with Tonya Riley
Attorney General William P. Barr just ratcheted up the government’s fight against encryption.
Barr slammed Apple for its apparent refusal to help unlock unlock the devices of a Saudi air force student who opened fire last year at a U.S. military base in Pensacola, Fla. He said the strong encryption meant it took law enforcement five months to access evidence tying the shooter, Ahmed Mohammed al-Shamrani, to the terrorist group al-Qaeda in the Arabian Peninsula.
Barr presented the case as proof positive that the longstanding refusal by Apple and other tech firms to build in law enforcement access to encrypted communications is endangering Americans’ safety by allowing terrorists to recruit and plan operations in digital secrecy. Information on the devices helped launch a counterterrorism operation against an associate of Alshamrani in Yemen, Abdullah al-Maliki, Devlin Barrett reports.
“The bottom line: Our national security cannot remain in the hands of big corporations who put dollars over lawful access and public safety,” he said in a statement. “The time has come for a legislative solution.”
But Apple and other defenders of encryption drew the opposite conclusion about the case.
They focused on the fact that the FBI was able to ultimately get the information it needed without Apple’s help. This, they say, proves there’s no need for Apple or other companies to give law enforcement a backdoor into its encryption – which, they say, would make everyone using these devices vulnerable to criminal hackers or U.S. adversaries, and make American products less competitive on the world stage.
“It is because we take our responsibility to national security so seriously that we do not believe in the creation of a backdoor — one which will make every device vulnerable to bad actors who threaten our national security and the data security of our customers,” the company said. “There is no such thing as a backdoor just for the good guys, and the American people do not have to choose between weakening encryption and effective investigations.”
The case provides a stunning example of how far apart the two sides have become in six years of battle.
Barr didn’t say how the FBI got into the Pensacola shooter’s phone, but it was likely with the help of a company that offers hacking tools that exploit bugs that Apple doesn’t know about.
In many cases those tools can break through powerful encryption that shields people’s digital communications even from the company that runs the communications platform.
“This is just confirmation that the FBI and the Justice Department have long had the ability to get into these phones. It just takes time and resources,” Hannah Quay-de la Vallee, senior technologist at the Center for Democracy and Technology think tank, told me.
Many encryption advocates say the FBI should focus on beefing up its resources to do this faster, versus forcing the companies to undermine their own security.
This marks the second time federal investigators have sought Apple’s help cracking into an encrypted iPhone but ultimately got in on their own.
The FBI went to court in 2015 to try to force Apple to help it access the contents of an encrypted iPhone used by San Bernardino, Calif., shooter Syed Farook. But the bureau dropped its efforts when an unnamed company offered a hacking tool that could break in without Apple’s assistance.
Nevertheless, Barr and other law enforcement officials repeatedly called on Apple to help break through its encryption in the Pensacola case. At the same time, they acknowledged they’d largely given up on tech companies helping them voluntarily with encryption and were focusing on seeking legislation that forces companies to cooperate instead.
Encryption defenders accused DOJ of using the Pensacola case to undermine confidence in the security protection.
“Every time there’s a traumatic event requiring investigation into digital devices, the Justice Department loudly claims that it needs backdoors to encryption, and then quietly announces it actually found a way to access information without threatening the security and privacy of the entire world,” American Civil Liberties Union Senior Staff Attorney Brett Max Kaufman said in a statement.
“The boy who cried wolf has nothing on the agency that cried encryption.”
But law enforcement defenders say the fact the FBI ultimately got into the phones doesn’t make up for the long delay.
“How would you have felt if it took us five months to figure out who flew into the World Trade Center?” former National Security Agency general counsel Stewart Baker told me. “That’s an unacceptable price to pay in a terrorism investigation and in many law enforcement investigations where capturing a kidnapper or murderer is going to be almost impossible after five months.”
Sen. Tom Cotton (R-Ark.) thrashed Apple on Twitter, accusing the company of “siding with terrorists over law enforcement”:
Despite Apple’s stonewalling, the FBI was finally able to access critical data from the iPhone of a terrorist. I applaud their determination & hard work. But it’s work that wouldn’t need to be done if Apple would ‘Think Different’ about siding with terrorists over law enforcement https://t.co/1eDehIou95
— Tom Cotton (@SenTomCotton) May 18, 2020
Proponents of law enforcement access to encryption say the tide is turning their way.
They point to a slew of scandals at major tech companies since 2016 that has stoked public distrust.
Barr and other top Justice Department officials have also refocused many of their public arguments on how encrypted systems allow extensive sharing of child pornography and other material that exploits children, which has helped rally support in Congress. A bill with bipartisan support would remove tech companies’ liability shield for what their users share and post if they don’t follow a new set of rules that could include weakening encryption.
“There is a growing lack of patience among people who are not already ideologically committed to Silicon Valley on this issue,” Baker told me. “I’m of the opinion that Apple’s position doesn’t get stronger over time because the number of people whose lives have been touched in a way their encryption policies makes worse continues to grow.”
The coronavirus crisis could give a boost for the anti-backdoor movement.
Public support for strong encryption might be strengthened as Americans are even more reliant on the Internet and their personal devices during the coronavirus pandemic.
