Loretta Lynch wades into Apple vs FBI, raising fundamental questions
As US Attorney General Loretta Lynch shared her thoughts Tuesday on the battle between Apple and the FBI, she spoke of some of the deeper issues at stake and the precedents that could be set as passions swirl around this single iPhone.
US Attorney General Loretta Lynch has waded into the melee surrounding Apple and the FBI, posing some fundamental questions about the issues at stake.
The comments, made Tuesday during the RSA cybersecurity conference in San Francisco, came the same day as a congressional hearing on the other side of the country, in which both Apple and the Federal Bureau of Investigation voiced their opinions.
During that session in Washington, FBI director James Comey claimed that “all parts of the US government” had been consulted in the effort to crack open the iPhone at the center of this storm – and none was able to help.
“Do we let one company decide this issue for all of us?” said the attorney general, in a Bloomberg interview at the RSA conference. “Do we want one company to say this is how investigations are going to be conducted and no other way?”
And so she drilled down to the heart of this debate, which goes far beyond a single iPhone, a single company, or even the FBI. The question is one of precedent, of how much access law enforcement agencies should be granted, both today and going forward.
Yet to portray the struggle as simply between privacy and security is to miss some of the most integral facets of the issues at stake, as Susan Landau, professor of cybersecurity policy at Worcester Polytechnic Institute, who gave evidence at Tuesday’s congressional hearing as a technical expert, tells The Christian Science Monitor in a telephone interview.
“This isn’t about security versus privacy, it’s security versus security,” says Dr. Landau. “There is a long queue of phones the FBI and state law enforcement agencies also want Apple to open. The problem with more than one is that you’ll need to set up a process, which doesn’t have the same level of scrutiny as a one-off or once-in-a-while event.”
With a process in place, it would then become easier for those engaged in organized crime, as well as nation states, to take advantage of weaknesses and gain access to devices.
This matters, says Landau, because phones are not just for photos or text messages. Increasingly, we access our email, our calendars – a whole plethora of personal and business-related information – as well as using mobile devices to assist in authentication.
“If you look at how systems are broken into, the most valuable thing to get hold of is log-in credentials,” Landau tells the Monitor. “What the FBI is pushing for will make phones less secure.”
Indeed, at the inaugural Usenix Enigma security conference in San Francisco at the end of January, Rob Joyce, chief of Tailored Access Operations at the National Security Agency, underscored the importance of log-in details as a means of access for hackers.
“In the world of advanced persistent threat actors (APT) like the NSA, credentials are king for gaining access to systems,” wrote Kim Zetter in Wired. “Not the login credentials of your organization’s VIPs, but the credentials of network administrators and others with high levels of network access and privileges that can open the kingdom to intruders.”
Moreover, as an illustration of the kind of chaos that can be unleashed when access information is acquired by those with dubious intentions, one only needs to consider a Department of Homeland Security report released on Feb. 25 about the cyberattack last year on Ukraine’s critical infrastructure:
“The companies believe that the actors acquired legitimate credentials prior to the cyber-attack to facilitate remote access.”
The issues at stake are complex but crucial. The outcome of the debate will “set a precedent for security of our citizens,” as Jamie Winterton, director of strategy for Arizona State University’s Global Security Initiative, wrote in the Monitor. “It’s healthy to have a vibrant debate about the iPhone case – and matters of privacy and national security more generally – but the way [some presidential] candidates have talked about risks is encouraging a toxic tug-of-war between government and tech.”
“No one benefits from animosity between the two,” she wrote. “But the country would also suffer if one were enslaved to the other.”