Mobile voice and messaging have been around for a long time, but are still plagued with security vulnerabilities. Given the explosive growth of mobile device usage, why hasn't this problem already been solved?
On this week's episode of The Secure Communications Podcast, guest Nigel Jones of KoolSpan talks about the evolving landscape of mobile communications security, and what it will take to provide a high level of security in an increasingly mobile, connected, and interoperable world.
Welcome to the Secure Communications Podcast
Data in motion is complex, chaotic, and unsecure, but the ability to seamlessly communicate is what drives innovation, growth and progress. Discover how the leading minds in the fields of technology, cybersecurity and communications are tackling the challenge of securing data in motion, and gain insights into what’s new and what’s next on the Secure Communications Podcast. Each week, host Kathleen Booth interviews bold thinkers who are developing and/or employing transformational technologies to solve communication security challenges.
In this episode
Nigel Jones has a unique perspective on the secure mobile communications space: he worked as a Marine Corps officer focused on secure voice and data communications early in his career, and later invested in the industry as a partner in private equity firm TWJ Capital and a Principal at the Carlyle Group.
Today, he's the CEO of KoolSpan, a leading provider of robust, cross-platform, communication security on smartphones globally, with government and enterprise customers in more than 60 countries.
In this conversation, Jones explains the history of mobile communications security and why, despite the astounding growth in mobile telephony, the sector is still plagued with security vulnerabilities. He also shares his insights on what it will take to finally solve the security challenge.
Listen, watch, or read
Want to hear what Nigel Jones has to say about the past, present and future of mobile communications security?
Thank you for joining today's episode of the secure communications podcast. I'm your host Kathleen Booth, and today my guest is Nigel Jones, who is the CEO of KoolSpan. Welcome Nigel.
Thank you. It's a pleasure to be here. Thank you for having me.
Yeah, I'm excited to talk with you. Before we dig into the topic at hand today, could you maybe tell my audience a little bit about KoolSpan and also your story and how you came to be doing what you're doing today?
Okay, great. So thank you again. So first of all, KoolSpan, based in Bethesda, Maryland, is the leading provider of secure mobile communications as a platform for government organizations and enterprises globally. We're deployed in more than 60 countries worldwide and continuing and actually accelerating our pace of deployments as the, as the need for secure remote communications in this current environment has become really much more intense.
Yeah, it's so timely what you're doing.
Absolutely. I guess from my background, I started my career, my professional career, actually as a communications officer in the Marines. So I feel very passionately, particularly about providing secure communications to that organization, to that community, that DOD community in particular. And I've been CEO of KoolSpan since 2015. Spent a bit of time in operations and as the chief financial officer before that. And before that I just, I've had a variety of roles across private equity and venture capital as well, focusing primarily on telecommunications infrastructure.
Okay, great. And you know, this topic of mobile network security, as you said, it is so timely because as we're recording this, we're I don't know how many weeks now, I think I've lost track of time, into the Coronavirus pandemic and so many people are now working from home. And you know, the number of cyber attacks has increased on all fronts from everything I've heard and the data I've seen, and I'm sure mobile is no different. Can you talk about why, you know, cell phones and smartphones have been around for so long, but I guess a great place to start would be to talk about why, given that these are not new devices, is this still such a problem? Why is it so hard to secure mobile networks?
Yes, exactly. So this goes back. The issue, the fundamental issue, goes back to the beginning of the development and implementation of mobile networks back in the seventies. You know, back in the seventies when mobile networks were first designed, they were designed in terms of the way they interoperate, the operating protocols, with the baseline assumption that every network can be a trusted network. And in 1975, that was actually true. There were a handful of networks. And in order for users to be able to operate seamlessly roaming globally, every network was assumed to be a trusted network in terms of how the calls and messages were handed off. And that was, you know, going back 2G, 3G, that protocol SS7 has been in place ever since that and has had that same fundamental design flaw. What's even more amazing is that the interoperating protocol for 4G and soon 5G networks, Diameter, has the same fundamental design flaw.
And this protocol, you know, designed by the GSMA in Europe, it has to be a global standard that, that fundamental assumption that every network is a trusted network enables, you know, commercially available software as well as software that's available on the black market. You put it on your laptop, you put a phone number in, you're very easily rerouting calls, monitoring calls, capturing messages. And the issue is pervasive. It's been around for a long time. It's really, you know, just a couple of years ago, actually, the FCC and the Department of Homeland Security for the first time explicitly acknowledged the fundamental security flaws in mobile networks and they explicitly made the recommendation for the adoption of end to end encryption on the application layer. As you pointed out, it's really just been in the past two or three months with this, you know, this absolute requirement to communicate in terms of remote teleworking, the need to communicate securely or actually where it is that we're not communicating securely, that the issue has really come front and center.
