It feels like a topsy-turvy world we’re living in when it’s the US state authorities that are telling us to use end-to-end encrypted messenger services. Back in my youth their government tended to exude rather anti-encryption vibes, or at least anti any encryption that didn’t have a state-sponsored backdoor in it. A backdoor for the FBI is of course a backdoor for everyone who finds it, rendering the whole enterprise a bit pointless.

Which unfortunately has ended up with them (well, us) somewhat reaping what they sowed.

Now the US FBI and CISA (“Cybersecurity and Infrastructure Security Agency”) are warning Americans to use encryption for their messages and phone calls. This appears to have been prompted by the discovery of a hack on their communications networks by Chinese hackers - probably the “Salt Typhoon” gang - which is “ongoing and likely larger in scale than previously understood”. Apparently it might take years to figure out exactly where they are and what they did - but at the very least:

“Specifically, we have identified that [Chinese government]-affiliated actors have compromised networks at multiple telecommunications companies to enable the theft of customer call records data, the compromise of private communications of a limited number of individuals who are primarily involved in government or political activity, and the copying of certain information that was subject to U.S. law enforcement requests pursuant to court orders,” the FBI said in a statement issued with the Cybersecurity and Infrastructure Security Agency earlier this month.

So far, the hack is known to have affected major U.S. firms such as AT&T, Verizon and T-Mobile, U.S. and industry officials said.

Or, in a bit more detail:

The hackers generally accessed three types of information, the FBI official said.

One type has been call records, or metadata, showing the numbers that phones called and when. The hackers focused on records around the Washington, D.C., area, and the FBI does not plan to alert people whose phone metadata was accessed.

The second type has been live phone calls of some specific targets. The FBI official declined to say how many alerts it had sent out to targets of that campaign; the presidential campaigns of Donald Trump and Kamala Harris, as well as the office of Senate Majority Leader Chuck Schumer, D-N.Y., told NBC News in October that the FBI had informed them that they had been targeted.

The third has been systems that telecommunications companies use in compliance with the Commission on Accreditation for Law Enforcement Agencies (CALEA), which allows law enforcement and intelligence agencies with court orders to track people’s communications. CALEA systems can include classified court orders from the Foreign Intelligence Surveillance Court, which processes some U.S. intelligence court orders. The FBI official declined to say whether any classified material was accessed.

Basically, it seems that they don’t know how deep the Chinese state (not to cast aspersions, but…) has gotten into the system. But if you’re using proper encryption then, to an extent, it might not matter quite so much. They might still see that you’re sending messages, depending on how exactly the service works, but not what those messages say.

“Our suggestion, what we have told folks internally, is not new here: Encryption is your friend, whether it’s on text messaging or if you have the capacity to use encrypted voice communication. Even if the adversary is able to intercept the data, if it is encrypted, it will make it impossible,” Greene said.

So, for folk less pre-existingly digitally tin-foil hatted than myself, what is the practical upshot? Probably that you want to message people, and preferably call them, via end-to-end encrypted apps. That’s the recommendation from the US authorities.

Signal is the exemplar of this technology, being free, open-source, and very highly recommended by all manner of experts. But it’s also a network that relatively few people are all that engaged on - so WhatsApp, which also uses encryption by default, is probably a more realistic option for most folk. Both of those apps can handle text messages, photos and video calls in a securely encrypted manner.

If you’re an Android user messaging Android users, or an iOS user messaging iOS users then you’re probably also safe on the texting front from the point of view of encryption if using the default messages app. But as soon as you cross operating systems they revert to standard text messages which are absolutely not encrypted. So, much as it pains me to promote a Meta product, WhatsApp is probably a good bet for most as an encrypted app that appears to work on almost everything and almost everyone has heard of.

Lest we Britons somehow delude ourselves into thinking we’re safe, folks from our National Cyber Security Centre have also recently provided us with some stark warnings.

In a speech at the NCSC’s London HQ, Horne, who took on the role in October, will point to “the aggression and recklessness of cyber-activity we see coming from Russia” and how “China remains a highly sophisticated cyber-actor, with increasing ambition to project its influence beyond its borders”.

“And yet, despite all this, we believe the severity of the risk facing the UK is being widely underestimated,” he will say.

It’s not only China raising the alert - but Russia as well. Earlier this year the NCSC and its allies uncovered a Russian military unit that had been “carrying out cyber attacks and digital sabotage” for at least a few years.

Only last month one of our cabinet ministers was warning that:

There is a danger that artificial intelligence “could be weaponised against us,” McFadden will warn, arguing that the UK is already engaged in the “daily reality” of a “cyberwar,” with hacking efforts coming in particular from Russia.

McFadden is expected to say that “Russia has targeted our media, our telecoms, our political and democratic institutions and our energy infrastructure,” and warn that “with a cyber-attack, Russia can turn the lights off for millions of people. It can shut down the power grids”.

The UK Government’s official “prepare for cyber-emergency advice” has the following suggested steps for us to take:

  • Use strong passwords (especially for your email)
  • Keep your software up to date
  • Use 2 step verification
  • Use a password manager
  • Back up your data