It seems Sil­i­con Val­ley un­der­es­ti­mated just how much the feds want that back­door key

▶ Months ago, the White House said it would stand down on en­cryp­tion back­doors. Whoops ▶ “The govern­ment’s go­ing to have to get over it. We had this fight 20 years ago”

Bloomberg Businessweek (Asia) - - CONTENTS - −Michael Ri­ley and Jor­dan Robert­son

Sil­i­con Val­ley cel­e­brated last fall when the White House said it wouldn’t seek leg­is­la­tion forc­ing tech­nol­ogy mak­ers to in­stall soft­ware “back­doors”— se­cret lis­ten­ing posts in­ves­ti­ga­tors could use to snoop on text mes­sages, video chats, and other en­crypted data. But while the com­pa­nies may have thought that was the fi­nal word, the govern­ment was al­ready work­ing on a broad set of new ways to ac­cess in­for­ma­tion un­der dig­i­tal lock and key.

In a se­cret meet­ing con­vened by the White House around Thanks­giv­ing, se­nior na­tional se­cu­rity of­fi­cials or­dered fed­eral agen­cies to find ways to counter en­cryp­tion soft­ware and gain ac­cess to the most heav­ily pro­tected user data on the most se­cure con­sumer devices, which would in­clude Ap­ple’s iPhone, say two peo­ple fa­mil­iar with the de­ci­sion.

The or­der was for­mal­ized in a con­fi­den­tial Na­tional Se­cu­rity Coun­cil memo out­lin­ing pri­or­i­ties and timeta­bles. The memo di­rects govern­ment agen­cies to es­ti­mate how much money they’d need to de­velop new coun­teren­cryp­tion tech­niques and to iden­tify laws they may need changed to make more dig­i­tal files ac­ces­si­ble by in­tel­li­gence and law en­force­ment agen­cies. The NSC de­ci­sion shows the govern­ment was pri­vately hon­ing its weapons against Sil­i­con Val­ley’s pop­u­lar prod­ucts de­spite pub­lic signs of rap­proche­ment.

On Feb. 16 the pub­lic got its first glimpse of what those weapons may look like. A fed­eral judge or­dered Ap­ple to cre­ate a spe­cial tool that would al­low the FBI to by­pass se­cu­rity pro­tec­tions on an iPhone 5C that be­longed to one of the shoot­ers in the Dec. 2 ter­ror­ist at­tack in San Bernardino, Calif., which killed 14 peo­ple. Ap­ple Chief Ex­ec­u­tive Of­fi­cer Tim Cook has vowed to fight the or­der, call­ing it a “chill­ing” de­mand that Ap­ple “hack our own users and un­der­mine decades of se­cu­rity ad­vance­ments that pro­tect our cus­tomers.” The or­der wasn’t a di­rect out­come of the memo, but it’s in line with the broader govern­ment strat­egy.

White House spokesman Josh Earnest says the govern­ment wants ac­cess to just one de­vice and isn’t ask­ing for a broader re­design or se­cu­rity hole. (The prob­lem with back­doors in com­puter sys­tems is they’re easy for hack­ers to ex­ploit.) But se­cu­rity spe­cial­ists say the case car­ries enor­mous con­se­quences for pri­vacy and the com­pet­i­tive­ness of U.S. busi­nesses—and that the pre­vi­ously un­re­ported NSC di­rec­tive shows tech com­pa­nies un­der­es­ti­mated the govern­ment’s de­ter­mi­na­tion to col­lect data.

“My sense is that peo­ple have over-read what the White House has said on en­cryp­tion,” says Robert Knake, a se­nior fel­low at the Coun­cil on For­eign Re­la­tions and a for­mer White House di­rec­tor of cy­ber­se­cu­rity pol­icy. “They said they wouldn’t seek to leg­is­late back­doors in th­ese tech­nolo­gies. They didn’t say they wouldn’t try to ac­cess the data in other ways.”

What the court is order­ing Ap­ple to do, se­cu­rity ex­perts say, doesn’t re­quire the com­pany to crack its own en­cryp­tion—which the com­pany says

it can’t. In­stead, the or­der re­quires Ap­ple to build a pro­gram that can change the per­ma­nently in­stalled “firmware” on iPhones and iPads, giv­ing in­ves­ti­ga­tors un­lim­ited guesses at the ter­ror sus­pect’s PIN code with high-pow­ered com­put­ers. Nor­mally, iPhones let users with sen­si­tive data set their devices to erase them­selves af­ter 10 con­sec­u­tive failed lo­gins.

Knake says the U.S. Depart­ment of Jus­tice’s nar­rowly crafted re­quest shows the FBI pos­sesses a deep enough un­der­stand­ing of Ap­ple’s se­cu­rity sys­tems that it’s iden­ti­fied po­ten­tial vul­ner­a­bil­i­ties that of­fer ac­cess to data the com­pany has pre­vi­ously said it can’t get.

