Mobile devices pose major cybersecurity threats
Among the many rights that we hold dear, national security is, without reservation, at the very top of my personal list of priorities. But, such passionate convictions are not inconsistent with the need to intellectually evaluate public policy issues on the basis of utility and efficacy. That said, the public showdown between the FBI and Apple was, as some commentators have also written or said, a carefully chosen test case.
Ever since the first articles began appearing about the problem of terrorists “Going dark,” and long before the controversy concerning Apple and the FBI over the contents of ISIS-inspired murderer Syed Rizwan Farook’s iPhone 5c, I watched from the sidelines wondering whether and if to express observations or an opinion. The controversy was a rare opportunity for everyone from lawyers who know nothing about technology, and technologists who know nothing about the law —and everyone in between—to offer up an opinion.
As examples of the most spectacular commentaries, Apple, through its head of services, Eddy Cue, told us it wouldn’t be long before the FBI would force the technology company to surreptitiously turn on iPhone cameras and microphones, reported Univision. San Bernardino County District Attorney, Michael Ramos urged in a court filing that Apple should assist the Government in accessing the iPhone because it, “May contain evidence . . . that it was used as a weapon to introduce a lying dormant cyber pathogen that . . . poses a threat to the citizens of San Bernardino County.” Edward Snowden, among others, speculated that there were extant backdoors or zero-day exploits available to the FBI or others to access the phone. Likewise, certain commentators assured us that black hat hackers could already extract data from an iPhone via “critical flaws” (and, of course, qualified such conclusory claims with, “I cannot publicly share specific details beyond this”).
The controversy, which has been variously cast as a tectonic collision between privacy and security in which one or the other must give way, is neither epic nor novel. Yet, it is drama theater we must endure, if only because it brings attention to and sharpens certain issues, reminding the old of core values, and introducing those values to the young. This issue dates back at least to J. Edgar Hoover’s FBI intelligence gathering after World War II that continued until 1971, which led to the first Congressional investigations of the function and propriety of intelligence agencies’ activities. Then, just as now, technological developments resulted in a cat-and-mouse game between the Government’s intelligence programs and its subjects of surveillance.
That brings me to explain the ultimate thesis of this short commentary: the ability to communicate confidentially, as made possible by encryption, among other things, has become a cardinal tenet of information security needed to lubricate the engines of both commerce and government. The fact that criminals also rely this technology to obfuscate their criminal activity doesn’t mandate an attempt to monopolize or dismantle that technology overtly (as in through legislation or judicial imprimatur) and hope criminals won’t take notice or fail to adapt. They are resilient and resourceful and will adapt. And just because the Government might not be able to break the encryption is by no means the end of our civilized world. As has been true with all technological developments, just as one source of information has been foreclosed, new ones appear. Arguments to the contrary, I believe, are fueled just as much by laziness (i.e., resistance to innovation or adaption) as they are by a desire to serve and protect the public.
Prior to computer hard drives, law enforcement investigators relied on banker boxes of papers. Although such evidence could be burned, leaving no trace, imagine the frustration of having to learn computer forensics and latent data recovery in order to access the same information that was once found on ordinary paper. That initial frustration must have led to euphoria when investigators soon learned that what criminals thought was deleted was, in fact, recoverable! Years later, solid state drives, defragmentation programs, and forensic wiping utilities robbed investigators of the fruits of favorite data recovery techniques. But, at the same time, mobile devices and cell tower data provided an even richer trove of evidentiary artifacts.
Now, many of those mobile devices use hardware encryption by default, encryption apps are ubiquitous, and there is a credible forecast that 70% of global Internet traffic will be encrypted this year. Yet, thanks to the so-called Internet-of-things and embedded devices, there are newly appearing repositories of information, including Internet-connected cars, airbag controllers that record speed and force of impacts, Internet-connected home heating and cooling systems that detect when homeowners have arrived home or departed, fitness devices with GPS and activity tracking, and many, many other devices. So, just as mobile devices are increasingly out of reach of law enforcement, new evidentiary sources are appearing everywhere. Law enforcement, just as the criminals, must innovate. And so, the cat-and-mouse game will continue with or without judicial or legislative intervention.
And that is why the FBI’s withdrawal of its request for the Court to deputize Apple, resulting from a third-party’s proffered solution, is not the denouement of this drama. Now, competing legislative proposals (e.g., proposed by Richard Burr (R-NC) or John McCain (R-AZ)) are being drafted to provide the Government with a back door (thereby providing plausible deniability for Apple, WhatsApp, and other companies in failing to voluntarily assist the Government). The notion that such measures would enhance national security seems to me, without studying the issue further, illusory. Certainly, some criminals would resort to using an app compromised by such legislation (just as some do so now by using unencrypted text messaging, for example), but tech-savvy criminals may resort to rooting the phone and utilizing cipher suites or non-commercial cryptology solutions from outside the U.S.
Recently, committee members of the House Energy and Commerce and Judiciary committees formed a working group on encryption. More promising was that House Homeland Security Chairman Mike McCaul (R-Tex) and Mark Warner (D-Va) of the Senate Intelligence Committee introduced talk of a bill to create an Encryption Commission to analyze this subject. The panel would consist of computer scientists, cryptography experts, law enforcement, tech execs, intelligence officials, privacy and civil liberty advocates. In my view, this is the proper ecumenical gathering to address the subject, and I believe that they will do so in the context outlined above.
Learn more about Mobile Cybersecurity Issues at the National Cybersecurity Institute.
Graglia, D. (2016, March 8). Apple: El FBI se pone del lado de los hackers en el caso del iPhone de San Bernardine. Univision Noticias. Retrieved from http://www.univision.com/organizaciones/apple/apple-el-fbi-se-pone-del-lado-de-los-hackers-en-el-caso-del-iphone-de-san-bernardino
Rainie, L. and Maniam, S. (2016, February 19).Americans feel the tensions between privacy and security concerns. Pew Research Center. Retrieved from http://www.pewresearch.org/fact-tank/2016/02/19/americans-feel-the-tensions-between-privacy-and-security-concerns/
Sandvine (n.d.). Internet Traffic Encryption. Retrieved from https://www.sandvine.com/trends/encryption.html
Nasr, A. (2016, March 21). House Judiciary, Commerce Committees Announce Encryption Working Group. Retrieved from https://morningconsult.com/alert/house-judiciary-commerce-committees-announce-encryption-working-group/