Yeah. I have to admit, my mind is kind of blown that this has been a problem for so long and it hasn't been fixed. Now granted you mentioned there's this new mandate, but why wasn't it fixed sooner?
So in our experience, actually the issue, the awareness, the requirement for secure mobile communications has actually been much more pervasive for a much longer time outside the US than in the US. So across Latin America, across the Middle East in particular, they've been working on providing or enabling more secure mobile communications for, you know, and trying to get the best solutions possible for much longer than we see here. And I think part of it, just anecdotally, is really a false sense of security in the United States. People don't understand that when they're talking on their AT&T phone, they're talking on their Verizon phone, you know, as long as China Mobile is roaming, you know, seamlessly with Verizon, AT&T, it doesn't matter where the bad actor sits, if they have the right software and those two networks are communicating with each other, you're vulnerable. And I think that that awareness has just not been - it's a bit of a puzzle to be honest with you why that understanding hasn't been as pervasive in the US as I've experienced outside of the U.S.
Yeah, I think there's, it definitely sounds like there's a cultural component to it. But I think what's fascinating to me is KoolSpan works with the government, you know, and I can see where the average person could say, you know, who cares if somebody listens to my conversation, you know, they might find out what movie I'm watching tonight or where I'm having lunch. But it's a different story if you're, you know, an executive with a company that has high value intellectual property or you're working for the US Missile Defense Agency on, you know, trajectories for missile launch. Like, these are things that, that can't be compromised. So knowing that there are those aspects to mobile network security and there are organizations that do have so much to lose. How are they addressing the situation right now because that's a problem that already exists?
So first of all, in all fairness, there's always been secure communications available for the highest levels, for, you know, top secret type communications, White House communications, agency type communications. Those are very expensive devices. And so in part, the issue at the highest, highest levels of government has been addressed, but it's a very, very thin segment of the market. The other element there where we've seen people try to address the problem is using consumer oriented applications, open source types of solutions like Signal, WhatsApp, Wire, those types of solutions, they have their own problems inherently, particularly in terms of not enabling an end using organization to have complete control over the backend infrastructure and the types of policy enforcement tools that are required. And I think that that kind of points to the broader issue we've seen with mobile communications, not just calling and messaging, but just generally people not understanding that you've got to have a pretty broad footprint of security in terms of securing the data on the device, securing the application, protecting the application, preventing the operating system from being compromised. And that market is continuing to grow, but it hasn't grown as fast as it should have.
That's so interesting to me. You know, and let's go back to your example earlier of the average person, the consumer who has, especially in the US, this lax attitude towards security. What does that person have to lose if they were breached or compromised?
Well, yeah, it's a very interesting question and to be honest with you, for most people, for the average consumer, in many cases, WhatsApp is good. It's good enough. I use WhatsApp talking to my friends and family. And really in terms of my personal communications, typically you don't have a lot to lose. And that's why we focus on providing a more robust layer of protection and security for government and enterprise customers where there really is valuable or highly sensitive communications that are transiting the networks. I just lost my train of thought. I got it. The issue we see now though is that so what is there to lose? So now we're kind of securely, we're not securely communicating. We're communicating on a distributed basis in this COVID environment. Everyone is working from home or people are going to school online. What there is to lose is when you've got a class on Zoom and you start getting Zoom bombed and you're getting all kinds of, you know, illicit material or racist material or racist communications. And then that's when you really realize that even in a collaborative environment, on a collaboration platform, if it's not secure, even as an average consumer, there's a real threat. Your kids are threatened. Your work communications can be, you know, they're at risk.
Yeah. I actually experienced that. I was not in my personal life or even in my job, but I was speaking at a virtual summit for another organization and it was myself and two or three other panelists, and there were some of the most vile comments that came through, clearly from a Zoom bomber. It was the first time I'd ever experienced it and it was more disturbing than I thought it would be. So I definitely can appreciate that more now than I could before. And that happened after all of this Coronavirus stuff started. So there's definitely been an uptick.
Exactly. And I think what's happened is that the threat surface has grown exponentially since everybody's using the same platform to communicate, which has attracted hackers and people, you know, the bad guys to find ways to exploit that much bigger attack surface. And I think, you know, for better or for worse, my guess is that there's going to be a lot more remote working, a lot more teleworking going forward regardless of how the world and the current situation evolves. And hopefully we'll get better. But I think people will be working from home more than they used to, which means that that attack surface is going to be bigger, you know, going forward than it ever was before, which means that there's going to be a need to have more secure solutions than Zoom because Zoom is not secure.
