
Bill Anderson: Securing Government Mobile Phones


How does the US Government ensure that its most sensitive data stays protected on mobile phones?

On this week's episode of The Secure Communications Podcast, guest Dr. Bill Anderson, President of CIS Mobile, talks about how the government's approach to mobile security is evolving from bulky, expensive phones purpose-built to handle highly sensitive information, to commercially available smart phones with security built right into the devices.

Welcome to the Secure Communications Podcast
Data in motion is complex, chaotic, and unsecure, but the ability to seamlessly communicate is what drives innovation, growth and progress. Discover how the leading minds in the fields of technology, cybersecurity and communications are tackling the challenge of securing data in motion, and gain insights into what’s new and what’s next on the Secure Communications Podcast. Each week, host Kathleen Booth interviews bold thinkers who are developing and/or employing transformational technologies to solve communication security challenges.

In this episode


Dr. Bill Anderson is President of CIS Mobile, a leading provider of secure communications solutions for the US Government.

Bill is a veteran of the cybersecurity industry who has held executive roles in product management and marketing at several public and private technology companies. 

Bill has extensive experience in developing and marketing hardware, software, and intellectual property and is an expert on security in the mobile ecosystem. In this episode, he shares cutting edge developments in mobile phone security technology, and talks about why the secure phones of the future must balance security with user experience.


Listen, watch, or read

Want to learn more about how the US Government is approaching mobile phone security for its most sensitive information?


Read

Kathleen (00:06): Thank you for joining today's episode of the Secure Communications Podcast. I'm your host, Kathleen Booth. And today my guest is Bill Anderson, who is the president of CIS Mobile. Welcome Bill.

Bill (00:19): Thanks Kathleen.

Kathleen (00:21): I am excited to have you here, but before we get started, can you tell my audience a little bit about yourself as well as about CIS Mobile and what you do there?

Bill (00:31): Sure. Well, I'm a, I'm a security guy and I've been working in the industry for a long time. I got my start on the technical front. I have a PhD in cryptography that started doing elliptic curve crypto at a, at a very successful company called Certicom. And I stayed, loved it, stayed in the, in the industry ever since. Went and did my own startup. Raised money. Ended up selling the company. Worked at a couple of more startups. Found my way into venture capital briefly, which was interesting. And then, since then I've been helping companies figure out how to start up and build a good security, mobile security business specifically. And I got really interested in CIS Mobile, CIS Secure, which is the parent company. It's been around for about 20 years through a government security contractor.

Bill (01:19): They do some very secure communications equipment. They're an NSA certified TEMPEST lab. So they really, they serve that sort of core government community that needs absolute security in their communications equipment. And it's a very successful business. They decided they needed to grow. And the obvious place to grow was, was to look at these mobile devices that they hadn't been handling before and no one really had a good handle on, for, for government, and ended up acquiring a business that was started up in Canada about five years ago, five or six years ago, actually. And I am, in fact, I happened to know these guys, obviously being a relatively small community and the offer was, was too good to pass up. And so I joined about a year ago and we've been taking that business in a new direction, really of, of targeting it specifically to the US and our allies. Government security needs for mobile devices.

Bill (02:19): Mobile has been around a long time. There's been a lot of innovation in this space for the past 15, 20 years, really. I mean, even 25 years ago when there was, we were starting with Palm Pilots and Palm Pilots were cool. And you know, my company helped us secure them, and then they went wireless and they needed better security protocols. So we help with that. And, and it's led to, well, why don't we put it into a cell phone? Okay, we'll put it into a cell phone. Why don't we put it into a smartphone? And then suddenly, the problems just opened up because these are effectively massively overpowered supercomputers with sensors in them - cameras and microphones and Bluetooth and motion detectors, location sensors - we're carrying around in our pockets all the time. Wonderful. I mean, there are wonderful productivity enhancers. They're also the most effective spy that you could ever have sitting in your pocket. And you don't want to just bring that into a sensitive government facility. So the government, even more than industry, has had a real love, hate relationship with these mobile phones. And that's what really attracts me. I think that's, it's really an interesting problem space that we've got something to say about.