NSC spokesman Mark Stroh de­clined to com­ment on the memo. But he pro­vided a state­ment from a se­nior Obama ad­min­is­tra­tion of­fi­cial as­sert­ing that it may be pos­si­ble to limit the vul­ner­a­bil­i­ties added by the govern­ment’s ac­cess to pro­tected data.

The peo­ple fa­mil­iar with the coun­teren­cryp­tion di­rec­tive say the NSC’s Deputies Com­mit­tee ap­proved it unan­i­mously. While the com­mit­tee’s ros­ter changes de­pend­ing on the sub­ject mat­ter, it typ­i­cally in­cludes at least a dozen sub­cab­i­net-level of­fi­cials, among them the deputy at­tor­ney gen­eral, the vice chair­man of the Joint Chiefs of Staff, and the deputy na­tional se­cu­rity ad­viser.

Sil­i­con Val­ley and Wash­ing­ton have nursed a mu­tual dis­trust over en­cryp­tion for more than two decades. In the 1990s the Clin­ton ad­min­is­tra­tion tried and failed to in­stall a back­door in telecom­mu­ni­ca­tions net­works. In that case the NSA de­vel­oped a tech­nol­ogy called the Clipper Chip, meant to be in­stalled in all U.S. phones, faxes, and com­puter modems as an en­cryp­tion tool with a govern­ment back­door. Se­cu­rity ex­perts found ways to hack the chip and as­sailed it as a vi­o­la­tion of pri­vacy. Ul­ti­mately it wasn’t adopted.

The U.S.’s in­sis­tence on find­ing ways to tap into en­crypted data con­flicts with con­sumers’ grow­ing de­mands for pri­vacy, says Ken Silva, for­mer tech­ni­cal di­rec­tor of the NSA and cur­rently a vice pres­i­dent at data man­ager Ionic Se­cu­rity. “The govern­ment’s go­ing to

have to get over it,” Silva says. “We had this fight 20 years ago. While I re­spect the job they have to do and I know how hard the job is, the pri­vacy of that in­for­ma­tion is very im­por­tant to peo­ple.”

The FBI will al­most cer­tainly seek more money and ex­panded le­gal au­tho­riza­tion to track sus­pects and ac­cess en­crypted data be­yond San Bernardino, with­out the in­volve­ment of com­pa­nies that make the tech­nolo­gies, sev­eral ex­perts say. In­tel­li­gence ser­vices al­ready have so­phis­ti­cated tools for crack­ing en­cryp­tion, and the White House’s ef­forts will likely lead to broader use of those tech­niques through­out the govern­ment, even in or­di­nary crim­i­nal in­ves­ti­ga­tions that don’t in­volve for­eign in­tel­li­gence or na­tional se­cu­rity.

Ap­ple in­fu­ri­ated law en­force­ment when it an­nounced in 2014 that it would en­crypt data stored on users’ iPhones and iPads with a PIN code even the com­pany it­self couldn’t crack. Be­fore then, the FBI and lo­cal po­lice rou­tinely sent seized devices to Ap­ple to ex­tract data rel­e­vant to their in­ves­ti­ga­tions.

Cre­at­ing hack­ing tools is sim­ply a mat­ter of money and fo­cused ef­fort, says Ja­son Sy­versen, a for­mer man­ager of ad­vanced cy­ber­se­cu­rity pro­grams at the De­fense Ad­vanced Re­search Projects Agency. “My guess is you could spend a few mil­lion dol­lars and get a ca­pa­bil­ity against An­droid, spend a lit­tle more and get a ca­pa­bil­ity against the iPhone. For un­der $10 mil­lion, you might have ca­pa­bil­i­ties that will work across the board,” says Sy­versen, now CEO and co-founder of cy­ber­se­cu­rity con­trac­tor Siege Tech­nolo­gies.

Ap­ple of­fi­cials ap­peared to be­lieve their en­hanced en­cryp­tion would end the ef­forts of any govern­ment to com­pro­mise the se­cu­rity of their cus­tomers. In­stead, the FBI has out­lined in court doc­u­ments sev­eral ways to by­pass that en­cryp­tion. “Ap­ple has two op­tions now: They can go back to the judge and say this isn’t pos­si­ble. Or they can ser­vice the war­rant,” says James Lewis, a se­nior cy­ber­se­cu­rity fel­low at the Cen­ter for Strate­gic and In­ter­na­tional Stud­ies in Wash­ing­ton. “I don’t think they can say it’s not pos­si­ble, be­cause it looks like it is.”

The bot­tom line A con­fi­den­tial NSC memo shows that the govern­ment wasn’t se­ri­ous about back­ing off its en­cryp­tion-break­ing ef­forts.

Newspapers in English

Newspapers from Australia

© PressReader. All rights reserved.