Yeah, I couldn't agree with you more. I think the genie is out of the bottle when it comes to remote work and everybody's, even the doubters have recognized that the world has got, you know, continued on and there are so many not, you know, definitely not everyone can work remotely, but there are so many people who can and are and doing it well that it's going to be hard to go back to a place where we mandate everybody come in all the time. So for this to actually get addressed, I find it really interesting because you talked about GSMA and you talked about how this is very much an international problem because you have these interoperability issues. What needs to happen from a coordination standpoint for this to really get solved?
So from a coordination standpoint, the global mobile network operating community is working to provide more security on the network level. And that's in terms of implementing firewalls, SS7 firewalls, Diameter firewalls, which are meant to try to catch these malicious routing and queries. And so there's been some progress. That's actually a pretty fast growing market. The problem is, even with those firewalls, a query that looks legitimate from a legitimate actor to reroute a call or a message may actually be, you know, a hack. And so they're trying to implement more intelligence into the firewalls with data and analytics. And that will continue to evolve. That market will continue to evolve. But that is why the FCC and DHS and others are saying even with improved security on the network layer, you still need an additional layer of security on the application layer in the form of end to end encryption.
And I would even take it, you have to take it one more level and say, okay, well if my application is giving me end to end encrypted communications and messaging, encrypted end to end encryption for data in transit, what happens if my device is compromised? If my device is compromised, even if I have end to end encryption, if someone captures the microphone or the speaker, if they can take screenshots outside of those bounds of end to end encryption, I could still be compromised. And that's what happens actually many times with hacks of WhatsApp. And that's why you need to have, the application either has to have the ability to detect rooting or compromise of the operating system, or you need some additional layer of protection on the device that can protect from the device itself being compromised, and particularly the operating system. So it's really, it's gotta be a multilayered defense.
Yeah, it sounds almost like you're talking about Zero Trust at a mobile device level.
Absolutely. I'm talking about Zero Trust. And I'm also talking about just fundamentally, if the operating system is rooted, all bets are off. So it's the ability to detect that the operating system that the integrity is still there.
So you've got the operating system, the application and the device. When we look at those three realms, where are you seeing that the most progress has been made to date in securing those things?
In our experience, I think the most progress has been made actually on the device level in terms of having more protections, in terms of secure workspaces, and other elements to detect if the device, you know, Knox, Zimperium, if the, if the operating system is, is still protected.
What are some new and interesting ways that this issue is being addressed? Are there new technologies that are starting to emerge that you think hold a lot of promise for solving this?
So I think over the horizon, both in terms of our own technology and, and more broadly, the real key is to integrate the security as much as possible into the native applications, the native calling, the native messaging such that, you know, when the other person, the person on the other end has a similar configuration and authorization, that call, that message is just secure, automatically, by default. That's the next generation of our products. And I'd say more broadly, whether it's a collaboration tool or just a communication tool, a one-to-one communication tool, being able to natively integrate the security capability, the security feature without, which means that the user does not have to make an independent decision to adopt a security feature, is really the key. And I think that that's where the world is heading and, you know, five or six or seven years from now I think that's where we will be in terms of the security on the device as well as securing data in transit. It will just be there and it'll be kind of seamless in the background. And the key to that is going to be the adoption of standards across, you know, the iOS world, the Android world and so forth.
That sounds like a big hurdle. The adoption of standards across all of these different worlds. I mean, you've got really entrenched players that at least, it seems to me as somebody who's not as deeply embedded in this as you are, don't always play so well together. Are you seeing that there's more cooperation between some of these different players or the possibility of it?
On a regional basis we're starting to see some cooperation. So for example, iMessage, FaceTime, those are actually relatively secure tools, although there's still issues with the back end infrastructure where it's being hosted at Apple. But there has been an impetus amongst the carriers, and I've seen this particularly with the carriers in North America, to begin to adopt end to end encrypted communications, you know, that's managed by the carriers. RCS calling and messaging for example, that's managed by the carriers. That's a regional initiative. I could see a world, particularly as 5G gets rolled out, you know, a decade from now where there might be some global mobile network operator level protocol for end to end encrypted calling and messaging potentially that would, potentially supplanting solutions iMessage and FaceTime.
