[Updated] The UK’s National Cyber Security Center (NCSC) has become the first government agency to join Secure Chorus, a not-for-profit private company limited by guarantee, whose ownership rests with its members. The purpose of Secure Chorus is to develop a secure interoperable cross-platform multimedia communications ecosystem suitable for government and industry use.
Members of Secure Chorus include major global telecommunication operators, system integrators, defense prime contractors, technology companies, academic institutions and trade bodies including Vodafone, O2, BAE Systems Applied Intelligence, Leonardo, Sepura, Serbus, Cryptify, Armour Communications, SQR Systems, ISARA Corporation, Secoti, Surevine, Galaxkey, Cyber Synopsis, CSIT, UCL and techUK.
Like the NCSC itself, Secure Chorus has spun out of GCHQ (specifically, CESG). It was originally formed in 2012 as an industry-led working-group focused on supporting the UK government’s requirement for protecting OFFICIAL and OFFICIAL SENSITIVE communications, with the aim of ensuring that any multimedia communication in UK government is protected. Secure Chorus became a limited company in 2016, led by its current chairperson Elisabetta Zaccaria.
As an independent company, the Secure Chorus remit has grown, now describing itself as “serving as a platform for public-private collaboration and development of common standards and capabilities for secure communication for the global digital economy.” The NCSC is a strong advocate for its use within UK government.
A CESG document written in November 2015 and published by the NCSC in August 2016 reported, “CESG is committed to growing the Secure Chorus ecosystem to support more vendors and service providers. 4G Voice (VoLTE) will provide the perfect opportunity for service providers to offer end-to-end-security to government and enterprise customers by adopting the Secure Chorus standard.”
“Secure Chorus’ interoperability standards are based on an open cryptography standard,” Zaccaria told SecurityWeek. “Our cryptography standard of choice has achieved international adoption and is used by 3GPP (3rd Generation Partnership Project), a global initiative, providing system specifications for cellular telecommunications network technologies, which has adopted the cryptography standard for use in Mission-Critical applications, such as emergency services communications.”
In the 1990s, during what is now known as ‘the First Crypto War”, key escrow was a major proposal for UK government access to crypto keys. Many security professionals believe we have now entered the Second Crypto War with government demands on both sides of the Atlantic for government backdoors into end-to-end encryption products. However, Zaccaria insists that government involvement with Secure Chorus from inception, and now the NCSC’s membership, is not a subtle re-emergence of the key escrow policy.
“Many systems rely upon centralized key management solutions to provide much-needed enterprise control and management features,” she said. “Secure Chorus’ chosen cryptography standard is one of several major protocols that use a key management server. It is often a misconception that the legitimate key management server is a ‘backdoor’, when for many regulated and enterprise environments it is critical to enable the recovery of data, especially in light of the soon to be implemented EU GDPR regulation — which is sector agnostic and requires any enterprise to comply with ‘data subjects” right of access to his/her ‘personal data’, among other key requirements.”
Despite the necessity for key management, any key management server becomes a target for cybercriminals, and does provide a ‘backdoor’ into encrypted content for any person or organization that has access to the server and the stored keys. In both cases, the greater the centralization of keys within a single server, the greater the threat.
Zaccaria told SecurityWeek this is not an issue for Secure Chorus. “An enterprise can run its own KMS for its own users, maintaining full control over its own security system. In addition, thanks to the properties of the chosen cryptography standard, communication between two enterprise user groups managed by different KMS can then also be easily enabled.”
She added, “This means each enterprise can enable communication with selected external user groups without bringing these user groups into their own security perimeter.”
“One of the key objectives of the National Cyber Security Centre,” said Dr Ian Levy, technical director at the NCSC, “is to enable a safe digital economy and we see easy, secure communication for enterprises as key to that.
“Secure Chorus will play a role in convening a much-needed forum to bring together global industry, governments and academia to promote the development of an ecosystem of secure and interoperable products based on open standards.”
Secure Chorus has clarified that it is a company limited by guarantee (as opposed to a limited company), and that it evolved from a GCHQ industry-led working group (also called Secure Chorus) rather than it was spun out of GCHQ. Although SecurityWeek was originally told comments came from Elisabetta Zaccaria, we are now told they came from a company spokesperson. Finally, Secure Chorus has stressed that it is unable to speak on behalf of NCSC or any other of its members. Its comments that the key management system does not provide a backdoor should not suggest, one way or the other, any conclusion on NCSC (and therefore GCHQ) policy on backdoors or key escrow.
*Updated with Clarification on 5/2/18
Related: Fighting Cyber Security FUD and Hype
Related: UK Warns Critical Industries to Boost Cyber Defense or Face Hefty Fines
Related: The Argument Against a Mobile Device Backdoor for Government