As a recent DataPhiles post explored, the threat to telecommunications infrastructure and private call records posed by foreign threat actors only continues to grow. In fact, at least one U.S. government agency has urged employees to avoid using mobile communications for any work-related activity. This has led private entities to wonder how they might protect the sensitive mobile communications of officers and employees.

The Cybersecurity and Infrastructure Security Agency (CISA) recently released guidance on how “highly targeted” individuals can protect themselves, and it is a strong starting point. Although CISA defines “highly targeted” as individuals in “senior government” or “senior political positions … likely to possess information of interest” to foreign threat actors, the guidance also serves as a reservoir of practical tips for private entities seeking to protect the communications of their officers and high-level employees.

There are, however, pitfalls to avoid in implementing the CISA guidance (or any similar mobile security guidance). Security enhancements may imperil compliance with litigation holds, discovery obligations, and other communications retention rules. As a result, private implementation of the CISA guidelines must be accomplished thoughtfully.

CISA Mobile Communications Guidance: An Overview

Foreign government-aligned hacking led to widespread theft of customer call records and the compromise of private communications over the past year. Even so, actual exfiltration and surveillance occurred only for a limited number of highly targeted individuals. CISA’s guidance is therefore “specifically” addressed to “highly targeted individuals” in senior government positions.

CISA’s general recommendations aim to eliminate persistent weak points in communications security. First, CISA recommends end-to-end encryption and avoiding insecure multi-factor authentication (MFA) options. For text messaging, this means adopting an encrypted messaging app (e.g., Signal). As to MFA, CISA recommends enabling phishing-resistant authentication, in particular, hardware-based authentication methods rather than text message-based options. Unenrolling from text-based MFA is also recommended. Second, CISA recommends using a password manager and ensuring that the password manager’s password is long, unique, and random. Third, CISA recommends low-cost security techniques like setting a PIN to access telecommunications accounts, regularly updating software and hardware, and avoiding personal VPNs.

CISA also provides iPhone- and Android-specific recommendations. According to CISA, iPhone users should enable lockdown mode, disable messages not sent as iMessages, employ a secure DNS resolver (such as iCloud Private Relay or Google’s 8.8.8.8 Resolver), and restrict app permissions related to sensitive data (such as location or camera roll). For Android users, CISA suggests restricting communications to Google Messages, which are end-to-end encrypted; regularly updating hardware and software; using a “high privacy” DNS resolver; confirming “Use Secure Connections” is enabled in browser settings; and, as with iPhone, blocking app access to sensitive data.

Balancing Risk-Informed Implementation with Communication Retention Obligations

Some of CISA’s tips are worth employing in nearly all cases, including using a password manager; using long, unique, and random passwords (including for voicemail PINs); regularly updating software; and restricting app permissions related to sensitive data.

For those private entities that deal with sensitive national security information—because, for example, they are part of the Defense Industrial Base—broader implementation of CISA recommendations may be prudent. Supporting employees so that they can enact best practices is essential. For example, enabling voicemail PINs longer than the traditional four digits allows employees to use long, unique, and random passwords, as CISA recommends. On an entity-wide level, broader implementation of CISA guidance means taking several steps. Many private entities have a central telephone switchboard that connects callers to employees and employees to each other on a dedicated network. This central switch is often an attack vector, so it is imperative to ensure that it is physically secure and regularly assessed for intrusions by trained security personnel. On the individual officer and employee level, broader implementation means taking further steps, including adopting CISA’s full set of recommendations.

But thoughtful implementation is necessary: adopting the CISA recommendations wholesale could create conflict with communication retention obligations, for instance, existing litigation holds or eDiscovery processes. To use encrypted app-based messaging as an example, as CISA points out, such apps often “include features like disappearing messages and images,” and that may mean unintentional noncompliance with litigation holds. Furthermore, injudicious use of security-enhancing strategies could imperil compliance with securities communication retention rules. For public companies and those that deal in securities, securities rules require that registrants maintain certain recorded communications, including “instant messages,” for specified periods (see, e.g., 15 U.S.C. § 78o-10(g)(1)). Likewise, registered investment advisors are required to maintain certain “books and records,” including of communications. 17 C.F.R. § 275.204-2(a)(7)(i)–(iv). If, for instance, required records are natively encrypted and a hardware-based decryption technique (such as a smart card) is relied on, the loss of the hardware key compromises an entity’s securities compliance strategy.
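The last point above, that a single hardware-held decryption key becomes a single point of failure for retained records, has a standard mitigation: envelope encryption with a second, escrowed key-encryption key (KEK). The following Go program is an added illustration, not code from the post, CISA, or any product; the record layout, the `ArchiveRecord`/`RecoverRecord` functions, and the sample message are all constructed for this example. Each archived message is sealed under a random data key, and that data key is wrapped twice, once under the employee's hardware-held KEK and once under a compliance-held escrow KEK, so that loss of the hardware token alone does not strand a record that a litigation hold or books-and-records rule requires the entity to produce.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// ArchivedRecord is a hypothetical envelope-encrypted archive entry. The body
// is sealed with a per-record data key; that data key is wrapped under both
// the employee's hardware KEK and a compliance-held escrow KEK.
type ArchivedRecord struct {
	ID                  string // bound to every ciphertext as associated data
	Nonce, Body         []byte // AES-256-GCM of the content under the data key
	UserNonce, UserWrap []byte // data key wrapped under the user's hardware KEK
	EscNonce, EscWrap   []byte // data key wrapped under the escrow KEK
}

// RandomKey returns a fresh 256-bit key (used here for KEKs and data keys).
func RandomKey() []byte {
	k := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		panic(err)
	}
	return k
}

// seal encrypts plaintext with AES-256-GCM under key, binding aad to the result.
func seal(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, nil, err
	}
	return nonce, gcm.Seal(nil, nonce, plaintext, aad), nil
}

// open reverses seal; a wrong key, tampered ciphertext or mismatched aad fails.
func open(key, nonce, ct, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, aad)
}

// ArchiveRecord seals one retained message and wraps its data key under both KEKs.
func ArchiveRecord(id string, content, userKEK, escrowKEK []byte) (*ArchivedRecord, error) {
	aad := []byte(id)
	dataKey := RandomKey()
	n, body, err := seal(dataKey, content, aad)
	if err != nil {
		return nil, err
	}
	un, uw, err := seal(userKEK, dataKey, aad)
	if err != nil {
		return nil, err
	}
	en, ew, err := seal(escrowKEK, dataKey, aad)
	if err != nil {
		return nil, err
	}
	return &ArchivedRecord{ID: id, Nonce: n, Body: body, UserNonce: un, UserWrap: uw, EscNonce: en, EscWrap: ew}, nil
}

// RecoverRecord unwraps the data key with whichever KEK is available. A nil
// userKEK models a lost or destroyed hardware token; the escrow KEK then
// satisfies a records request without touching the stored ciphertext.
func RecoverRecord(rec *ArchivedRecord, userKEK, escrowKEK []byte) ([]byte, error) {
	aad := []byte(rec.ID)
	var dataKey []byte
	var err error
	switch {
	case userKEK != nil:
		dataKey, err = open(userKEK, rec.UserNonce, rec.UserWrap, aad)
	case escrowKEK != nil:
		dataKey, err = open(escrowKEK, rec.EscNonce, rec.EscWrap, aad)
	default:
		return nil, errors.New("no key-encryption key available: record unrecoverable")
	}
	if err != nil {
		return nil, fmt.Errorf("unwrap data key: %w", err)
	}
	return open(dataKey, rec.Nonce, rec.Body, aad)
}

func main() {
	userKEK, escrowKEK := RandomKey(), RandomKey()
	// Constructed sample message, not a real record.
	rec, err := ArchiveRecord("msg-0001", []byte("constructed sample: client instruction 10:42"), userKEK, escrowKEK)
	if err != nil {
		panic(err)
	}
	// Simulate a lost hardware token: the user KEK is gone, escrow still works.
	out, err := RecoverRecord(rec, nil, escrowKEK)
	fmt.Printf("escrow recovery: %q (err=%v)\n", out, err)
	_, err = RecoverRecord(rec, nil, nil)
	fmt.Println("no KEK at all:", err)
}
```

The escrow KEK is the compliance-side control: it should be held separately from the employee's token, with its use logged and restricted to records-management staff, so that the retention obligation is met without weakening the employee's day-to-day protection. Binding the record ID as associated data means a wrapped key cannot be quietly moved onto a different record.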

What the possibility of conflicting legal requirements highlights is that security choices should always be risk-informed. The higher the risk an entity faces across a particular set of employees, the more worthwhile it is to protect employee and officer communications by strictly implementing CISA’s mobile communications guidance. The lower the risk an entity faces across a particular set of employees, the less sense it makes to risk noncompliance with communications retention requirements.

Many private entities do not possess “information of interest” to foreign threat actors and therefore face reduced risk. In some ways, the threat such entities face resembles the threat posed by classical wiretapping and corporate espionage threat models. For such entities, security steps like using a hardware option for MFA or encrypted

As always, the Data, Privacy and Cybersecurity team is here to answer any questions about mobile communications best practices. Stay tuned to the RopesDataPhiles blog for continued legal analysis of emerging cybersecurity risks.

For more information on PLI’s new edition of its cyber law treatise, Cybersecurity: A Practical Guide to the Law of Cyber Risk, click here.