Executive Summary
The Covid-19 pandemic created a massive surge in the use of video conferencing technologies and the number of service offerings. The sudden expansion of these services and our reliance on them has raised understandable concerns about risk and security.
Media reporting on video conferencing (VTC) risk was not always accurate. Suggesting that a competitor has security problems is one technique used to shift markets and customers. However, if these suggestions are provided without attribution, they are not a very good basis for assessing risk.
Since covert entry to a VTC meeting is almost impossible—since interception of communication is expensive for an attacker and defeated by encryption—and if the use of commercial cloud services mitigates many risks, the overall cybersecurity risk of using a major VTC service is no greater and possibly less than anything else done on the internet.
VTC services generally pose a lesser risk to privacy than many apps, websites, or search applications.
Encryption is essential for reducing the risk of using VTC and is provided by major suppliers. End-to-end encryption adds a layer of protection but comes at the cost of reduced services and regulatory concerns.
The leading VTC services have begun to converge in two key metrics: convenience and security. Competition over which VTC service to use is increasingly a matter of price, innovation in new services, interoperability with other programs, and consumer preferences.
Video Conferencing Technology and Risk
One effect of the Covid-19 pandemic has been an explosion in the use of video conferencing technologies and the number of service offerings. There are tens of millions of daily users on Zoom, Teams, WebEx, and other platforms. These products offer the ability to have virtual meetings with large numbers of people from any location connected to the internet. The number of platforms has also increased dramatically. Although Zoom, Teams, and WebEx have the largest market shares, they have more than a dozen competitors (both U.S. and foreign) offering similar services. The sudden expansion of reliance on these technologies has raised understandable concerns about risk and security.
The surge in the use of video conferencing technology focused attention on the security of these communications. In fact, much of the discussion of security was overblown, but there were issues, and the barrage of charges was principally aimed at shaping demand for different products.
We can divide these concerns over security into six categories: software development risk, loss of personal information, interception of communications, illicit access to stored data, damage to privacy, and use for influence operations. Some problems, such as unintended intruders into meetings who engage in disruptive behavior, have been remedied. It is important to note that media reporting on VTC risk was not always accurate, for reasons that will be discussed later.
It’s also important to place the risk of using video conferencing technology in the larger context of cyber risk on the internet. There is always risk in using anything that connects to the internet, and there are risks with anything that connects to China. An assessment of risk needs to look at both the risk of using one technology or service compared to others and the risks of video conferencing in the broader digital environment. There are other concerns that drive choices of VTC services—chief among them convenience and cost—but security has dominated much of the initial discussion of their use.
The first question to ask is whether using a video conference service is riskier than any other internet app. The answer is no. The second is whether one VTC application is riskier than another, and again, while the risk profile of different services varies given different company practices, the answer is also no.
How VTC works is easy to describe (although this does not do justice to the sophisticated software it uses). Video and audio input from a device’s camera and microphone are converted from an analog to a digital signal that can be transmitted over the internet. Compression software (known as a codec, for compression/decompression) shrinks the data to make it smaller and faster to transfer. When the data arrives at the other end, codec software decompresses it and converts it back to analog signals that can play on speakers or a screen. Most VTC programs use software for noise suppression and sound control. The process requires high-speed, high-capacity internet connections and networks. Users can either install an app or attend a meeting by connecting through their browser.
The intent of potential attackers is not an issue. Based on years of observation, we can simply assume hostile intent to gain political, intelligence, or financial benefit. Hostile states—chief among them Russia, China, Iran, and North Korea—and omnipresent cybercrime groups make this a dangerous online environment. Potential attackers are opportunistic, often persistent, and well-financed. Any device that connects to the internet can be a target, and many are vulnerable. Yet that is not the issue; instead, it is whether opponents perceive greater opportunity from attacking VTC or whether they decide their efforts are best spent elsewhere, and whether users are incurring greater risk through the use of video conferencing than they would from using any other internet service.
To evaluate this, we can examine broad categories of cyber risk: illicit access for espionage or crime, disruption of services, loss of personal information, and influence operations. All of these risks accompany any online activity. Risk is already omnipresent online, and the issue is not whether there is risk but how that risk is managed. This means that another area for consideration involves assessing company efforts to manage cybersecurity and privacy risks.
Cyber risk is not really a differentiator for major VTC services. The current leader in market share, Zoom, at first had issues, but these were a reflection of company maturity as much as anything and have largely been addressed. Zoom was also the target of a media campaign intended to discredit it. Microsoft Teams has moved rapidly to improve services, and it benefits from Microsoft’s larger commitment to security and effective development practices. WebEx is both secure and convenient. Competition over which VTC service to use is increasingly a matter of price, innovation in new services, and consumer preferences since the leading services have all begun to converge in two key metrics: convenience and security.
