Summary of the NSF Discussion on….
The Apple-FBI Encryption Dispute
with
Robert Gast and Tony Rucci
The National Security Forum hosted a most interesting discussion/debate on the standoff between the FBI and Apple over the locked iPhone formerly in the hands of the terrorists who committed the mass murders in San Bernardino. Former Assistant Director of the FBI, Robert Gast, laid out the Bureau’s position, while Tony Rucci, who has extensive experience in the U.S. Government counterintelligence community as well as the civilian IT world, initially presented the Apple position. They explained and discussed the technicalities involved, the dangers of unsecuring encrypted devices, and the implications for both national security and communications privacy.
The FBI and Apple have been locked in a strenuous dispute over Apple’s encryption of its iPhone devices. The terrorists had destroyed their personal phones; however, a work phone issued to one of the attackers by his employer was recovered intact (the phone was locked with a 4-digit password). The FBI sought and received orders from various United States courts, seeking to compel Apple “to use its existing capabilities to extract data” from locked iPhones; Apple continued to refuse to comply. Specifically, the court orders requested by the FBI sought to compel Apple to “design new software to let the Government circumvent the device’s security protocols and unlock the phone”.
President Obama laid out the stark choice here, asking “Can we strike a balance” between privacy and strong encryption on the one hand, and national security imperatives on the other? As the President stated, “If there is no way to gain access to new communications devices, then how do we solve or disrupt a terrorist plot?”
In the interim, the FBI said that a “third party” had come forward with a successful solution for unlocking the phone, and it has abandoned its attempt to force Apple to cooperate. Our two discussants generally agreed that the Israeli company, Cellebrite, with likely ties to Mossad, had devised a method to unencrypt the phone. Gast and Rucci agreed that while this single case is over, the larger questions still remain valid, principally the tension between our right to privacy and the need to provide security for the population.
Apple CEO Tim Cook stated that, while Apple respects the FBI, the request the Bureau made “threatens data security by establishing a precedent that the U.S. Government could use to force any technology company to create software that would undermine the security of its products”. In fact, following the cracking of this device, Cook says Apple will “make more of its devices and services inaccessible to law enforcement”.
The presentations and discussions were very thorough and interesting. However, due to the speakers’ current and former positions within both the intelligence/law enforcement communities and the IT sector, it was necessary to have this NSF session strictly “off the record”. To not do so would have greatly restricted the ability of the speakers to be candid and open regarding their observations and remarks. Sorry! But we can provide you with these insights:
Gast emphasized that investigations of terrorism groups are difficult in the best of times, and made more so if legal barriers inhibit law enforcement’s ability to protect the public. For example, these groups are very small, hard to penetrate, and hard to develop sources in. Access to communications data is, therefore, “vital to our efforts”, he added. Secondly, Gast stressed that he believes “the FBI is just as interested as anyone in protecting individual privacy, particularly in view of the fact that we have seen cases in the past die in court due to privacy concerns.” There are also strict procedural guidelines governing access to phones, Gast added, indeed for all types of communications, including review and approval at a number of levels prior to authorization. And finally, Gast underlined the fact that trust and cooperation by the public and corporations are essential to the FBI “if we are expected to be successful in discharging our many responsibilities.” A public dispute such as the one between Apple and the FBI does neither any good, with the real winner being the “bad guys”, who now have more information as to what the FBI can and cannot do in investigations.
Rucci stated that, while it’s certainly difficult to argue that the law enforcement community did anything inherently wrong in this matter insofar as their affidavit to the courts is concerned, he believes they felt they had no other recourse once they realized they were holding a self-destructing device in their possession and that, with every failed attempt to access it, their case might be losing valuable tactical intelligence. While the “All Writs Act” was a far reach in any sense of the argument, he thinks they felt it worthy of taking a shot, and all the courts could say was “No”. While the FBI was able to solicit the support of an external, private entity to gain access to the device in question, they quickly learned the technical process used doesn’t allow them gratis access to the multitude of other like devices in custody in evidence rooms across the country. Currently, their bypass solution only works for iPhone 5c and earlier models, so the target solution is limited in scope.
Now, the question is out there whether the FBI, with knowledge of a software/hardware vulnerability in Apple’s IP, will do the right thing and divulge the vulnerability and exploitation to Apple to afford them the opportunity to patch and issue protection to the millions of private citizens, organizations, and government entities currently using their vulnerable product. This is the expectation and norm in the tech industry… not to mention the responsible thing to do, Rucci added.