Cybersecurity for think tanks part four: the bright and dark sides of Zoom


In mid-April, during a web event in our #DigitalThinkTanking series, we surveyed thinktankers on which video-conferencing tools their think tank uses for online events. This is what we found:

In other words: an overwhelming majority of think tanks use Zoom.

The results of our quick survey also seem to fit the global trend: Zoom has surpassed many established video-conferencing services such as Microsoft’s Skype, Cisco’s Webex and Google’s Hangouts in popularity.

In late March 2020, Twitter and other social media feeds were suddenly full of screenshots showing Zoom work meetings, yoga classes and after-work beers online.

Many policymakers jumped on the Zoom bandwagon too – especially in those countries where the public sector ‘overslept’ the digital transformation (for example, where labour laws regulating public officials and workspaces had not been updated in years to allow for remote work, or where there’s no established or trustworthy way to cast votes remotely).

In the digital world, the tools that attract the most users are often those that are particularly easy to use, focus on a single task and have low barriers to entry. Security is often an afterthought.

Once user adoption is widespread, network effects kick in and make it unattractive to use alternatives to the most popular option. This has been the case with Facebook, WhatsApp and now Zoom. The network effect then cascades: even more users, including latecomers to digitisation such as governments, join the platform too.

With high popularity comes the bad guys

‘Zoombombing’ – the practice of pranksters joining Zoom sessions without the password – soon became a thing.

This was facilitated by a lack of awareness among new Zoom users. Posting screenshots of your meetings on Twitter that show the meeting ID allows anyone to join the call. This led the FBI in the US to issue a warning that everyone should set passwords for their meetings. And in the UK, Prime Minister Boris Johnson accidentally shared the Zoom meeting ID for a cabinet meeting.

Source: Pippa Fowles/10 Downing Street via Metro UK, 31 March 2020

The Zoom trend did not go unnoticed by intelligence agencies either. Chinese state hackers allegedly began to target Zoom calls of companies to siphon intellectual property. With more governments conducting day-to-day business via Zoom, this should not come as a surprise. The sudden popularity of the app made it worthwhile for intelligence agencies to invest time and resources to spy on digital meetings. Like most hackers, intelligence agencies tend to go where the users are, because the return on investment seems highest.

The company Zoom actively contributed to this trend, as it made false promises about its security practices. A report by the Canadian Citizen Lab uncovered that, although advertised on its website, Zoom did not use the industry gold standard of end-to-end encryption.

Instead it relied on transport layer security (TLS), which has one important limitation: communication between two parties is only encrypted while in transit between each user and the server, not while it is processed on Zoom’s servers, where it is available in the clear.

Zoom uses intermediary servers sitting between users to do audio processing and signal enhancement. This is essentially the key to Zoom’s unmatched scalability and its ability to host meetings with hundreds of participants while maintaining excellent audio quality. The caveat is that anyone with access to these central servers can listen in on sensitive conversations.
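To make the distinction concrete, here is a small model (added here, not Zoom’s code or protocol) of a relay server between two participants. In the transport-only mode each hop is encrypted with a per-client session key, so the server decrypts, can read and process the media, and re-encrypts for the recipient; in the end-to-end mode the two participants share a key the server never holds, so it can only forward ciphertext. The cipher is a deliberately simple HMAC-based keystream for illustration, not a production construction.

```python
"""Hop-by-hop (TLS-style) relay versus end-to-end encryption, modelled."""
import hashlib
import hmac
import os


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Toy stream cipher: HMAC-SHA256 in counter mode. Illustration only.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(12)
    return nonce + bytes(a ^ b for a, b in zip(plaintext, keystream(key, nonce, len(plaintext))))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:12], blob[12:]
    return bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct))))


class RelayServer:
    """Media server between two clients. `observed` records what it can read."""
    def __init__(self):
        self.session_keys = {}   # one transport key per client (the TLS hop)
        self.observed = []

    def register(self, name: str) -> bytes:
        self.session_keys[name] = os.urandom(32)
        return self.session_keys[name]

    def relay(self, sender: str, recipient: str, blob: bytes) -> bytes:
        payload = decrypt(self.session_keys[sender], blob)  # hop 1 ends here
        self.observed.append(payload)                       # server-side view
        return encrypt(self.session_keys[recipient], payload)  # hop 2 begins


def transport_only_call(message: bytes):
    """Returns (what Bob receives, what the server could read)."""
    server = RelayServer()
    alice_key, bob_key = server.register("alice"), server.register("bob")
    blob = server.relay("alice", "bob", encrypt(alice_key, message))
    return decrypt(bob_key, blob), server.observed[0]


def end_to_end_call(message: bytes):
    """Same relay, but Alice and Bob add a layer under a key the server lacks."""
    server = RelayServer()
    alice_key, bob_key = server.register("alice"), server.register("bob")
    e2e_key = os.urandom(32)  # agreed between the two clients only
    blob = server.relay("alice", "bob", encrypt(alice_key, encrypt(e2e_key, message)))
    return decrypt(e2e_key, decrypt(bob_key, blob)), server.observed[0]
```

In the end-to-end case the server’s `observed` entry is ciphertext, which is exactly why it can no longer do audio processing on the media it forwards.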

Source: Matthias Schulze

Another contributing factor was Zoom’s start-up heritage. Zoom is considered a unicorn company, one of the few start-ups that became a successful multi-million business in just a few weeks.

The standard slogan ‘move fast and break things’, still the prevalent mindset in start-up culture, has the unfortunate downside of poor security practices. Launching a limited product quickly takes priority over the cumbersome and slow process of building security in during design.

Zoom showed many signs of this sloppy approach to security: malware-like behaviour of the Zoom client, unwanted data sharing with Facebook and emerging security vulnerabilities. Zoom’s CEO Eric Yuan was forced to apologise publicly and, in response, promised a stronger focus on security in the future. Since then, the company has certainly upped its security game. For example, in June, Zoom announced that it is working on end-to-end encryption. But IT security is a marathon, not a sprint.

Zoom’s security blunders left many in governments and think tanks wondering how secure it is to use video conferencing tools. Some countries or government agencies outright banned the use of Zoom, among them the US Senate, the German Foreign Ministry, NASA and the Australian Defence Force.

Many of those who banned it cite fears of Chinese cyber-espionage and, particularly in Europe, uncertainty about data being hosted on US servers and thus out of reach of the EU’s General Data Protection Regulation (although it is now possible to choose Europe as a server location for Zoom).

If services are hosted on foreign servers there is always the risk that a company is forced to open up its systems to law enforcement or intelligence agencies (lawful access). That risk gained prominence in the debate about potential ‘backdoors’ in Huawei 5G network equipment. However, the Snowden leaks remind us that lawful interception and mandatory surveillance backdoors are implemented in democratic countries too.

Of course, Zoom is still a reasonable choice for some purposes and organisations. In part five of this series, we go into more detail about how you can create safer spaces for sensitive policy conversations in terms of confidentiality and cybersecurity… including with Zoom.