Kathleen (03:28): You know, the thing that fascinated me that when we first spoke was that there are a lot of companies out there that are, as you say, working on mobile security. There's a lot of advance, advancements that have been made. But there are kind of, there still remains this, this inherent conflict between the level of security that is needed, particularly within the government, as you say, where there really is a lot to lose, and the convenience factor. The usability. And this is something that I'm kind of personally passionate about is security and usability. And I loved that. You talked about that issue and, and solving for that issue and what's at stake if you don't solve for it. So this is kind of a big topic, but maybe you could kind of go roll that, roll it back a little bit and talk about historically, why have those two factors been in conflict so much - security and usability.

Bill (04:27): Sometimes if you let a pure security person design your device, you'll end up getting a very excellent, secure paperweight that no one wants to use. And, and you know, it's because it's hard to be a Renaissance guy. It's hard to, to know everything that it takes to make a device that users want to use and actually still be secure. And it, it is, it's a constant battle. Over the years, you know, the initial government reaction was, you're just not bringing that thing in here. That's, I don't know what that is. It's not coming in here, but inevitably, you know, these mobile devices are productivity tools everyone wants to use. And then we all use them in our private lives. You have to start to think about what's the societal impact if our entire government infrastructure is a generation behind the rest of the world. It's bad.

Bill (05:19): I mean, we would have people, frankly, we have trouble hiring people to go work in the government now because you know, 20 some year old has had a mobile phone in his hand his entire life. And you tell him, yeah, you're going to have to leave that in the car or leave it in a locker. We've got these great computers inside and you know, they do everything that you need. It doesn't work. People don't. First of all, it's not true. And second of all, people don't believe it. And so it's necessary to try to find a way to keep up with modern technology in order to be an effective organization. And like I said, there's a love, hate relationship with it. So the pure, pure security guys who know what our adversaries can do, you know, they stay up late at night worrying about this stuff.

Bill (06:09): If I, if I let this mobile device in, you know, what happens if somebody uses this extremely sophisticated, you know, over the air baseband attack that let him take over the baseband processor and then inject code up into the, the firmware and then exploit the device? What if they did that? And the same guy says, but I know how to stop that. I'll design my own phone. And that's happened a few times. It's happened three or four times in the last 10 years where, you know, a set of extreme requirements comes out of somewhere like Fort Meade. Yes, they're there. They're typically the culprits. They know what they're doing, but they specced a few phones over the years that were monsters. What happens is, when, you know, when you work within the government community and you spec something out to meet all the security requirements, to check all the boxes, it's super conservative.

Bill (07:02): And then you, you put it out for a bid. You say, who will build this for me? Now, you gotta go through a government procurement process of getting the, who's going to do it? Is Google going to stand up and say, I'll put up with all this nonsense and I'll build you a phone the way you want it? No, they're not interested. It's the systems integrators. It's the big defense contractors that say, I'll take the money. I'll put a couple hundred people on our, its not that much, but I'll put a few people on this project for a year and a half, and we'll meet all your specs. It'll only cost you $20 million. You know, we'll build you that phone. Phones like that have been built and they end up hitting the street. And they're three years out of date. They're a monster of complexity and they have no usability because usability was not the design paradigm.

Bill (07:51): Security wasn't the design paradigm. We saw this happen with a device called the SME PED. If you look it up on the internet, you'll see it. It's ugly. How do you spell that? S M E P E D. And I won't name the guys who made it because I think they were, you know, they did the right thing. They did what they were asked to do. And then they produced this device that was kind of like, it looked like a Blackberry with some extra stuff built in. But it wasn't a Blackberry. It was actually running, as I understand it, it was Windows Mobile, 3.0 which was already three or four years out of date by the time the thing shipped. And it had some extra capabilities on it to handle the secret level communications. So they'd slap these two pieces of the phone together, put wireless in it, added a keyboard, added 12 other buttons.