Risk from Espionage and Cybercrime
Espionage is one of the hallmarks of cyberspace. At any moment, numerous intelligence programs are being used by a number of powerful states operating in cyberspace. The issues for video conferencing are whether its use increases the risk of data loss, the value of information obtainable from the app, and how difficult it is to obtain illicitly. Highly valuable information will elicit considerable effort from the attacker; less valuable information will lead them to look elsewhere. This means government and business users are the most likely targets.
Video conferencing technologies, by their very nature, limit espionage and cybercrime risk. An espionage effort aimed at a VTC service would need to access either communications during the actual call or access stored data if the call is recorded. This would need to be done surreptitiously, and the targeted data would have to be valuable enough to justify expending resources on VTC rather than some other target.
Video conferencing is not an efficient avenue for financial cybercrime since users rarely store financial data and the opportunities for “phishing,” the most common criminal technique, are also limited. Returns from the theft of intellectual property are also limited, as people don’t usually transmit or store company sensitive information such as blueprints or other intellectual property. There is a benefit, of course, from being able to listen in to business conferences, but this is difficult to do surreptitiously. These limitations make VTC of lower value for cyber espionage or financial crime.
The risk of interception for VTC is similar to the risk of using Voice over Internet Protocol (VOIP) for communications. The digital data of a VOIP call can with some effort be intercepted and if the signal is not encrypted, an eavesdropper will have access to the communications.
But it is difficult for an eavesdropper to avoid appearing in a video conference session. Their name will appear even if their image does not, and there is no public discussion as to whether the more advanced intelligence agencies have developed techniques for covert attendance in Zoom conferences. It could be possible to listen in on video conferencing as the speech and the video are transmitted over the internet. This would be essentially the equivalent of wiretapping, but video conferencing companies have sought to address this problem through the use of encryption.
As a general rule, it is easier to access, copy, and exfiltrate stored data. However, the leading VTC providers use the cloud for storage. Microsoft, for example, uses its Azure cloud network, and Zoom uses Oracle. This means the risk of using VTC is no different than the risk of any other cloud use, as these larger cloud service providers are very secure. The use of commercial cloud services reduces risk to almost zero.
Since covert entry to a VTC meeting is very difficult, and since the interception of communication is expensive for an attacker and defeated by encryption, and if the use of cloud services reduces risk to stored data to zero, the risk of using a legitimate VTC service is no greater and probably less than anything else done on the internet.
A hacker could discover a “bug” in the VTC code and exploit this for either access to digital traffic or stored data. All software has bugs. Often these are unintentional coding errors that affect functionality or that provide for illicit access. The complexity and size of programs and applications guarantee this. The need for VTC to interface with browsers, such as Internet Explorer, Chrome, or Firefox, also creates opportunities for inadvertent vulnerabilities that hackers can exploit. The best practices to address bugs include development practices that emphasize security, company research on potential vulnerabilities, frequent patching, and updates to address any bugs that are discovered. The best VTC services offer a “bug bounty” where researchers external to the company are rewarded for reporting what they have discovered. One way to assess the risk of individual VTC offerings is to determine if they have these software best practices in place.
Encryption and VTC
Major VTC services provide users some level of encryption by default. This reflects standard practice across the industry. Teams, for example, uses the Public Key Infrastructure (PKI) key management features of Windows Server and MTLS (Mutual Transport Layer Security), a cryptographic protocol used to protect the transfer of data. Microsoft, Cisco, and others have spent years developing effective encryption for their enterprise applications, and most VTC apps follow in their footsteps.
End-to-end encryption provides another level of data protection. Currently, WebEx and Zoom offer end-to-end encryption. Essentially, the user controls the cryptographic key needed to encrypt and decrypt the traffic generated by the VTC meeting rather than the service provider. This means that only the user has access to the encryption keys and (barring heroic and expensive efforts) to the plaintext. End-to-end encryption adds a layer of protection but comes at the cost of reduced services and increased regulatory concerns. The default encryption provided with VTC products is sufficient for thwarting potential attackers, but users who want a higher level of privacy and security may find the trade-offs from using end-to-end encryption acceptable.
The use of encryption is a central part of any VTC defense against espionage. China occupies a special category of risk, given its aggressive espionage efforts and its massive domestic surveillance program. Its national practices and laws show that any information is potentially a target for the government to collect. There is a reasonable risk that China will attempt to surveil any video communications as it now does with any Internet communications between Western companies. The issue is what content is available and of interest to the Chinese State that would justify its collection, but business communications have been a principal target in the past. As a general rule, not just for activity in China, sensitive communications should be encrypted.
