Zoom bolsters policy and engineering teams as it courts government
Zoom added to its government-relations leadership and acquired an encryption company this week, as it continues to address cybersecurity issues that have caught the attention of federal agencies and lawmakers.
The video communications company added retired Lt. Gen. H.R. McMaster, who resigned as President Trump’s national security adviser in 2018, to its board of directors Thursday. Josh Kallmer, former executive vice president of policy at the Information Technology Industry Council, will head up government relations starting May 26.
A day after McMaster’s addition, Zoom announced the acquisition of Keybase, whose engineers will lend their expertise toward building default end-to-end encryption (E2EE) into calls.
While Zoom has greatly expanded its user base among the public during the coronavirus pandemic, it has faced occasional roadblocks in the federal government as agencies greatly increased their use of teleworking tools. The Department of Defense went so far as to ban Zoom for conducting official business over the security concerns.
The Zoom for Government offering — a version approved under the Federal Risk and Authorization Management Program (FedRAMP) for cloud services — remains under review by the Air Force. Agencies were warned against using Zoom’s free commercial offering for official business in guidance from the Cybersecurity and Infrastructure Security Agency.
Seven known agencies currently use the government platform: the Centers for Disease Control and Prevention, Corporation for National and Community Service, Customs and Border Protection, Department of Agriculture, Department of Health and Human Services, Department of Homeland Security, and United States Forest Service.
But adding end-to-end encryption could help. E2EE is particularly desirable for government uses, with Cisco Webex, Signal, Skype for Business, and Wickr among the applications that offer such security.
Zoom has already begun upgrading systemwide to the Advanced Encryption Standard in Galois/Counter Mode (AES-GCM), moving from 128-bit keys to more secure 256-bit keys. That leaves key management as the one impediment to default E2EE, Bruce Schneier, security technologist with the Berkman Center for Internet & Society at Harvard University, told FedScoop.
“They’re in the spotlight. They got nailed,” Schneier said. “I don’t know if anything else is better, so I’m glad they’re fixing it. Let’s encourage them just to go that last step.”
Whether E2EE is added to Zoom for Government is a conversation the company will have with its agency partners, according to a Zoom spokesperson.
“Spending money on fixing the problem shows you want to fix the problem,” Schneier said.
Currently, Zoom servers generate a single encryption key for every meeting, a method criticized by security experts and advocates because it allows the company itself to access the unencrypted video and audio content. True E2EE gives only meeting participants the ability to decrypt.
The NSA recently summarized the security offerings of videoconferencing apps like Zoom, but the document “remarkably doesn’t tell you what to do,” Schneier said.
Keybase’s team will help create a new E2EE solution where logged-in, paying users generate public cryptographic identities stored in a network repository. Meeting hosts will generate an ephemeral, per-meeting symmetric key distributed between clients.
Such meetings won’t support phone bridges, cloud recording and non-Zoom conference room systems the way the free version does, but the free version won’t have default E2EE.
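The difference between a server-generated meeting key and a host-generated key distributed to clients' public identities can be shown in code; the following is an added example, not Zoom's or Keybase's design or code. It assumes X25519 identities, HKDF-SHA-256 and AES-256-GCM key wrapping, none of which the article specifies, and every function name and the meeting ID are hypothetical.

```javascript
// Added illustration; not Zoom's or Keybase's code. All names are hypothetical.
const crypto = require('node:crypto');

// AES-256-GCM helpers: output is iv || tag || ciphertext.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}
function open(key, blob) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]); // throws on wrong key or tampering
}

// Key-wrapping key from X25519 between two identities, bound to one meeting ID.
function wrapKeyFor(myPrivate, theirPublic, meetingId) {
  const shared = crypto.diffieHellman({ privateKey: myPrivate, publicKey: theirPublic });
  return Buffer.from(crypto.hkdfSync('sha256', shared, Buffer.alloc(0), `meeting:${meetingId}`, 32));
}

// Host side: generate the per-meeting key locally and wrap it once per participant.
function hostCreateMeeting(hostPrivate, directory, meetingId) {
  const meetingKey = crypto.randomBytes(32);
  const wrapped = {};
  for (const [name, pub] of Object.entries(directory)) {
    wrapped[name] = seal(wrapKeyFor(hostPrivate, pub, meetingId), meetingKey);
  }
  return { meetingKey, wrapped }; // only `wrapped` is handed to the relaying server
}

// Participant side: recover the meeting key from the blob addressed to them.
function joinMeeting(myPrivate, hostPublic, meetingId, blob) {
  return open(wrapKeyFor(myPrivate, hostPublic, meetingId), blob);
}

// Constructed demo: identities are generated here, not fetched from any real repository.
function demo() {
  const [host, alice, server] = [0, 1, 2].map(() => crypto.generateKeyPairSync('x25519'));
  const { meetingKey, wrapped } = hostCreateMeeting(host.privateKey, { alice: alice.publicKey }, 'm-1');
  const frame = seal(meetingKey, Buffer.from('constructed audio frame'));
  const aliceKey = joinMeeting(alice.privateKey, host.publicKey, 'm-1', wrapped.alice);
  let serverCanRead = true;
  try { joinMeeting(server.privateKey, host.publicKey, 'm-1', wrapped.alice); } catch { serverCanRead = false; }
  return { heard: open(aliceKey, frame).toString(), serverCanRead };
}
```

The relaying party holds the wrapped blob and the encrypted frame but no participant private key, so its unwrap attempt fails GCM authentication.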
Zoom plans to publish a detailed draft cryptographic design on May 22 that, along with its new policy hires, will factor into the company’s 90-day plan for strengthening security and government trust.
As Zoom has seen use jump from 10 million to 300 million daily meeting participants, “Zoombombing,” in which intruders disrupt calls, often with hate speech and pornography, rose with it.
Last month, Rep. Jim Jordan, R-Ohio, wrote Rep. Carolyn Maloney, D-N.Y., to complain about the House Oversight Committee chairwoman’s use of Zoom for official business, after a briefing was Zoombombed three times.
“Zoom does significant good for our society, allowing people to connect and collaborate face-to-face from anywhere. This extraordinary capability is vital now more than ever,” McMaster said in his onboarding announcement. “My goal is to help the company navigate rapid growth and assist in meeting Zoom’s commitment to becoming the world’s most secure video communications platform.”