Bill (08:38): And the two pieces didn't talk to each other. So you're really carrying two things just sandwiched together. But most important is, it was way out of date. And then they said, okay, Secretary Clinton, here's your phone. She said, well, I've been using a Blackberry for the last five years. I'm not using that. I don't even know how. It's, it's, it's a monster. And that obviously resulted in a whole other issue that, that was in the news for years. But not, not entirely because of the SME PED, but you know, it wasn't very usable and a lot of people reject that technology.

Kathleen (09:11): Well, and I think that's, that's like a recurring theme in security in general, which is that if you give people security technology that either they don't understand, or they find difficult or inconvenient to use, they are going to choose not to use it, or they're going to find a way around it.

Bill (09:28): They'll carry their own phone.

Kathleen (09:29): Yeah.

Bill (09:30): They'll use that phone for just personal, don't worry, just personal communications. Except when it becomes easier to send an email in an emergency from your personal account, you're going to do it. It's inevitable. And so work starts bleeding into this personal phone, which has typically no security whatsoever. And that to me is, is of course, one of the scariest things about that, that crossover, is that the phones that most of the government is using today are horribly insecure in ways that the government purchasers don't understand. There is a huge blind spot. What, you know, we'd like to do typically is we'll say all right, we'll define some standards that are in our best practices that a phone has to meet or computer estimator communications equipment has to meet. And they're all good. They're typically backwards looking. They'll say, Hey, we've been burned on 27 different things over the years. Let's make sure that we don't get burned on those things again. And we put them into a standard. And then we say, in order for us to purchase this device, you have to meet the standard. And one of the standards that's relevant in mobile phones is, is Common Criteria. NIAP. I forget what NIAP stands for.

Kathleen (10:50): National Information Assurance Partnership.

Bill (10:53): There's a specification for mobile device fundamentals and related technologies. There's actually four specs that matter in the space. And that spec is good. I mean, if you do all the things that are in that spec, then you won't get burned by the bad things that have happened before. Doesn't mean the phone's secure. It means you won't get burned by the things that happened before. And we know of a lot of problems with phones that are being used in the government right now that have passed that specification. And by the way, we're going to do the same thing. We'll still go through NIAP specific-, certification on our platforms. We make, we make platforms as well as, I'll talk about later because it's good to check all those boxes, but one of the problems is that the buyers get this really bad, false sense of security.

Bill (11:41): They say, Oh, I'll put that on my approved list because it passed the test. Check. A new vendor comes in, says I passed the test. Giant vendors, giant vendors. I won't name names because I don't like to pull people down. But the biggest vendors in the world passed those specs. And those are the phones that the government is buying and they're full of holes. And one of the biggest problems with them is that the economic system around mobile phones is designed to monetize data that the users generate. And what happens is, for example, this is a, I love Android, by the way, this is an Android phone. We, we do stuff for Android devices typically. If this was not protected by our stuff, which we, we replaced the operating system so it's actually secure, a typical Android phone calls home to Google about 40 times an hour.

Bill (12:43): And it tells Google servers where the phone is, where the user is, what applications he's running, what messages he's been sending, what interactions he's had, what advertising codes have been triggered by his browsing patterns, and so on. An enormous amount of information actually getting sent back to Google servers. Why was, why would this be a problem? It would be a major problem if you wanted to track the President of the United States as he moved around in a motorcade from his place in Florida to meet with the prime minister of Japan for lunch, and then go golfing in the afternoon. This happened. The New York Times published a series of articles in January, no December, this year, last year where they simply went out to third party advertising trackers and said, we'd like to buy some data from you.

Bill (13:37): We're interested in this kind of data around, you know, people who were moving around in this area and this area and this other area. And what they did is they zeroed in on where can I find tracking codes that are tied to location that happened to be at Mar-a-Lago. And then they did the same for Supreme Court justices, Secret Service agents, congressmen, and found that they could track the movement of those people from their home to their office, to their lunches, to their clubs and so on. And these were secure phones.

Kathleen (14:10): That's unbelievable.