Now the issue will be, those would be good solutions for consumers. You would still have this fundamental problem that governments and enterprise or you know, big enterprises have, in particular the US Department of Defense, where they need to be sure that the backend infrastructure for user administration, for call management, the call data records, that really needs to be under the control of the end using organization in order to have the maximum layer of protection and security. Because even if the carriers move to adopting more encrypted tools themselves, you still have the problem that the carrier themselves, the service provider, is hosting the infrastructure.
And then, sort of related to that, when you think about corporate mobile device usage, I've worked in a variety of settings, some where I'm issued a cell phone by my company. Some where I have to have my personal phone and my company phone. And then others where I just use my personal phone. You know, I would imagine that now it's much easier to exert control if you issue your employees phones, although the cost of that I would think is considerable. In the future, how do you think that will be handled?
So if I understand your question correctly, I think this points to one of the other issues with the consumer oriented applications being used in a government or enterprise context. And that is, if you're using WhatsApp to chat, to send chats with sensitive information to your colleagues, and you leave the company or you lose your device, all of that sensitive chat history is right there. If someone could get into the device, they can see what's in there. And what you need, is you actually need a solution that I think this is your point, that enables an organization to remotely wipe the application, remotely wipe the device. But if it's a personal device, what's important is the ability to remotely wipe the application. Because obviously you can't remotely wipe a device. And so I see the world moving towards a place where if it's your personal device and you have an enterprise application or an application for government communications, that application is going to be tied into the mobile device management platform of the organization so that it can be remotely managed.
How big of a challenge is the, you know, I like to think of it as the uniquely US passion for kind of, I don't want to say privacy because I think in some ways we're very privacy relaxed, but like independence and control over your own domain. I'm curious whether people would accept on a large scale giving a corporation access to any ability of control over their personal device. And if that were to be the solution, that there would be mobile device management at a centralized level within an employer, is it a barrier right now, given the way we're used to functioning in this country to say, as an employer, I want to be able to have some control over some part of your device?
I don't think it's a barrier because if you think about it, I think people have accepted that corporate email is actually owned by the company. And even if you put personal information in your corporate email, you're inherently, you're sharing that information. You're giving the corporate IT manager access to that information. I think where we're getting to, and people understand that email is vulnerable because we, we've seen phishing attacks and email so much more so up to now than we've seen hacks of calls and messages. But I think that more broadly, all data in transit that is under the corporate purview is going to become under more control, similar to what we've seen with email. And I think that because people have become socialized to understanding that they actually don't own their corporate email, I think that they will eventually come to accept that they also don't own all of those messages, you know, in the corporate messaging application. So what you'll have, so I've got TrustCall on my phone, which I use to communicate with people at work and I've got WhatsApp on my phone, which I use to communicate with friends and family, and the two worlds do not intersect.
Got it. And you mentioned phishing when you were talking earlier. I started thinking about phishing because, I think at least in my experience as an employee, as a person who's worked for different private enterprises, I've undergone plenty of training to recognize what a phishing email looks like. But I don't think I've ever had any training that talked about the equivalent for mobile devices. What does a phishing call or text, et cetera, look like? What needs to happen on that front? Because it does seem like, from what you're saying, that the individual is still the weakest link in the chain.
I think it's just going to be, well, it's going to be training, but it's also going to be really awareness and sensitivity to the vulnerability which we're seeing in spades right now. I think people just don't think about the fact that your Zoom call can be attacked, but they do now. And I think that as people become more aware, they're actually, I mean I was just reading articles the other day, they're becoming aware of how does, how to, to the extent they can adjust the privacy and protection and policy settings to give themselves more protection.
Yeah, it's definitely changed really quickly. That's been an interesting thing about this current situation, is I think it's been like a catalyst for something that might otherwise have taken potentially years to happen. Maybe that's a silver lining. I don't know. So what needs to happen from a regulation standpoint?
I think from a regulation standpoint, so this is a really interesting question. I actually think one of the reasons that it's taken so long for awareness in the United States to grow, to be where it needs to be in terms of the vulnerabilities in mobile communications, is because it's been very difficult to have the dialogue with the carriers about the fact that the networks are not secure. And it's really not, so we work with mobile carriers around the world and the message I bring to them is not your network is not secure AT&T. That's not true. AT&T's network, you know, they work hard to make it as secure as possible every day. The issue is that the network, the global network of networks is not secure. And so from a regulatory standpoint, it really needs to be you know, that needs, that's a global issue.
You know, all of the carriers are using the same protocols that really needs to be driven by GSMA and they are working very hard, truth be told, to develop more secure protocols for networks globally. However, the problem is going to be for a long time. So, even if we say a 5G network is a lot more secure than a 3G network, well guess what, 5G networks have to be able to interoperate with 3G networks for the next 30 years. So as long as there's even a handful of 3G or 4G networks out there in the world and we want every network to inter-operate, those flaws are going to be there, just fundamentally. The security and vulnerability is going to be there.