“The value of encryption grows as more of our lives move online and you just can’t not be online now,” Quay-de la Vallee told me. “So, the question of what’s the value of encryption just becomes clearer every day.”
Israel was responsible for a cyberattack that brought an Iranian port to a standstill this month, U.S. officials say.
The attack was presumably carried out in retaliation for an attempted hack into Israeli rural water distribution systems earlier this month, officials familiar with the matter told Joby Warrick and Ellen Nakashima.
If Israel was behind the attacks, it could lead to a dangerous escalation in hacking conflict between the regional enemies, Joby and Ellen report.
Officials also say the attack on Iran was more damaging than official accounts suggested. “There was total disarray,” said one official, who spoke on the condition that his identity and national affiliation not be revealed, citing the highly sensitive nature of the intelligence.
“Assuming it’s true, this is in line with Israeli policy of aggressively responding to Iranian provocation, either kinetically or through other means. Any time you see Iranian escalation… you have consistently seen Israeli retaliation,” said Dmitri Alperovitch, a cybersecurity policy fellow at the Harvard Belfer Center and founder and former chief technology officer of cybersecurity firm CrowdStrike.
Sen. Marco Rubio’s temporary appointment as Senate Intelligence Committee chair puts a China hawk in the pivotal post.
Rubio (R-Fla.) has pushed legislation to block U.S. relations with Huawei and other Chinese firms over spying concerns and clashed with the administration over its lax enforcement of policies to blacklist Huawei.
Vice Chairman Mark Warner (D-Va.), who has worked with Rubio on legislation to prevent Chinese security threats, commended his appointment. Reuters’s Jonathan Landay:
SSCI Vice Chairman Mark Warner: “Senator Rubio has been a great partner on intelligence and national security issues and I look forward to working with him in his new role as Acting Chairman.”
— Jonathan Landay (@JonathanLanday) May 18, 2020
Senate Majority Leader Mitch McConnell (R-Ky.) appointed Rubio after Sen. Richard Burr (R-N.C.) temporarily stepped down from the post last week while he’s being investigated for questionable stock trades during the pandemic. Rubio’s first major task will be running a committee vote today on President Trump’s nominee for director of national intelligence, Rep. John Ratcliffe (R-Tex.), Donna Cassata reports.
The Trump administration’s strongest move yet to rein in Huawei may still not be effective.
The administration’s order restricts global computer chip suppliers with U.S. ties from selling to Huawei, but companies can easily get around the rules, China experts told Bob David and Dan Strumpf at the Wall Street Journal.
For instance, those companies could sell chips to Huawei suppliers rather than directly to the Chinese telecom itself. An earlier Commerce Department ban on U.S. companies selling to Huawei also had less impact than expected.
Huawei lambasted the new rule yesterday as “arbitrary and pernicious” and claimed it would put maintenance and expansion of the company’s global networks on hold.
Securing the ballot
New Jersey will not use Internet-based voting in its July primary after piloting it this month.
State officials announced the decision during a hearing yesterday, according to Penny Venetis, the lead attorney for activists challenging the use of such tools.
The New Jersey secretary of state’s office did not respond to an email asking to confirm the decision. New Jersey is among three states that announced plans to pilot Internet voting systems during primaries this year, despite experts’ warnings the systems are highly vulnerable to hacking.
New Jersey’s online system was made available to voters with disabilities in local elections earlier this month, but only one person actually used it to vote, state officials said, according to Venetis, who directs Rutgers University Law School’s International Human Rights Clinic.
HHS is loosening data security requirements for community-based coronavirus testing sites.
The Health and Human Services Department will have more discretion in deciding whether to fine community-based testing sites if they expose user data collected for covid-19 testing purposes, according to a notice posted in the Federal Register. The agency still strongly recommends providers take reasonable precautions including using secure technology to transmit medical records, the notice states.
More government news:
Hackers are targeting an ever-broader array of industries as traditional targets get better at defense, Verizon finds.
Hackers have spent decades trying to steal data from banks and financial services firms but are now expanding to industry sectors that haven’t spent as much effort improving their digital defenses, according to the company’s 2020 Data Breach Investigations Report. Some examples include education services and the hospitality industry.
“There are certain industries where cybersecurity is not as much of a priority because they’ve not been in the crosshairs in the past,” John Loveland, Verizon’s global head of cyebrscurity strategy and marketing, told me.
Verizon also found that money was the prime motivator for more than 80 percent of hacks last year compared with espionage or political motivations. Here’s more on the report from Reuters and CyberScoop.
Brevity is the soul of bits, after all. Yale law professor Scott Shapiro:
Amazing that Shakespeare wrote the line “full of sound and fury, signifying nothing” and he never read an article about cyber strategy
— Scott Shapiro, Grandma Killer (@scottjshapiro) May 17, 2020
- The Center for Strategic and International Studies will host an online event “Who Makes Cyberspace Safe for Democracy?” today at 12:30 p.m.
- The Senate Commerce Committee will mark up the CYBER LEAP Act on Wednesday at 10 a.m.
- The Tech, Law and Security program at the American University Washington Collect of Law and R Street Institute will host a virtual discussion on the challenge of alternative voting systems during the pandemic Wednesday at 2 p.m.
Secure log off
Here’s a cooking “hack” for you 🙂