The Pentagon has banned most versions of a popular video conferencing application for its personnel after reports surfaced revealing major security issues linked to China.
Service members, civilians and contractors can no longer use free versions of Zoom in official capacities, said a Pentagon spokesman, Air Force Lt. Col. Robert Carver, in a statement to Military.com. However, personnel will be allowed to use Zoom for Government, a paid and more secure version of the application, but only for “publicly-releasable DoD information not categorized as For Official Use Only,” Carver said.
Zoom for Government has been issued a Federal Risk and Authorization Management Program (FedRAMP) provisional authorization, Carver added.
“The department requires our workforce only use DoD-approved platforms when conducting official business,” Carver said.
The FBI said last week that it saw an increase in “Zoombombing,” the phenomenon of uninvited users infiltrating Zoom video conference sessions, in this case, between Pentagon personnel.
The Pentagon policy went into effect immediately, but an unnamed DoD official voiced skepticism to Voice of America about how fast the policy would be fully practiced by all personnel. Pentagon personnel can use a host of other services for official purposes, including Milsuite.mil, Global Video Services Unclassified, or GVS-U, among others.
“Just because senior leadership enacts a policy does not automatically mean that everyone in every corner of an organization immediately gets the word,” the official reportedly said.
The policy change came not long after the University of Toronto found in its research on the popular platform that users’ data had been transferred through China. That routed data, and users’ privacy with it, could be at risk, given that China could force Zoom to decrypt the data that was transferred through China.
“During a test of a Zoom meeting with two users, one in the United States and one in Canada, we found that the AES-128 key for conference encryption and decryption was sent to one of the participants over TLS from a Zoom server apparently located in Beijing, 22.214.171.124,” the University of Toronto researchers wrote in their findings. “A company primarily catering to North American clients that sometimes distributes encryption keys through servers in China is potentially concerning, given that Zoom may be legally obligated to disclose these keys to authorities in China.”
According to the Brookings Institute, a Washington, D.C.-based think tank, more than half of the 140 million-plus American workers are currently working from home. That’s more than double what that figure was in 2017 and 2018.
As a result, servers used by companies offering free video conferencing have seen a dramatic rise in usage, making it difficult for those companies to handle all that data. In response, Zoom mistakenly rerouted some of that data to Chinese servers, where it wasn’t safe under the law, as China doesn’t enforce many laws protecting users’ privacy.
“In our urgency to come to the aid of people around the world during this unprecedented pandemic, we added server capacity and deployed it quickly — starting in China, where the outbreak began,” Zoom CEO Eric Yuan said in a statement on April 3. “In that process, we failed to fully implement our usual geo-fencing best practices. As a result, it is possible certain meetings were allowed to connect to systems in China, where they should not have been able to connect.”
Zoom has 700 employees in China across several Chinese subsidiaries. It is unknown how many of the company’s 200 million daily active users have been affected.