The FBI has hit the pause button in its battle royale with Apple over the iPhone used by San Bernardino, Calif., gunman Syed Rizwan Farook. In a twist to the intense legal drama, an unknown "third party" may have a way to hack the phone.
If it turns out the bureau can successfully crack the iPhone after all, will it reveal the software vulnerability to Apple?
It may seem unlikely. After all, why would the FBI buy such a capability only then to give it up? There are no laws forcing its hand, and the FBI has no more commitment to Apple than other government organizations, like the National Security Agency, that collect arsenals of software vulnerabilities.
But based on a two-year-old policy, the FBI and Department of Justice are subject to what's known as a White House Vulnerability Equities Process, or VEP, which kicks in whenever an agency comes across "newly discovered" vulnerabilities, called zero-days.
The VEP is meant to be a "disciplined, rigorous, and high-level decisionmaking process" so that the National Security Council can balance the benefits to law enforcement or intelligence of using the bug versus the broader security value of protecting industry and consumers.
According to documents made available through a Freedom of Information Act request, the VEP "applies to all components, civilian and military personnel, and contractors of the United States government." The FBI can’t find much of a loophole there.
Nor is there a loophole that the iPhone bug is somehow not "newly discovered." Even if the third-party hackers helping the FBI have known about it, it's new to the US government.
With everything we know about the Apple v. FBI iPhone battle, the White House will let the FBI off the hook very easily. That would set a dangerous precedent – giving the National Security Agency, CIA, and others more reasons to delay or obfuscate.
The VEP Equities Review Board, headed up by White House cybersecurity czar Michael Daniel, should make the call on whether – or when – to disclose the bug to Apple. According to Mr. Daniel, the VEP Equities Review Board seeks to answer the following questions:
- How much is the vulnerable system used in the core Internet infrastructure, in other critical infrastructure systems, in the US economy, and/or in national security systems?
- Does the vulnerability, if left unpatched, impose significant risk?
- How much harm could an adversary nation or criminal group do with knowledge of this vulnerability?
- How likely is it that we would know if someone else was exploiting it?
- How badly do we need the intelligence we think we can get from exploiting the vulnerability?
- Are there other ways we can get it?
- Could we utilize the vulnerability for a short period of time before we disclose it?
- How likely is it that someone else will discover the vulnerability?
- Can the vulnerability be patched or otherwise mitigated?
The answers to several of these questions – chiefly when it comes to the broader harm that could come from a flaw in the iPhone – seem to indicate the government would be driven to disclose the security hole to Apple. Unpatched iPhones pose a serious risk – allowing other nations or criminal groups to cause significant harm to consumers. Moreover, the bug won’t stay secret for long, certainly not with the media attention on this single phone.
The FBI could try out the vulnerability to see if it unlocks the phone used by Mr. Farook, and potentially many other phones the FBI has said it wants to unlock, before revealing the flaw to Apple.
That's probably the fairest way to handle this particular vulnerability. The FBI probably won't like it. And Apple will discover a bug courtesy of the federal government – all the better since the company does not reward hackers who uncover its software flaws.
But even though the FBI may have to reveal the apparent gift from its "third party" helper, it doesn't mean the agency should stop seeking out zero-days for when it may need them again. Discovering new vulnerabilities for temporary use is how everyone, from hackers and security researchers to intelligence agencies, plays the game. If the FBI wants to join the field, it can’t claim special privilege any more than the NSA.
In short, if the FBI uses a zero-day to access the terrorist’s iPhone, neither it nor the US government as a whole must tell Apple about how it was done. But if they follow the White House’s own policy, it appears they should.
Jason Healey is senior research scholar at Columbia University’s School of International and Public Affairs and senior fellow at the Atlantic Council. He began his career as a US Air Force signals intelligence officer in Alaska, NSA, and the Pentagon. Follow him on Twitter @Jason_Healey.