The FBI needs to update its investigative toolkit and embrace the 21st century, a provocative editorial in this week’s Science magazine argues. The Bureau’s recent squabble with Apple over unlocking a terrorist’s iPhone only underscores the magnitude of the problem, the editorial writer argues.
In February, the FBI took Apple to court to force the smartphone maker to override the password protection of an iPhone 5C that’d been used by one of the shooters in December’s San Bernadino terrorist attack. Apple held out, saying that caving in would set a dangerous precedent. As both Apple and legal analysts at the time argued, Apple would then have had little recourse but to bow to similar future demands by law enforcement — and repressive governments overseas.
Apple won the standoff in March when the FBI instead paid a third-party organization to break into the iPhone in question. That small victory is only temporary, though, if federal criminal investigators continue treating modern digital communications as if they were just a flashier form of analog telephony.
In the 1970s or ‘80s, says Susan Landau, writer of the Science editorial and professor of Cybersecurity Policy at Worcester Polytechnic Institute, analog wiretaps were court-supervised, one-off intrusions. Wiretaps back then couldn’t be easily repurposed by other agencies or governments or criminal organizations.
“The FBI keeps talking about [the Apple case] as privacy versus security, but it’s really security versus security,” Landau says. “Do we secure our communications and our devices, because those are the ways to enable controlling the power grid safely, to controlling critical infrastructure safely, to keeping business data secure, and so on? Or do we make it simpler for law enforcement investigations at the risk of also enabling criminals and other nation states to break in?”
Landau points to the FBI’s budget as representative of the agency’s priorities. “The FBI has some excellent capabilities in cyber investigations, but not at the scale and level for solving today’s problems,” she writes. Its lawful hacking program, called Going Dark, has 39 staff positions, using 11 agents — and a budget of $31 million.
While the 2017 Federal budget increases the program’s funding to $38.3 million (with no additional positions), Landau says this level of staffing and support is simply not up to the magnitude of the problem today. For context, she points to the FBI’s physical surveillance budget, which has 549 agents and $297.8 million in funding.
The NSA, on the other hand, has if anything over-embraced the digital age.
“In the late 1990s and 2000s, the NSA was having a lot of trouble with fiber optic cable, with encrypted communications, not just by the Europeans and other developed nations but even by third world nations,” Landau says. “One of the things about going digital is that all of a sudden a lot of stuff went into communications, and NSA was having tremendous trouble.
“Post-Snowden, there can’t be any argument that NSA is collecting and making use of those communications quite effectively,” she says. Yet, she adds, “FBI instead has asked for legal controls to let them do the same kind of wiretapping they did in the 1970s.”
One of the complications, she says, that the FBI didn’t adequately acknowledge in the iPhone 5C case was the importance of reliably secure smartphones across the private and public sector. Two-factor authentication, in which logging in to an account requires both a password and a separate security code sent via text message to one’s phone, is an essential component of secure corporate and government communications today, she says.
If Apple had been forced to create essentially a skeleton key that would have enabled back-door access to the San Bernadino iPhone, she says, there would have been a real danger of that skeleton key leaking out, possibly undermining two-factor authentication around the world. And that, she says, could have been devastating.
“If we think long-term, we want our phones to be our secure authenticators,” she says. “Facebook is using that, Google is using that, some high-level government agencies are using that.
“The other part of the equation is, hey, we’ve gone digital. What we produce is digital. A lot of what we produce these days is IP rather than manufactured goods themselves. As such, the FBI hasn’t caught up. The FBI needs to develop much better techniques and a much better way of looking at the world.”
With an increase in their cyber budget and outside guidance from the public, from congress and from the administration, Landau says, the FBI has the potential to use the Apple case as a turning point.
“The FBI should be urging manufacturers to increase the security of their devices,” Landau writes.
This is because, as the FBI found with the San Bernadino iPhone, cracking an individual device that one has unlimited physical access to is not nearly as impossible as FBI initially claimed.
“There are firms that do forensic work in “decapping” chips to expose information on them,” she testified before the U.S. House Judiciary Committee on March 1, in the midst of the FBI-Apple battle. “Rough estimate of costs are around half a million dollars. I’ve heard other estimates that come in much lower, say in the one hundred thousand dollar range. The point is that solutions to accessing the data already exist within the forensic analysis community.”
In other words, FBI ultimately benefits from stronger security on smartphones and other consumer devices. Two-factor authentication, on which increasing amounts of the U.S. economy and infrastructure rely, demands it. If an individual device, like a deceased terrorist’s smartphone, needs to be opened by brute force, and there are resources enough to do it, the job often can be done.
“I am hoping that both from the kinds of things we’re hearing from former senior members of the defense and homeland security communities as well as the pressure from industry that the FBI is rethinking its position,” she says. “And realizing that it needs to build in this area, and it needs to do it quickly. And that this is an opportunity, not a threat.