WASHINGTON (CARLA BABB-VOANEWS.COM) - U.S. military and government employees continue to use the popular videoconferencing application Zoom for official business, despite FBI warnings about privacy and security issues, an action experts fear is increasing the risk of government data breaches.
Zoom has seen a surge in activity during the coronavirus pandemic as office workers across the country have turned to the free app to quickly arrange video calls with dozens of participants.
The federal government has been no different, despite an FBI announcement April 1 that hackers could exploit weaknesses in videoconferencing software systems like Zoom to “steal sensitive information, target individuals and businesses performing financial transactions, and engage in extortion.”
The security concern is much greater than “Zoom bombing” attacks reported by users whose chats have been infiltrated by hackers shouting profanities or posting lewd images.
Experts say the teleconferencing app may introduce security risks not only during government employees’ Zoom sessions, but to data that resides on government computers.
“If there are vulnerabilities, the app can jeopardize the security of data on the computer on which it is installed, or even potentially on other computers on the same network,” Joseph Steinberg, a leading cybersecurity expert and the author of Cybersecurity for Dummies, tells VOA. “Such vulnerabilities have been discovered — and more may exist.”
Zoom CEO Eric Yuan said in an April 1 blog post that the company was freezing work on new features to focus on fixing its privacy and security problems.
In the meantime, VOA reporting shows that Zoom remains one of the most popular videoconferencing applications for U.S. government employees from the Pentagon to Capitol Hill, not all of whom are aware of its potential risks.
“I'm not aware of any issues with Zoom,” a senior official in the Office of the Joint Chiefs of Staff told a small group of reporters a day after the FBI guidance was issued.
The U.S. defense official said he was using Zoom to videoconference amid the need to social distance, but when pressed by VOA about the potential security risks, the official added that every discussion his team had while on Zoom was “at the unclassified level.”
Government employees can use Zoom for Government, a paid tier service that is hosted in a separate cloud authorized by the Federal Risk and Authorization Management Program. It is unclear, however, how many government employees have differentiated between the two services thus far.
To date, Zoom remains on the approved list of mobile phone applications for U.S. Department of Defense employees, according to multiple officials.
However, one senior defense official said the Pentagon was currently looking into “guidance adjustments” for the application.
Multiple employees at the State Department have also been using Zoom for official business. One staff member said he and his colleagues have daily Zoom meetings and have not received any guidance against using the app for internal and external communication.
Assistant Secretary of State for Political-Military Affairs R. Clarke Cooper last week tweeted about his department’s use of a “Zoom Room.”
The State Department sent an email to employees Thursday morning saying that the free version of Zoom "is not authorized for the conduct of official business or on official Department devices used to access OpenNet." It told employees to use Cisco Webex, FAN Google Meet, Microsoft Teams or Skype for Business.
"While the Government version of Zoom may be reviewed for Department adoption in the future, Zoom has been approved for use on Dedicated Internet Networks (DIN)," the email said. "In light of new security concerns, the Bureau of Information Resource Management office of Information Assurance (IA) will take a fresh look at this and address any cybersecurity concerns that may exist."
On Capitol Hill, a U.S. lawmaker’s office insisted that VOA use Zoom for an interview, despite the FBI warning. The lawmaker’s press secretary told the reporter that there would not be security issues because the meeting was password protected.
A Zoom spokeswoman told VOA Zoom takes user security “extremely seriously.”
“A large number of global institutions ranging from the world’s largest financial services companies, to leading telecommunications providers, government agencies, universities and others have done exhaustive security reviews of our user, network and datacenter layers and confidently selected Zoom for complete deployment,” a Zoom spokesperson said Thursday.
While various parts of the U.S. government have yet to restrict Zoom use, U.S. tech giant Google has banned the popular videoconferencing software from its employees’ devices.
Last week, Google sent an email to employees citing Zoom’s “security vulnerabilities” and warning the videoconferencing software on employee laptops would cease working.
Germany’s Foreign Ministry has also restricted the use of Zoom, allowing it only on fixed-connection computers rather than mobile devices, after concluding the app’s software had “critical” weaknesses, according to media reports Wednesday.
Concerns of Chinese cybertheft
Scott Stewart, vice president of Stratfor's Threat Lens and a former diplomatic security service special agent, told VOA a “good portion” of Zoom’s development team is in China, and the videoconferencing company’s failure to use end-to-end encryption could allow an employee under pressure by the Chinese government to access and share private conversations.
Defense Secretary Mark Esper has repeatedly said maintaining a military advantage over China is the Pentagon’s “highest priority,” and for years top military officers have warned of China’s use of forced technology transfer, intellectual property theft and cyber-espionage to expand their military capabilities.
Steinberg told VOA he would not recommend Zoom use on military or government computers.
“Other apps are more time tested,” he said.
Nike Ching, Katherine Gypson, Michelle Quinn and Patsy Widakuswara contributed to this report.