Bill (14:12): It's amazing. And so you think, all right, so why, why did that happen? It probably happened because the people who were making these purchase decisions felt safe by simply buying stuff off the approved products list, without thinking holistically about what's really happening in this mobile ecosystem. You know, what, what, what are the motivations of the parties that are involved here?

Bill (14:35): How do they get paid? And, and that's the big question is, of course, if government is going to engage with industry and purchase technology, they have to think about where are all the values being, where are the values being exchanged? How am I paying for these platforms? And you make a mistake if you assume that by buying a cheap Samsung phone and giving it to the military, that because you paid for it, that you're okay. You're not okay. Those phones report data back to the mothership and third party advertising trackers, and they put our people at risk. And so, you know, I think it's really important that we educate the buyers, we educate the industry in general about, you know, I like to say consumer technology is great for consumers, but governments ought to know better. And, and repurposing one of these consumer platforms and putting a mobile device management tool on top of it, it doesn't solve the underlying problems, which is that they're designed to monetize people. That's why the operating system is free. That's why the apps are free. Google gives that stuff away for free. So they have to make their money somewhere else.

Kathleen (15:42): That's so interesting because it really, you know, listening to you talk about this, I feel like there, here's the, the, the black hole in the middle, right? Which is that you have the option of building your own device, which is a terrible option from everything you're saying, because you wind up having these companies that are really not experts in UI or UX, creating devices that are incredibly inconvenient, difficult to use, you know, large, et cetera, but might be secure. Or you go to these commercial providers that are really good at UI and UX, and you're sort of choosing UI and UX over security. So I imagine this is, like, where your company comes in, in the middle. But like, what is the solution then?

Bill (16:32): What we do is, we sort of stand on the shoulders of these giants. We stand on the billions of dollars that have already been invested in making the sleek piece of black plastic so powerful. You know, it's got a Qualcomm quad core processor and it's got fingerprint sensors, all that stuff. It's got a, you know, billion dollar operating system. It's a huge amount of effort that went into building this thing. We don't want to replace that. It's awesome. Android, Android is an awesome platform. And fortunately, there is an alternative to just taking it. Android's available as an open source platform. So what we do is, we take the open source and then we reengineer it. So we take out this, we can take out the weaknesses as far as we can find them. I mean, we're not perfect. We probably haven't found everything.

Bill (17:19): And the important thing is that we, we let our customers view our source code. And when our customers are running systems, based on our platform, they're running the platform. So they take the server and they run it themselves. They take the phones, we flash the operating system into them. They can look at the operating system and then they manage their phones themselves. And so all of the data is going from a controlled platform to a controlled handheld, and we've turned off all the features they don't want to see in those platforms. We've also added a bunch of other capabilities that matter in some specific usage cases. So for example, people are working from home and people are carrying multiple devices. You know? Government phone, and a work phone. We set it up now so that I can have two phones in one, or three or four.

Bill (18:09): So this is my personal device. If I log into it using my other fingerprint, it'll actually open up a government device. So there's a separate version of Android running in this phone. So I switched over to the Android for work, run just a curated set of apps that I'm allowed to run in the, in the government space. It's running a VPN that terminates at the government space. They control the apps, they control everything about the platform. And then when I need to make a personal phone call, I fingerprint into the other side, and there's my Twitter account and Facebook and all the things that I would use for personal. And it's separate, but I just have to carry one piece of plastic. And I get the power of all of it. Having a phone like this means I'm more likely to use it.

Bill (18:53): I'm actually, more or less, I'm not going to subvert it. I'm actually going to use a platform that's fully controlled. And this is important. This isn't a bring your own device solution. Those are fine, but they're not very secure. This is, the government wants you to work and wants you to be productive and is going to give you a phone that you can use for personal, as well as work. One of the neat things about our system is, let's say there was an emergency and something was happening in San Francisco. And let's say it was a Homeland Security or FEMA deployment. They can actually push a third phone. Well, it's a container, but we call it, you know, you push a third container out to all the people who happen to be in the geographic area where there's been a disaster. And then they log into that third device using a different access control method and get all the apps that they need for just dealing with emergency management. Contact lists, the VPN terminates somewhere different, they've got a bunch of data collection apps. They run those and use them for the duration of the emergency. And then when it's over, you can take it all back. You can take it off the user's phone. They don't need it anymore. We refresh it and get it ready for the next disaster. And so there's, there's a whole bunch of different use cases that you can build around this fully, fully managed and secured platform.