Privacy
The privacy risks associated with the use of VTC depend on what data the service provider collects and how that data is used. The information collected to open a VTC account does not vary widely from app to app. It can include name, address, email address, phone number, job title, and employer. The risk from this collection of information is low. This personally identifiable information (PII) is often already available from open source sites or black markets. The intelligence value of PII available from VTC accounts is limited, and basic biographic data does not provide useful information, even when cross-referenced with other data. This makes VTC less useful as a source of data for cybercrime or espionage. It is also usual for the service provider to collect the type of device being used and the IP address when someone uses the platform, even without an account.
The question for privacy risk, however, is not just what is collected, but rather how it is used. In this, VTC services generally pose a lesser risk to privacy than many apps, websites, or search applications, since the big VTC services do not have an advertising-based revenue model, where personal data is harvested and then used or sold for advertising. What makes this kind of user data valuable is when it is combined with indicators of interest that are provided by search queries, websites viewed, geographic location, or keywords in email. PII is most valuable when these are collected, analyzed, and correlated with other data, and then used or sold for commercial purposes. Well-known examples include Google and Facebook, but there are a number of less well-known data collectors since the practice is the norm online. The major VTC services do not use this kind of data collection model as a way to generate revenue.
Zoom, at first, had issues stemming from a relationship with Facebook that have since been rectified. The Zoom app notified Facebook when a user opened the app and provided details on the device, the time zone and location, the network service provider, and, more troubling, a unique identifier which could be used for targeted advertising. This data transfer to Facebook was at first not described specifically in Zoom’s privacy policy, although the policy did say that “third-party service providers and advertising partners (e.g., Google Ads and Google Analytics) automatically collect some information about you.” When this omission was pointed out, Zoom removed the Facebook “Software Developers Kit,” which had collected the data as part of allowing a Zoom user to log in using Facebook credentials.
All of the major VTC services have taken action to make their services compliant with the European Union’s General Data Protection Regulation (GDPR). WebEx, for example, is accredited under the EU Binding Corporate Rules that require policies that are fully aligned with GDPR. These involve differing mechanisms for consent, options for “cookies,” and management of personal data. GDPR’s requirements for transparency, accountability, and user control set a global regulatory baseline, although in some instances, the application of these measures is limited to consumers with an IP address in Europe. The measures address the requirements of GDPR for user consent and control of data (and in some cases, the requirements imposed by California state law). There is a real risk to privacy online, especially in countries with weak regulatory regimes, but the use of VTC does not increase this.
VTC and China
One potential alleged risk is the development of software for these video conferencing projects in China. In fact, many large software companies have development offices in China—the most obvious being Microsoft, which has been there for years. Microsoft has developed effective controls to mitigate the risk of this software development process to avoid creating security problems in its products.
Interviews with a number of companies suggest that the primary reasons for having development offices in China are to customize their products for the Chinese market and to take advantage of the talent pool that exists in China. For video conferencing, customization for the China market is less important because the primary market before Covid-19 was Western enterprises that wanted video conferencing capabilities. Since Covid-19, the market has shifted to include both enterprises and consumers and a range of consumer-facing applications including health and education that do not pose customization issues. None of the major video conferencing platforms rely on Chinese software or make extensive use of Chinese coders for their platforms.
Most companies that do software development in China take a number of steps to ensure greater security. These include compartmentalizing the software development process so that Chinese developers do not have access to code for the entire product, ensuring that the “crown jewels” for any program remain under U.S. control and in many cases are developed within the United States, and finally using encryption and other defensive measures to prevent access to code by unauthorized personnel in China. The development of these steps has been driven by the very real risk of espionage and surveillance in China, and this alone motivates companies to protect their software because of the fear that it could be copied and stolen by Chinese employees even if the Chinese state is disinterested—a problem that goes back decades. These measures are fairly well-known within the IT industry and are used by major video conferencing platforms.
The concern is that the Chinese developers employed by a Western company could be recruited by the Chinese state to tamper with or surreptitiously insert malicious code into a product that would provide access to communications or data. But there is no evidence that this has occurred with videoconferencing products. While the risk of supply chain poisoning remains important, we need to think of it in terms of the priorities of the opponent. In the cases of these VTC services, where the ability to access software without detection is difficult and might require more effort and investment than other targets, this could lead opponents to look elsewhere for opportunity. An opponent might pursue other avenues for data access, and while we cannot dismiss the risk of supply chain poisoning, it remains a low probability threat for video conferencing platforms.
