FBI and CISA last month looking into suspected cyber espionage targeting the country's telecommunications infrastructure with connections to the People's Republic of China. The agencies have said that those targeted were a limited number of people, primarily involved in political activity. However, the hackers may still be at work and the government is asking all smartphone users to be cautious of their communication methods.
CISA is encouraging highly targeted individuals to use only encrypted communication for the time being. Here's what to know about end-to-end encrypted communication and what steps all smartphone users can take to protect their data.
What is encrypted communication and how does it work?
End-to-end encryption is a security method in which data can only be accessed by users participating in the communication. No one else, like telecommunication or internet providers, can access the communication.
Essentially, when data is encrypted, it is scrambled around to create what is known as ciphertext, according to Encryption Consulting. Only a secret key can "unlock," or decrypt the data. This key is a unique, random string of characters, like a password.
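The scrambling and unlocking described above, as an added example that is not part of the original article: the sender's phone encrypts, the network carries only ciphertext, and only the holder of the key can read or accept the message. It assumes both phones already share a secret key, and it uses an HMAC-SHA256 stand-in built from Python's standard library rather than the vetted protocols real messaging apps use; all function names are illustrative.

```python
import hashlib
import hmac
import secrets

def _prf(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib stand-in for a real cipher.
    blocks = (length + 31) // 32
    stream = b"".join(_prf(key, nonce + i.to_bytes(8, "big")) for i in range(blocks))
    return stream[:length]

def encrypt(shared_key: bytes, plaintext: bytes) -> bytes:
    """Sender's device: returns nonce + ciphertext + authentication tag."""
    enc_key, mac_key = _prf(shared_key, b"enc"), _prf(shared_key, b"mac")
    nonce = secrets.token_bytes(16)
    stream = _keystream(enc_key, nonce, len(plaintext))
    body = bytes(p ^ s for p, s in zip(plaintext, stream))
    return nonce + body + _prf(mac_key, nonce + body)

def decrypt(shared_key: bytes, blob: bytes) -> bytes:
    """Recipient's device: verify the tag first, then unscramble."""
    if len(blob) < 48:
        raise ValueError("message too short")
    enc_key, mac_key = _prf(shared_key, b"enc"), _prf(shared_key, b"mac")
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(mac_key, nonce + body)):
        raise ValueError("rejected: wrong key or message altered in transit")
    return bytes(c ^ s for c, s in zip(body, _keystream(enc_key, nonce, len(body))))

def flip_one_bit(blob: bytes, index: int = 16) -> bytes:
    """A single-bit change made somewhere on the network (constructed)."""
    return blob[:index] + bytes([blob[index] ^ 1]) + blob[index + 1:]

if __name__ == "__main__":
    key = secrets.token_bytes(32)            # assumed already shared by both phones
    message = b"Meet at 10:00, room 4"       # constructed sample message
    on_the_wire = encrypt(key, message)      # all a carrier or provider can see
    print("wire bytes:", on_the_wire.hex())
    print("recipient reads:", decrypt(key, on_the_wire))
    for label, k, blob in [("wrong key", secrets.token_bytes(32), on_the_wire),
                           ("altered", key, flip_one_bit(on_the_wire))]:
        try:
            decrypt(k, blob)
        except ValueError as err:
            print(label, "->", err)
```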
What common messaging services use encryption?
Apple's iMessage, Meta's WhatsApp and Google Messages all encrypt data. Signal is another free encryption software that allows users to share texts, videos, photos and files.
Why is SMS not encrypted?
Short Message Service, more commonly known as SMS, is not encrypted. This is because when SMS was released − the first text message was sent in 1992 − digital security concerns were not as great as they are today. Additionally, encryption software was not as robust.
SMS messages travel through the cellular network, making them vulnerable to interception by hackers.
Other recommendations to protect data
In addition to encrypting communications, CISA recommends the following practices:
- Enable Fast Identity Online authentication. This type of authentication uses the strongest form of protection to secure accounts and other sensitive information. Google Titan and Yubico are recommended.
- Do not use SMS as a second factor for authentication. SMS messages are not encrypted and could be at risk of theft.
- Use a password manager. Apple Passwords, LastPass, 1Password, Google Password Manager and NordPass are a few options.
- Set a Telco PIN to your mobile carrier account to protect sensitive mobile operations.
- Regularly update software.
- Opt for the latest hardware version from your smartphone manufacturer. Newer hardware includes critical security features that older hardware may not support.
- Do not use a personal VPN.
Here's how iPhone users can protect mobile data
CISA recommends that iPhone users take the following steps to protect mobile communications:
- Enable Lockdown Mode, which limits certain apps and features and makes some features unavailable, like SharePlay and Live Photos.
- Disable SMS. To disable, open the Settings app, click Apps, then Messages and disable "Send as Text Message."
- Protect the Domain Name System by using a service like Cloudflare's 1.1.1.1 Resolver, Google's 8.8.8.8 Resolver or Quad9's 9.9.9.9 Resolver. These services support encrypted Domain Name System queries and prevent interception by hackers. The Domain Name System translates human-readable domain names, like google.com, into IP addresses.
- Enroll in Apple iCloud Private Relay, which uses a secure Domain Name System, masks IP addresses and splits traffic between Apple and a third-party server to reduce the chances that one entity could link browser behavior to a user's identity. Read the iCloud User Guide to learn how to enroll.
- Review app permissions and restrict unnecessary access to data like location, camera and microphone. To review, open the Settings app and click Privacy and then Security.
Here's how Android users can protect mobile data
CISA recommends that Android users take the following steps:
- Prioritize models from manufacturers with strong security track records and security updates. Check Android's Enterprise Recommended devices to learn about the best models.
- Only use Rich Communication Services if encryption is enabled.
- Configure Android Private Domain Name System by using a service like Cloudflare's 1.1.1.1 Resolver, Google's 8.8.8.8 Resolver or Quad9's 9.9.9.9 Resolver.
- Confirm "Always Use Secure Connections" is enabled. In a Google Chrome browser, ensure this setting is enabled to protect browsing history.
- Confirm "Enhanced Protection for Safe Browsing" is enabled. In a Chrome browser, ensure this setting is enabled to protect from malicious websites, phishing attempts and harmful downloads.
- Confirm Google Play Protect is enabled. This setting reviews and prevents the download of dangerous apps.
- Review and restrict app permissions. To review, open the Settings app and click Apps and then click Permissions Manager. Restrict unnecessary access by apps to data like location, camera and microphone.
Greta Cross is a national trending reporter at Paste BN.