The FBI needs better hackers to solve encryption standoff, research says
Tech companies and privacy advocates are strongly opposed to proposals by the FBI and others to mandate government access to encrypted communications. But one expert says there may be another way to solve the feud.
In the high-profile standoff over cracking the San Bernardino shooter's iPhone, Apple and other major American tech companies made it clear that they wouldn’t build special access for the US government – or anyone else – into their products.
But one leading cybersecurity expert says there's another way for law enforcement to get the content they need for their criminal and terrorist investigations, without compromising the security of the millions of other consumers who also use those products.
Susan Landau, a professor of cybersecurity policy at Worcester Polytechnic Institute, says in a new paper released Thursday that the FBI and other domestic law enforcement agencies should double down on hiring government hackers and building in-house expertise to legally hack these devices when they have a warrant.
In a paper published in the journal Science, Ms. Landau argues that FBI investigators should take advantage of existing software vulnerabilities – rather than try to force companies to overhaul their systems to include a so-called government "backdoor" in their products, which she says would have a "devastating" effect on consumer security.
"When law enforcement says that they absolutely must have content, then lawful hacking provides a way to get there," Landau told Passcode.
The FBI ended up relying on this strategy during the legal standoff with Apple. The Justice Department dropped its case against Apple in March, after the bureau hired still-unnamed hackers to find a way around the security measures on the iPhone 5c used by one of the San Bernardino shooters who killed 14 people in a winter terror attack.
Because those contracted hackers were successful, the government was able to access the contents of the suspect's phone – and Tim Cook, Apple's chief executive officer, avoided the possibility a court could force him to build a weaker version of his product that, in the wrong hands, could get around security measures on all sorts of Apple devices other than the one in police custody.
Now, Landau wants to see the government build up its own capabilities so it will rely less on third parties.
The FBI can do an end-run around encryption by heavily investing in court-approved lawful hacking capabilities, Landau says, such as installing remote surveillance software on computers and phones and hiring more agents with computer science backgrounds who fully understand the tools developed by FBI consultants.
This would be preferable, she insists, to the approach advocated by FBI Director James Comey and some key Senate leaders on Capitol Hill to mandate companies to have ways for agents to access encrypted content when they have a warrant. Landau agrees with the tech companies and privacy advocates who insist these kinds of channels would endanger consumer security by giving criminal hackers or other governments more avenues to try to exploit, spur consumers to lose trust in American business, and even expand government surveillance powers.
The FBI used hacking software as part of a 2003 investigation to gain access to the encrypted communications of animal rights activists the agency was investigating for sabotage of a company that tested pharmaceuticals on animals, according to The New York Times.
Stymied by the encryption that made the suspects' emails unreadable, a judge let the FBI install software on their computers from afar, which the Times says allowed them to intercept the conversations before they were sent – and encrypted.
It’s difficult to know how the FBI’s hacking capabilities have evolved since then, according to Landau. The bureau has fought to keep these kind of investigative techniques secret, she says.
Even so, the agency's insistence that it could not break into the San Bernardino iPhone without Apple's help – and its reliance on an outside company to finally crack it – suggests that it's behind the curve. "One can guess from the concerns that the FBI raises that it's behind. But one doesn't have explicit examples of that," Landau said.
For its part, the bureau is increasing its budget for lawful hacking operations. Currently, 11 FBI agents have a budget of $31 million to defeat encryption, anonymization, and similar challenges, Landau’s report said. The agency has requested an increase of funding to $38.3 million for 2017, but did not request any additional staff.
But these numbers seem paltry compared to funding for its other efforts. By comparison, Landau writes, the bureau currently devotes $297.8 million and 549 agents to physical surveillance.
The apparent lack of resources available for the FBI’s lawful hacking program might shed some light on why the FBI would prefer the companies take on the responsibility of building in access for the government, Landau says. "The inadequacy of the [lawful hacking] effort may go a long way toward explaining the FBI’s current view of encrypted communications and secured devices," she writes.
While many civil libertarians have publicly voiced their support of lawful government hacking as an alternative to forcing companies to build in backdoors, there could also be significant downsides to this approach, argued Benjamin Wittes, a senior fellow in governance studies at the Brookings Institute.
"Be careful what you wish for," Mr. Wittes wrote in a January analysis of lawful hacking proposals. Broad language in the federal Wiretap Act and Foreign Intelligence Surveillance Act, means the government might end up with significantly more power to demand companies assist in these kinds of investigations – including controversial tactics such as installing surveillance malware onto their users’ devices to monitor their activity.
"When civil libertarians and cryptographers talk about lawful hacking, what that may mean in practice is the government's commandeering companies into compromising their users' devices," Wittes wrote. "Is a regime in which companies may have to do these things better or worse from a civil liberties perspective than a regime under which they have to help with decryption?"
The FBI declined to comment on lawful hacking or on Landau’s report. However, Amy Hess, executive assistant director of the FBI’s science and technology branch, told a congressional committee in April that building up the agency’s hacking capabilities isn’t a long-term solution to the fact that agents are "going dark" in their pursuit of suspects due to widespread encryption.
"Identifying these vulnerabilities and developing lawful intercept or lawful access solutions can take an unacceptable amount of time, require significant skill and resources, and the results of these efforts can be ephemeral, at best," Hess told the House Committee on Energy and Commerce Subcommittee on Oversight and Investigation.
But Landau wants the bureau to aim higher. "The FBI must develop 21st Century investigative savvy," Landau concluded. "This will require government investment, but the alternative, of permitting bad actors to access our systems, is unacceptable."