Censorship and Influence Operations
Other security issues raised by China include influence operations and censorship and the application of Chinese laws regarding content. The most famous example might be TikTok, where there was a fear that China would use this short video platform as a means for influence operations. This is a dubious concern since the bulk of the messaging on TikTok does not lend itself to Chinese propaganda. Similarly, use by China of VTC platforms for influence operations will be extremely difficult, given the format and the lack of anonymity.
Influence operations are another hallmark of cyberspace and, after espionage, the most common form of malicious activity by nation-states. Russia, China, and Iran are the leading users of influence operations, which move traditional propaganda and disinformation online and make use of both covert and overt social media campaigns—which have immensely increased the reach of influence operations and the ability to spread false or misleading information. None of the VTC platforms are attractive for influence operations. Early problems such as unintended intruders into meetings who engaged in disruptive behavior, or “zoom-bombing,” which could be seen as a primitive form of influence operation, have since been remedied. Given that the content is “live,” attendance is a matter of choice, and surreptitious participation is difficult, VTC is not a good platform for influence operations.
The greater risk is not injecting propaganda or misinformation into video streams but censorship. China has been active in ensuring that any company that operates on its networks observes its national laws regarding the censorship of content that the Chinese government regards as politically harmful. In this, the risk is again minimal. Consumers using VTC are not accessing Chinese content, and major video conferencing platforms have been careful to design their platforms so that they are not subject to Chinese controls.
Censorship is a problem, but not one that any individual company can address. It arises if someone is using VTC in a country that censors content, and that country demands that the VTC service provider block certain meetings. Most companies deal with this by stating that they observe the laws of the country where the service is being used but do not apply those laws to users outside of that country’s jurisdiction. This involves filtering users by probable location (based on the IP address) and not applying censorship requests to users outside of the jurisdiction in question.
This issue is mainly raised by China, given its government’s agitation over anything that deviates from the Party line or seems critical—concerns that are complicated by China’s deep business interconnections with the rest of the world. Zoom was criticized for its mishandling early in the pandemic of censorship vis-à-vis China, but this reflected the company’s immature internal processes and appears to have been since rectified. This problem goes back to the Yahoo incident of 2006. While the solutions remain unsatisfactory, it is part of the larger international dispute over China’s disregard for fundamental rights and efforts to apply its national restrictions on an extraterritorial basis. However, China’s controls do not apply to content created and consumed outside of its jurisdiction. This puts VTC meetings outside of China’s reach.
Media Coverage Driven by Competition
In understanding the public story on the security of VTC service providers, it is worth placing these stories in the context of the hyper-competitive tech market. The House of Representatives provided examples of this kind of competitive behavior. In this environment, suggesting that a competitor has security problems is one technique used to shift markets and customers. Early media reporting on VTC security vulnerabilities seems to have been driven at least in part by these kinds of competitive concerns. However, reporting without attribution is not a very good basis for assessing risk.
Easy tests for judging the validity of a story include: does it cite sources by name, or does it refer to anonymous “experts”? Does it look at the risk of using technology from all companies in the space, or just one company? A story that only talks about one company and cites anonymous experts or unnamed industry sources should be given extra scrutiny. If a spate of such stories appears at the same time, this may be a sign of a campaign intended to damage a competitor. One example of this is the 2006 Dubai Ports effort to purchase a U.S. port management company. A frustrated competitor contacted media outlets and congressional offices to charge that this purchase by a foreign company created security risks, ultimately killing the deal even though the charge was frivolous.
Security and Privacy Checklist
The response to Covid-19 created a major new market for VTC, leading many companies to develop products and services for video conferencing as a replacement for face-to-face engagement. Cybersecurity is a real concern, and in looking at the leading products, it seems safe to say that VTC is no worse, and in many cases, better than other online apps and services. Cybersecurity is not a static activity, and the ability of VTC providers to continue to update and improve the security of their services—and demonstrate this to their customers—is crucial. The following questions can help guide decisions on the risk of using VTC.
Does the VTC app and platform use encryption?
Does it have an advertising-based revenue model?
Does it have policies in place for breach notifications?
Is it GDPR compliant?
Can it demonstrate that it follows secure development practices?
Does it use industry best practices for patching and updating?
Does it use a reputable cloud service provider?
Are there known incidents of espionage or crime?
The answers to these questions provide a framework for assessing risk unique to VTC, and our conclusion is that cybersecurity and privacy risks are no greater than what is generally found on the internet and not significant differentiators among major VTC services. Instead, the leading services have all begun to converge in the security and convenience of their apps. Competition over which VTC service to use is increasingly a matter of price, innovation in new services, and consumer preferences.