
Opinion: Why the FBI will eventually reveal its iPhone hack to Apple

Because of a two-year-old policy known as the Vulnerabilities Equities Process, the government may be compelled to disclose the flaw it is attempting to use for unlocking the San Bernardino shooter's iPhone.

Photo: The new iPhone SE displayed at an Apple launch event at the company's Cupertino, Calif., headquarters. (Stephen Lam/Reuters)

The FBI has hit the pause button in its battle royale with Apple over the iPhone used by San Bernardino, Calif., gunman Syed Rizwan Farook. In a twist to the intense legal drama, an unknown "third party" may have a way to hack the phone.

If it turns out the bureau can successfully crack the iPhone after all, will it reveal the software vulnerability to Apple?

It may seem unlikely. After all, why would the FBI buy such a capability only to give it up? There are no laws forcing its hand, and the FBI has no more commitment to Apple than other government organizations, such as the National Security Agency, that collect arsenals of software vulnerabilities.

But based on a two-year-old policy, the FBI and the Department of Justice are subject to what's known as the White House Vulnerabilities Equities Process, or VEP, which kicks in whenever an agency comes across "newly discovered" vulnerabilities, called zero-days.

The VEP is meant to be a "disciplined, rigorous, and high-level decisionmaking process" so that the National Security Council can balance the benefits to law enforcement or intelligence of using the bug against the broader security value of protecting industry and consumers.

According to the policy document made available through a Freedom of Information Act request, the VEP "applies to all components, civilian and military personnel, and contractors of the United States government." The FBI can't find much of a loophole there.

Nor is there a loophole in claiming that the iPhone bug is somehow not "newly discovered." Even if the third-party hackers helping the FBI have known about it for some time, it is new to the US government.

With everything we know about the Apple v. FBI iPhone battle, it is hard to see the White House letting the FBI off the hook easily. Doing so would set a dangerous precedent, giving the National Security Agency, the CIA, and others more reasons to delay or obfuscate.

The VEP Equities Review Board, headed by White House cybersecurity czar Michael Daniel, should make the call on whether, or when, to disclose the bug to Apple. According to that document, the Equities Review Board seeks to answer the following questions:

  1. How much is the vulnerable system used in the core Internet infrastructure, in other critical infrastructure systems, in the US economy, and/or in national security systems?
  2. Does the vulnerability, if left unpatched, impose significant risk?
  3. How much harm could an adversary nation or criminal group do with knowledge of this vulnerability?
  4. How likely is it that we would know if someone else was exploiting it?
  5. How badly do we need the intelligence we think we can get from exploiting the vulnerability?
  6. Are there other ways we can get it?
  7. Could we utilize the vulnerability for a short period of time before we disclose it?
  8. How likely is it that someone else will discover the vulnerability?
  9. Can the vulnerability be patched or otherwise mitigated?

The answers to several of these questions, chiefly those about the broader harm that could come from a flaw in the iPhone, suggest the government would be driven to disclose the security hole to Apple. Unpatched iPhones pose a serious risk, allowing other nations or criminal groups to cause significant harm to consumers. Moreover, the bug won't stay secret for long, certainly not with the media attention on this single phone.

The FBI could try out the vulnerability to see if it unlocks the phone used by Mr. Farook, and potentially other phones the FBI has said it wants to unlock, before revealing the flaw to Apple.

That's probably the fairest way to handle this particular vulnerability. The FBI probably won't like it. And Apple will discover a bug courtesy of the federal government, all the better since the company does not pay the researchers who uncover its software flaws.

But even though the FBI may have to reveal the apparent gift from its "third party" helper, that doesn't mean the agency should stop seeking out zero-days for when it may need them again. Discovering new vulnerabilities for temporary use is how everyone, from hackers and security researchers to intelligence agencies, plays the game. If the FBI wants to join the field, it can't claim special privilege any more than the NSA can.

In short, if the FBI uses a zero-day to access the terrorist's iPhone, neither the bureau nor the US government as a whole is legally required to tell Apple how it was done. But if they follow the White House's own policy, it appears they should.

Jason Healey is senior research scholar at Columbia University's School of International and Public Affairs and senior fellow at the Atlantic Council. He began his career as a US Air Force signals intelligence officer in Alaska, at the NSA, and at the Pentagon. Follow him on Twitter.

/World/Passcode/2016/0325/Opinion-Why-the-FBI-will-eventually-reveal-its-iPhone-hack-to-Apple