It seems Silicon Valley underestimated just how much the feds want that backdoor key
▶ Months ago, the White House said it would stand down on encryption backdoors. Whoops ▶ “The government’s going to have to get over it. We had this fight 20 years ago”
Silicon Valley celebrated last fall when the White House said it wouldn’t seek legislation forcing technology makers to install software “backdoors”— secret listening posts investigators could use to snoop on text messages, video chats, and other encrypted data. But while the companies may have thought that was the final word, the government was already working on a broad set of new ways to access information under digital lock and key.
In a secret meeting convened by the White House around Thanksgiving, senior national security officials ordered federal agencies to find ways to counter encryption software and gain access to the most heavily protected user data on the most secure consumer devices, which would include Apple’s iPhone, say two people familiar with the decision.
The order was formalized in a confidential National Security Council memo outlining priorities and timetables. The memo directs government agencies to estimate how much money they’d need to develop new counterencryption techniques and to identify laws they may need changed to make more digital files accessible by intelligence and law enforcement agencies. The NSC decision shows the government was privately honing its weapons against Silicon Valley’s popular products despite public signs of rapprochement.
On Feb. 16 the public got its first glimpse of what those weapons may look like. A federal judge ordered Apple to create a special tool that would allow the FBI to bypass security protections on an iPhone 5C that belonged to one of the shooters in the Dec. 2 terrorist attack in San Bernardino, Calif., which killed 14 people. Apple Chief Executive Officer Tim Cook has vowed to fight the order, calling it a “chilling” demand that Apple “hack our own users and undermine decades of security advancements that protect our customers.” The order wasn’t a direct outcome of the memo, but it’s in line with the broader government strategy.
White House spokesman Josh Earnest says the government wants access to just one device and isn’t asking for a broader redesign or security hole. (The problem with backdoors in computer systems is they’re easy for hackers to exploit.) But security specialists say the case carries enormous consequences for privacy and the competitiveness of U.S. businesses—and that the previously unreported NSC directive shows tech companies underestimated the government’s determination to collect data.
“My sense is that people have over-read what the White House has said on encryption,” says Robert Knake, a senior fellow at the Council on Foreign Relations and a former White House director of cybersecurity policy. “They said they wouldn’t seek to legislate backdoors in these technologies. They didn’t say they wouldn’t try to access the data in other ways.”
What the court is ordering Apple to do, security experts say, doesn’t require the company to crack its own encryption—which the company says
it can’t. Instead, the order requires Apple to build a program that can change the permanently installed “firmware” on iPhones and iPads, giving investigators unlimited guesses at the terror suspect’s PIN code with high-powered computers. Normally, iPhones let users with sensitive data set their devices to erase themselves after 10 consecutive failed logins.
Knake says the U.S. Department of Justice’s narrowly crafted request shows the FBI possesses a deep enough understanding of Apple’s security systems that it’s identified potential vulnerabilities that offer access to data the company has previously said it can’t get.
NSC spokesman Mark Stroh declined to comment on the memo. But he provided a statement from a senior Obama administration official asserting that it may be possible to limit the vulnerabilities added by the government’s access to protected data.
The people familiar with the counterencryption directive say the NSC’s Deputies Committee approved it unanimously. While the committee’s roster changes depending on the subject matter, it typically includes at least a dozen subcabinet-level officials, among them the deputy attorney general, the vice chairman of the Joint Chiefs of Staff, and the deputy national security adviser.
Silicon Valley and Washington have nursed a mutual distrust over encryption for more than two decades. In the 1990s the Clinton administration tried and failed to install a backdoor in telecommunications networks. In that case the NSA developed a technology called the Clipper Chip, meant to be installed in all U.S. phones, faxes, and computer modems as an encryption tool with a government backdoor. Security experts found ways to hack the chip and assailed it as a violation of privacy. Ultimately it wasn’t adopted.
The U.S.’s insistence on finding ways to tap into encrypted data conflicts with consumers’ growing demands for privacy, says Ken Silva, former technical director of the NSA and currently a vice president at data manager Ionic Security. “The government’s going to
have to get over it,” Silva says. “We had this fight 20 years ago. While I respect the job they have to do and I know how hard the job is, the privacy of that information is very important to people.”
The FBI will almost certainly seek more money and expanded legal authorization to track suspects and access encrypted data beyond San Bernardino, without the involvement of companies that make the technologies, several experts say. Intelligence services already have sophisticated tools for cracking encryption, and the White House’s efforts will likely lead to broader use of those techniques throughout the government, even in ordinary criminal investigations that don’t involve foreign intelligence or national security.
Apple infuriated law enforcement when it announced in 2014 that it would encrypt data stored on users’ iPhones and iPads with a PIN code even the company itself couldn’t crack. Before then, the FBI and local police routinely sent seized devices to Apple to extract data relevant to their investigations.
Creating hacking tools is simply a matter of money and focused effort, says Jason Syversen, a former manager of advanced cybersecurity programs at the Defense Advanced Research Projects Agency. “My guess is you could spend a few million dollars and get a capability against Android, spend a little more and get a capability against the iPhone. For under $10 million, you might have capabilities that will work across the board,” says Syversen, now CEO and co-founder of cybersecurity contractor Siege Technologies.
Apple officials appeared to believe their enhanced encryption would end the efforts of any government to compromise the security of their customers. Instead, the FBI has outlined in court documents several ways to bypass that encryption. “Apple has two options now: They can go back to the judge and say this isn’t possible. Or they can service the warrant,” says James Lewis, a senior cybersecurity fellow at the Center for Strategic and International Studies in Washington. “I don’t think they can say it’s not possible, because it looks like it is.”
The bottom line A confidential NSC memo shows that the government wasn’t serious about backing off its encryption-breaking efforts.