Kathleen (20:10): That's so interesting. I have so many questions. So the first of all, my comment is that that sounds amazing because the last place I worked did. You know, I'm in cybersecurity. And so it's, that is a priority for companies. They actually issued me a work phone. So I had my work iPhone and my personal iPhone. And I remember I was like, Oh, this is so inconvenient having to carry two phones. And so I went on to Amazon to try to find, to see if there were cases that were built to carry two phones. And there really aren't. I mean, there are some, but they're, they're just equally as bad as carrying two phones. Right? So it's just, it's an awful solution. And, and like you were describing, I would find myself in situations where I'm like, Oh, I don't have my work phone with me, because I didn't want to carry it.

Kathleen (20:58): I didn't think I would need it. You know, and it just, it, or it wasn't paired with my car. And so I would use my personal instead, all kinds of dumb excuses that because of usability reasons led me to not using that phone in the way it was intended. So I can really see the value of having it in a single device. But are there still, I mean, you still have to toggle between containers, correct? So what you had, you have any data around what, I guess what percentage of, of, of, I don't know, even know how to phrase it. If you go from having, let's say two phones to having one phone with two containers, what percentage improvement is there in terms of people not falling back on the personal side?

Bill (21:46): I don't have, yeah that's a great question. I actually don't have a statistic because we don't have enough data to really answer it. We probably wouldn't like the answer.

Kathleen (21:54): Yeah. I mean, I imagine there's still plenty of user error. Willful user error. But I could see where it would be less.

Bill (22:02): You'd have a lot more control as the, as the government administrator, because you would be able to say things like, look, the government apps are always there. They're at your fingertips. It takes two, two seconds. You know, you push the button, then you're in the container. So it's not that hard to get there. And they're always with you. And you could say things like, look, we don't, we don't put Gmail in the government space, but it's right over there on your personal space, if you need to use it. But for government emails, you know, you go over to the government phone and use that one. If you make it easy and you peel over the barriers to using it properly, then people are more likely to use it properly. One way to measure it would be consider the impact of failure to follow the security rules. It's a very, very high impact. We could be completely subverted. If we can reduce the incidence by even a, you know, small percentage, it's a significant improvement in our overall security posture. But I, I would not be surprised if, you know, if we can get most people using a single device, then compliance would be extremely high.

Kathleen (23:06): Now you talked about this in, in terms of a solution for the government. Is this equally as viable a solution for enterprise clients?

Bill (23:19): Our strategy is to focus on the, really not quite the highest problem. The highest problem is actually a very, very small number of super, super secure $5,000 phones, $30,000 to deploy. We don't want to do that. You know, we're selling standard phones, that cost a standard amount. But we're, so we're sort of targeting the second tier people who are doing, you know, secret and, and, you know, unclassified materials on a phone, which is the mass of the government. The, the next, and we're going after our allies so we have customers in the Five Eyes community already. And the next tier for us around that is actually all the government contractors because they're, it's a huge community. And they're working with the same kinds of information and the same kind of security requirements around them. And so that's kind of our next circle to expand to. We are talking to some companies that are interested in deploying for enterprise but we may not ever get into doing enterprise deployments ourselves.

Bill (24:30): It might compromise some of the, our capabilities. There are things that I have not told you today about what we can do with the phone. We serve the intelligence community as well. And so we have a whole bunch of capabilities that we just don't talk about particularly publicly. And so it's not, it's not really acceptable for us to, to be offering those up to the enterprise community. So what we might end up doing is sort of splitting the code base at a certain point and licensing it out to enterprise use because it really is quite useful for enterprise. And then keeping the really high end secret stuff for, to, for just our government community.

