Internal vs. External E2EE for U.S. Governments
In December 2024, the Cybersecurity and Infrastructure Security Agency (CISA), together with partner security agencies in allied countries, released official guidance describing significant cyber threats to communications infrastructure and recommending hardening practices for the network engineers and defenders who operate it.1
This advice comes in the wake of intrusions by “Salt Typhoon”, a group allegedly linked to the Chinese government, which compromised several major U.S.-based telecommunications companies, including AT&T, Verizon, T-Mobile, and Lumen Technologies.2 Because the attackers sat inside the carriers’ networks, they were able to access highly sensitive customer information that those networks handle in the clear: call records, live calls, and SMS text messages, which carry no end-to-end protection.3
So, what does that mean for you? Let’s examine the importance of end-to-end encryption in defending against these threats and how it can be used in consumer, commercial, and government applications.
What is E2EE?
End-to-end encryption (E2EE) is the property that matters most against an attacker who controls the network in between.
It is a communication design in which data is encrypted on the sender’s device with a key that only the two endpoints hold, stays encrypted across every hop in transit (carrier, relay server, cloud), and is decrypted only on the recipient’s device. An intermediary that is compromised, as the telecom carriers were, sees ciphertext rather than content. What E2EE does not hide by itself is metadata: who is talking to whom, when, and how much, which every hop still needs in order to route the message. Messaging apps and other communications services rely on E2EE to keep message content out of reach of anyone other than the intended recipient.4
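The following Go program is an added illustration, not code from KoolSpan or from any of the products named on this page, of what the paragraph above describes: the sender encrypts under a key the relay never holds (AES-256-GCM from Go’s standard library, the same algorithm the government requirements below call for), the relay can read and forward the message but sees only routing metadata and ciphertext, and any tampering or re-addressing in transit is rejected by the recipient. The envelope layout, the field names and the hypothetical users alice and bob are assumptions made for the example; a real product would also need a key agreement protocol, which is out of scope here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"io"
)

// Envelope is everything an intermediary (carrier, relay server, push
// service) gets to see. The routing fields are metadata and stay in the
// clear; only the body is protected by the endpoint key.
// (Illustrative layout, not any product's wire format.)
type Envelope struct {
	From, To   string // routing metadata, visible at every hop
	Nonce      []byte // 12-byte GCM nonce, unique per message under a key
	Ciphertext []byte // AES-256-GCM output: ciphertext followed by a 16-byte tag
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal runs on the sender's device. The relay never holds key.
func Seal(key []byte, from, to string, plaintext []byte) (Envelope, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Envelope{}, err
	}
	// Routing metadata is bound as associated data: it stays readable, but a
	// relay that rewrites From/To breaks the tag and the message is rejected.
	ad := []byte(from + "->" + to)
	ct := aead.Seal(nil, nonce, plaintext, ad)
	return Envelope{From: from, To: to, Nonce: nonce, Ciphertext: ct}, nil
}

// Open runs on the recipient's device; any modification in transit fails here.
func Open(key []byte, env Envelope) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	ad := []byte(env.From + "->" + env.To)
	return aead.Open(nil, env.Nonce, env.Ciphertext, ad)
}

// RelayView is what an intruder on the transport path learns from an E2EE
// message: who, to whom, and how much, but not what.
func RelayView(env Envelope) string {
	return fmt.Sprintf("%s -> %s, %d bytes of ciphertext", env.From, env.To, len(env.Ciphertext))
}

// Tamper flips one bit of the body, as a hostile relay might.
func Tamper(env Envelope) Envelope {
	ct := append([]byte(nil), env.Ciphertext...)
	ct[0] ^= 0x01
	env.Ciphertext = ct
	return env
}

func main() {
	// Constructed demo key; a real deployment derives one per device via key agreement.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	env, err := Seal(key, "alice", "bob", []byte("meet at 0900"))
	if err != nil {
		panic(err)
	}
	fmt.Println("relay sees:", RelayView(env))
	pt, err := Open(key, env)
	fmt.Printf("bob reads: %q (err=%v)\n", pt, err)
	_, err = Open(key, Tamper(env))
	fmt.Println("tampered message rejected:", err != nil)
}
```

The point to take from the relay view is the one the government requirements below turn on: even with content encrypted, the sender, recipient, timing and size are visible to whoever operates the relay, so where that relay runs, and who operates it, is a security decision in its own right.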
For Commercial & Consumers
Private communication applications such as Signal and WhatsApp offer E2EE for both messages and voice calls, which makes them suitable replacements for standard SMS and phone calls, neither of which is protected end to end and both of which are readable by whoever controls the carrier’s network. For iPhone users, iMessage and FaceTime provide end-to-end encrypted messaging and calling, respectively; note that iMessage is end-to-end encrypted only between Apple devices and falls back to unencrypted SMS when messaging other phones.
For Governments
These consumer applications are not suitable for the most sensitive use cases, because their backends, notification channels and metadata are operated by third parties outside the user organisation’s control. Instead, we recommend a solution with the following functions and features:
- Per-device E2EE using AES-256-GCM authenticated encryption for all communications.
- A backend deployable on-premises or in a private/government cloud.
- All data, including metadata, remains entirely under the control of the user organisation.
- Full functionality without any SaaS, public-cloud or hybrid (public-internet-facing) services, so that neither data nor metadata leaves the organisation.
- Its own notification service rather than the push services of Apple or Google, since those route wake-up traffic and its metadata through third-party infrastructure.
- Self-administration.
- Android, iPhone, Windows and Mac clients, so there is no platform lock-in.
- Voice calls, video calls, video conferencing and file transfer built in, with no reliance on other solutions.
- eDiscovery/audit module, optionally added where compliance or audit requirements demand it.
- Cryptography validated under NIST FIPS 140-2.
Conclusion
Follow the guidance and use E2EE with strong encryption for communication. Consumer/commercial solutions such as WhatsApp and Signal are appropriate for government employees’ private and non-sensitive external communication, but NOT for internal government communication: for that, use a solution built for government use that meets the requirements above.
Don’t hesitate to contact us at KoolSpan to discuss secure communication and privacy for you or your clients’ organisations. Get in touch today!
Sources:
3. https://www.theverge.com/2024/12/4/24313187/encrypted-apps-salt-typhoon-hack-telecom-fbi-cisa