Silicon Valley: Crypto Debate Continues
Highlights from ISMG's San Francisco Fraud and Breach Prevention Summit

Despite the recent move to put the FBI-obtained court order against Apple on hold, the crypto debate is far from over. So said a panel of experts at Information Security Media Group's Fraud and Breach Prevention Summit, held March 22-23 in San Francisco (see Feds Obtain Delay in Apple Hearing).
Sessions at the summit focused on a number of topics, ranging from the fight against malware and fraud to new trends in spotting and stopping network intrusions and data exfiltration.
But one of the hottest sessions was the closing panel on the Apple versus FBI debate, which I moderated. The discussion didn't seem blunted at all by Judge Shari Pym granting a Department of Justice request to delay - and potentially dismiss - her order for Apple to assist the FBI in unlocking an iPhone 5C issued to San Bernardino shooter Syed Rizwan Farook. Federal officials requested the delay because the FBI says it may have found a way to unlock the phone without Apple's assistance.
Supervisory Special Agent Elvis Chan, who's part of the FBI's San Francisco division, emphasized early in the panel how his bureau training began: by literally swearing to uphold the Constitution, including Fourth Amendment protections against "unreasonable searches and seizures." Speaking as a front-line investigator, he noted that complex, cybercrime-related search warrants may take months to complete. And he said it was in everyone's interest to know what type of information can - or cannot - be the subject of a search warrant or court order so that agents can follow the rules as well as focus their energy appropriately. "We're human beings, we're not Big Brother," he said.
Similarly, Scott Swantner, director for global security at Western Union Digital Ventures, urged greater cooperation between the private sector and law enforcement agencies, for example, via the FBI's InfraGard. Swantner, who until recently was a U.S. Secret Service agent, also spoke of investigators' frustration when faced with encrypted data during the course of an investigation and worried about the hit to productivity if more and more data were to become encrypted.
'Extraordinary Access' Problems
In contrast to the investigators' experience, attorney Mark Mao, a Troutman Sanders partner who co-chairs the firm's data privacy practice, said that related crime-fighting crypto proposals offered by FBI Director James Comey and some members of Congress involve seeking a backdoor - a.k.a. "extraordinary access" capability - or else keeping copies of cryptographic keys, via what's known as key escrow, which would be obtainable with a warrant.
But Mao said that so-called backdoors create vulnerabilities that anyone could - and likely would - target. In a nutshell, that's because cryptography works by multiplying together two incredibly large prime numbers, he said. Using shorter numbers to make a cryptographic key easier to crack for law enforcement agencies would mean it would be just as easy for cybercriminals to crack, thus imperiling communications and intellectual property, as well as e-commerce and banking transactions. Meanwhile, key escrow, many panelists agreed, would create a "single point of failure" that attackers would obviously target.
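The description of cryptography in the preceding paragraph is that of RSA in particular, where the public modulus is the product of two large primes and recovering the private key means factoring it. The toy below is an added example, not material from the panel or the article: it builds an RSA key pair from deliberately undersized primes and then plays the attacker, using Pollard's rho factoring to recover the private exponent from the public key alone. Nothing in the attack depends on who runs it, and the iteration counts reported for 32-, 48- and 64-bit moduli show how quickly "a bit shorter" becomes "trivially broken". The function names and parameters are this example's own; real RSA deployments use 2048-bit or larger moduli, against which this attack is infeasible, and real schemes add padding that this toy omits.

```python
"""Added example (not from the ISMG panel or article): a toy RSA key whose modulus
has been made 'crackable' by shrinking the primes.  Whoever does the factoring,
a law enforcement agency or a criminal, recovers the private key the same way."""
import math
import random


def is_probable_prime(n, rounds=16, rng=random.Random(0)):
    """Miller-Rabin primality test (seeded RNG so the demo is reproducible)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def random_prime(bits, rng):
    """Return a random prime with exactly `bits` bits (top bit forced on, odd)."""
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand


def keygen(bits, seed=1, e=65537):
    """Toy RSA keygen: modulus of about `bits` bits from two `bits // 2`-bit primes.
    Returns ((n, e), d).  The `bits` parameter is the 'make it crackable' knob."""
    rng = random.Random(seed)
    while True:
        p = random_prime(bits // 2, rng)
        q = random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            break
    return (p * q, e), pow(e, -1, phi)


def pollard_rho(n):
    """Pollard's rho factoring with Floyd cycle detection.  Returns (factor, iterations).
    Expected work grows roughly with n ** (1/4): every 4 bits shaved off the modulus
    halves the attacker's effort, and that holds for every attacker alike."""
    if n % 2 == 0:
        return 2, 0
    c = 1
    while True:
        x = y = 2
        d = 1
        iterations = 0
        while d == 1:
            x = (x * x + c) % n
            y = (y * y + c) % n
            y = (y * y + c) % n
            d = math.gcd(abs(x - y), n)
            iterations += 1
        if d != n:
            return d, iterations
        c += 1  # cycle closed without a factor; retry with a different polynomial


def recover_private_key(pub):
    """The attacker's step: factor n, rebuild d from (n, e).  Returns (d, iterations)."""
    n, e = pub
    p, iterations = pollard_rho(n)
    q = n // p
    return pow(e, -1, (p - 1) * (q - 1)), iterations


def demo(bits=64, message=0xC0FFEE):
    """Encrypt under a weakened key, then recover the key and the plaintext as an outsider."""
    pub, d = keygen(bits)
    n, e = pub
    ciphertext = pow(message, e, n)
    d_recovered, iterations = recover_private_key(pub)
    return {
        "modulus_bits": n.bit_length(),
        "rho_iterations": iterations,
        "key_recovered": d_recovered == d,
        "plaintext_recovered": pow(ciphertext, d_recovered, n) == message,
    }


if __name__ == "__main__":
    for bits in (32, 48, 64):
        print(demo(bits))
```

Running the script prints one line per key size; the iteration count climbs by roughly a factor of 16 for each 16 bits added to the modulus, which is exactly the curve a "law-enforcement-friendly" key length would have to be placed on, and exactly the curve every other attacker would then enjoy as well.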
Backdoors could also be bad for the U.S. technology sector, panelists warned. Representing Silicon Valley, Jim Pflaging, the global lead for the technology sector and business strategy practice at the Chertoff Group, referenced an encryption white paper his firm released in time for this year's RSA Conference. The paper concludes "that an extraordinary access requirement is likely to have a negative impact on technological development, the United States' international standing, and the competitiveness of the U.S. economy and will have adverse long-term effects on the security, privacy and civil liberties of citizens" (see Crypto Review: Backdoors Won't Help).
Panel participants also discussed the question of whether a court could order Apple to create a special, backdoored version of iOS - dubbed FBiOS by some - that would allow it to get access to any device. But panelist Joseph Burton, a partner at the law firm Duane Morris who specializes in information security law, said there was no legal precedent for the U.S. government being able to force a technology company to write code of the government's choosing, whatever the time or cost involved. He added that attempting to do so would, in fact, seem to violate the 1994 Communications Assistance for Law Enforcement Act, known as CALEA (see Apple Accuses DOJ of Constitutional, Technical Ignorance).
'Going Dark' Alarmism
Everyone on the panel agreed that U.S. firms want to help U.S. law enforcement agencies stop bad guys. But Mao said that the debate needs to be framed in a different way. Indeed, many panelists noted that the "going dark" alarmism about terrorist risks advanced by some law enforcement agency chiefs isn't conducive to fostering a closer working relationship between private businesses and law enforcement agencies.
"There's been lots of focus on what Apple won't do, and what the technology community doesn't want to do," Chertoff Group's Pflaging told me following the panel. But the more constructive approach, he argued, would be to ask of industry: "What can they do?"
While the Justice Department may no longer attempt to force Apple to help it bypass security features built into one of its devices, the related questions still remain unanswered, the panelists agreed (see Legal Issues Persist as FBI Backs Off in iPhone Case).
"It's disappointing that the can has been kicked down the road," the FBI's Chan said.