Kathleen (25:09): That makes sense. And do you sense that there is demand within private enterprise for this? Because the, the impression I've gotten just from other conversations I've had is that, is that private enterprise really isn't there yet in terms of the mentality and the focus on security? I think in principle, they liked the idea, but, but they don't, they don't seem to put their money where their mouth is.

Bill (25:32): And they're better than consumers though. I'll say that at least enterprise, you know, that's where we've always been. I've always made money in the past is selling security to enterprise. They will pay for it if it brings them enough value, but you know, there's a lot of good security for enterprise already. The basic platforms with mobile device management software and the APIs that are built into the phones, they do a lot. There is opportunity for differentiation and if you're a new vendor coming into the space, or you see the big guys eating your lunch, how are you, how are you going to survive? You know, there's a, there's a couple of ways to survive and go down market. You can go up market. But for the folks who want to go up market, it's about security. That's one of the most important differentiators that I'm hearing about.

Kathleen (26:18): Now, when you think about the future, do you think at some point this level of security will, will become accessible to the individual user? I mean, is that the direction we're heading or will we kind of remain with, you know, just secure enough for us to feel, feel like we're checking the box?

Bill (26:38): I think we have a societal problem in that the corporate motivations behind this technology are to you know, to serve the, the interests of the corporations, which is to serve the interests of the shareholders, which is to make money. And, and the way that the, the two main players in the mobile phone space work, so it's really, it's a, it's a duopoly right now. You can have an Apple phone or you can have an Android based phone. There's nobody else left. And, and they have slightly different business models, but the way that they make their money is to collect data and to, and to, and of course in Apple's case, they do other stuff. Apple doesn't collect as much as, as Google does, but they both do to some extent, and that's in order to, to be able to provide other services. Other, you know, other paid services.

Bill (27:28): I don't see that motivation changing anytime in the, in, at any point. And so if we were to see a, the development of privacy for an individual and security for their data and having some sort of individual sovereignty over your information, if that became a theme that people cared enough about, then we would have to see political action to actually start to, to put regulations into, put, put sort of standards in place for how these companies should interact with users' data. For the most part, consumers don't think about it. They don't care about it enough. They don't mind the fact that somebody might be tracking them. It doesn't actually hurt them all that much. And what they get is, they get a phone that's not very expensive. And, and so, you know, the mass 90, 95% of all people just don't care enough to worry about it.

Bill (28:29): However in the European Union, the European Union looked at some anti competitive practices and found in, what, let's see, in 2018, actually ruled against Google and said, what you guys are doing here is anti competitive with, with some of their platform practices and said, you can't do that and fined them. I think it was almost $5 billion, which is probably not very much for Google, but it seems like a lot to me.

Kathleen (28:57): I wouldn't mind having $5 billion.

Bill (28:59): I think they're probably still disputing whether they need to pay or not. But the point is that, you know, the EU said, look, this, this practice that you guys have for forcing OEMs to deliver all of your software suite, all of your services to prevent other people from building platforms like yours to prevent, couldn't fork the code, a single OEM who was already building an Android phone that had Google services on it, wasn't allowed to build a phone that was slightly different. And so there was a bunch of practices there that were, in the EU's opinion, against the consumers' interests. And the EU said, you've got to stop that. We haven't seen any change in North America though.

Bill (29:42): So it's apparently not a political issue. And so I, I doubt, unless there's a real sea change, unless there's some real awareness about this, then you probably won't change. And I don't think we will see a significant improvement for consumer security. But for governments, unfortunately, they're being hurt right now and they don't even know it. And that's where we come in and we're, we're trying to, to raise the bar and to prevent some of that data leakage. And when we show what we can do to these customers, they, they, they, they understand. I mean, they were aware of the issues and they're kind of looking for solutions.

Kathleen (30:16): Yeah. Now, when you look ahead to the future, what do you think when it comes to mobile security? What do you think the biggest challenge is going to be that we'll face in the next few years?

