In mid-December, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a new set of best practices aimed at securing mobile communications, specifically targeting “high-value individuals.” This guidance follows reports of Chinese-backed cyberattacks on U.S. telecommunications infrastructure, including the breach of Verizon and sensitive phone records involving U.S. political figures. Although aimed at personnel who deal with sensitive matters, the recommendations can be implemented by anyone who wants their communications to be as private as possible.
The five-page “Mobile Communications Best Practice Guidance” was published to address the rising threats against those in senior government and political positions, whose communications are valuable targets for foreign adversaries. CISA highlighted the need for enhanced security measures after Chinese-affiliated actors were discovered compromising U.S. telecommunications providers. These breaches resulted in the theft of call records and other sensitive data.
The new guide urges high-profile individuals to assume that all mobile communications—whether from government or personal devices—are at risk of being intercepted or manipulated. The first and foremost recommendation is the use of end-to-end encrypted communication platforms, such as Signal or WhatsApp, to ensure private conversations remain secure. Additionally, CISA advises avoiding SMS messaging due to its vulnerability to interception by attackers who may gain access to telecom networks.
Among the other recommendations, CISA stresses the importance of using phishing-resistant authentication methods, such as FIDO (Fast Identity Online) protocols, for logging into key accounts. FIDO authenticators, such as Yubico or Google Titan security keys, provide robust multi-factor authentication, adding another layer of protection. For Gmail users, enrolling in Google’s Advanced Protection Program is also advised.
Furthermore, CISA advises high-value individuals to utilize password managers, implement a PIN or passcode for mobile accounts, and protect sensitive mobile transactions, such as number porting, from SIM-swapping attacks. Keeping mobile devices updated with the latest software and using the most recent hardware versions are also key to maintaining security.
Lastly, CISA warns against using personal VPNs, explaining that they often shift risks from an internet service provider to the VPN provider, which may inadvertently increase the attack surface.