Yeah. Not to go to a dark and doomsday place, but when you talk about that, it makes me wonder how vulnerable are the larger networks? Like how easy would it be for a malicious actor to take down, you know, AT&T's network, for example? Forgetting about the consumer - like the big one.
So, yeah, interesting question. I think, and we've seen this a lot in the news in the past couple of years, kind of, you know, where did the components of the network come from? Should we have some sort of national security policy around our supply chains from mobile networks? And I think that the question, actually in my mind at least, fundamentally misses the point, which is that, you know, I think a bad actor someplace else in the world is not necessarily, you know, I don't think they're thinking about how to take down AT&T's network. I think, you know, if you're a spy someplace, if you can have complete visibility into that network and see all of the communications or whatever the communications that you think you need to see in that network, you're just as well having, you know, just maintaining that access as your leverage point, as your asset. And you actually don't have to touch the network in order to have that level of access. The vulnerable, the vulnerability of the network becomes a liability for, you know, for the host country, for the home country.
Is it fair to say then that probably many of our existing networks are already most likely compromised?
Absolutely. Because as long as I can roam from AT&T to any other network in the world, it's vulnerable. AT&T and I'm picking on AT&T, I don't mean to pick on AT&T, Verizon, Sprint, they're all, you know, they're working to put firewalls in place. Those firewalls provide better protection, but it's still, it's a very hard problem to solve because the firewall needs to be a smart firewall, and their firewalls are getting smarter, but they're still not smart enough to eliminate the vulnerability.
Wow. That's just so interesting because on the one hand you think about just how quickly mobile device technology has evolved, and how clearly the stuff that underpins it on the backend has not kept pace with that. So fascinating. Well, a couple of questions I want to make sure I ask you before we wrap up. The first is really with the way that we communicate and manage data changing so quickly, what do you see as the biggest challenge that we're going to face in the next few years?
I think the biggest challenge we're going to face is the one we're facing right now, which is how do we collaborate remotely in a secure way that's actually intuitive and easy to use for a broad swath of the population? I don't think we're there yet and I think we're finding out very painfully that we actually have quite a ways to go. There's quite a different, you know, there's a number of tools that are out there. I haven't seen one yet that I think really rings the bell in terms of ease of use, ease of access, and a robust level of security. I think that that's going to be a big problem for us. A big challenge that a lot of people including us are going to be working hard to solve over the next few years.
So knowing that there's not one that rings the bell, what technologies that are out there right now are you most excited about?
That's a great question. So I'm really excited about our technology because I think we approach the problem first from a security standpoint and from meeting the requirements of the organization and then, you know, broadening our capabilities to become more of a collaboration platform as opposed to a one to one communications platform. And I think that others have come from the standpoint of ease of use and a more consumer feel. And I think it's actually harder to come from that perspective, as we've seen with Zoom, and try and layer in the security.
Yeah. Now other than KoolSpan, company or individual, who do you think is doing really interesting and cutting edge work in this area?
Other than KoolSpan, who is doing really interesting and cutting edge work in this area?
It could be an individual person or a company.
I think that Harold Smith at Monkton is doing really interesting work in this area in terms of, he's got a really good understanding of the security requirements, particularly from the perspective of the Department of Defense, but then also just kind of a leading edge, innovative perspective on how to rapidly develop mobile applications and get them into the hands of users as quickly as possible. And he's been working a long time, you know, kind of building this capability and I think right now we're really seeing that that combination, his pretty unique combination of understanding how to navigate through the building and the Department of Defense, but then also be a really innovative and scrappy mobile app developer is just a great combination.
Alright, so Harold Smith?
Harold Smith at Monkton, yes. That's the one to watch.
I'll put a link to information about him in the show notes.
Absolutely, and someone that's worth talking to by the way.
Yeah, definitely. We'll have to try and get him on. Harold, we're coming for ya. Well, thank you so much for joining me this week, Nigel. This has been really interesting to learn about this and what a fascinating but sort of hairy problem to try and solve.
Challenging times but exciting and really looking forward to being part of the solution here.
Great. Well, if you're listening and you enjoyed this episode, please consider leaving the podcast a review on Apple Podcasts or wherever you choose to listen. We want to hear from you, and if you have an idea for a future episode, tweet us @Attilasecurity and maybe whoever you suggest will be the next guest. In the meantime, thank you so much, Nigel. It was fun talking with you.
Thank you. It was a pleasure speaking with you as well.