Bill (30:29): I would say it's probably that corporate mentality of, we need your data. So that's, that would be on the one hand. And I've talked enough about that. The other is that frankly, there are bad guys out there who are going after your data too, and they really are going after their data. And so, you know, we, we do need a base level security. I want to say too. And I know, in case I came across too strong, Google and Apple have both done a really excellent job of building security into these platforms. They are really, fundamentally, very secure against external attacks. So when the hardware boots, it does a hardware root of trust that checks the first layer, which checks the next layer, which checks the next layer, which checks the operating system. And so it's really, really hard to, to break that. They've done an excellent job.

Bill (31:18): And as, as you know, they're really, really very capable. My only exception is that they wrote themselves a get out of jail free card, and they said, we won't let anybody else have the data, but we can have it. That's my only complaint. But the bad guys are out there. And you know, for our governments, when they work overseas and, you know, go to various places where they need to work, they can't rely on the infrastructure. In some cases, you know, the local carriers are connected with the intelligence services that they may find antagonistic. And so, you know, they need a phone that can blend in, that looks like a regular device, that doesn't give off any signals that says I'm a, I'm a BlackBerry.

Kathleen (32:04): I'm a spy phone.

Bill (32:04): I'm a spy phone. I'm a BlackBerry, I'm a, I'm a super secure, you know, $5,000.

Bill (32:08): They can't have that. They need to be able to, to act and look like a regular device and not stand out. And so you need a special approach to be able to protect government workers against serious, serious existential threats when they're working abroad. And so, and that's not going away anytime soon. You know, we also have to think about the, you know, the reliability of the infrastructure. We should not trust any networks. We should assume that every network is subverted and we should be delivering data securely from end to end. Never assume that nobody is listening because they typically are. And so we should design our systems from the base up assuming that we're responsible for our own protection.

Kathleen (32:57): Yeah. Now building on that question, when it comes to secure mobile communications, is there a particular company or individual outside of your own that you think is doing really interesting work in this area?

Bill (33:11): Well, one thing I was, I knew you'd ask this actually. So I, I did think about it a little bit. We've, we've talked to and looked closely at what the UK government's National Cyber Security Centre's been doing. And they've put out some really excellent recommendations about how to think about risks, how to think about deploying systems that we think are, they're just full of common sense. So unlike the sort of checkbox where, that I've complained about before, where he said, I would really well, we'll make sure we protect against all the things that happen before a check. Okay. We can all buy that. These guys say, no, that's never okay. Every time you go to field a new system, you need to think in this way. And they have some really, really intelligent, deeply thought out advice for how to think about risks and threats and usage models. And, and I think it leads the users to deploying a system that doesn't cost too much, and that is typically going to be effective for their particular use case. And, and I, I found that very refreshing. So I'd recommend more people go and take that approach to, to their deployments.

Kathleen (34:21): That sounds interesting. I'll definitely have to go check that out. Well, this has been really fun to chat with you about. And I think it's, it's neat that you guys have a solution that really works with the devices that we're all already used to using anyway. I mean, that's, that, that eliminates so many of the points of friction. I think that otherwise would cause us to make very poor choices as human beings. So it's, it's, it's fascinating. So check out if you're listening, check out CIS Mobile. Bill, any other places that you would point listeners to if they wanted to learn more about the company or ask a question about what you're talking about?

Bill (35:02): Feel free. Yeah. Feel free to email us. Cismobile.com. And if you go to the cismobile.com resources page, we've got a bunch of videos where I've, I've actually recorded the product in action. So you can see some of the capabilities and it's kind of fun to see what you can do with it.

Kathleen (35:17): That's great. Well, definitely check that out if you're listening. Thank you so much for joining me this week, Bill. It was really fun. And if you are listening and you enjoyed this episode, please consider leaving the podcast a review on Apple Podcasts or wherever you choose to listen. And we want to hear from you. If you have an idea for a future episode or a guest that you want to suggest, tweet us at Attila Security. That's it for this week. Thank you so much, Bill.

Bill (35:42): Thank you.