Under the U.S. vulnerabilities equities process, the government is
supposed to err in favor of disclosing security issues so companies
can devise fixes to protect data. The policy has exceptions for law
enforcement, and there are no hard rules about when and how it must
be applied.
Apple Inc has said it would like the government to share how it
cracked the iPhone security protections. But the Federal Bureau of
Investigation, which has been frustrated by its inability to access
data on encrypted phones belonging to criminal suspects, might
prefer to keep secret the technique it used to gain access to gunman
Syed Farook's phone.
The referee is likely to be a White House group formed during the
Obama administration to review computer security flaws discovered by
federal agencies and decide whether they should be disclosed.
Experts said government policy on such reviews was not clear-cut, so
it was hard to predict whether a review would be required. "There
are no hard and fast rules," said White House cybersecurity
coordinator Michael Daniel, in a 2014 blog post about the process.
If a review is conducted, many security researchers expect that the
White House group will not require the FBI to disclose the
vulnerability it exploited.
Some experts said the FBI might be able to avoid a review entirely
if, for instance, it got past the phone's encryption using a
contractor's proprietary technology.
Explaining the policy in 2014, the Office of the Director of
National Intelligence said the government should disclose
vulnerabilities "unless there is a clear national security or law
enforcement need."
The interagency review process also considers whether others are
likely to find the vulnerability. It tends to focus on flaws in
major networks and software, rather than individual devices.
During a press call, a senior Justice Department official declined
to disclose whether the method used on Farook's phone would work on
other phones or would be shared with state and local law
enforcement.
Apple declined to comment beyond saying it would like the government
to provide information about the technique used.
PROTECTING "CRUCIAL INTELLIGENCE"
The government reorganized the review process roughly two years ago
and has not disclosed which agencies regularly participate other
than the Department of Homeland Security and at least one
intelligence agency. A National Security Council spokesman did not
respond to a request for comment about agency participation.
In his April 2014 blog post, White House cybersecurity coordinator
Daniel, who chairs the review group, said secrecy was sometimes
justified.
"Disclosing a vulnerability can mean that we forego an opportunity
to collect crucial intelligence that could thwart a terrorist attack,
stop the theft of our nation's intellectual property," Daniel wrote.
On Tuesday, a senior administration official said the vulnerability
review process generally applies to flaws detected by any federal
agency.
Paul Rosenzweig, a former deputy assistant secretary at the
Department of Homeland Security, said he would be “shocked” if the
Apple vulnerability is not considered by the group.
“I can’t imagine that on one of this significance that the FBI, even
if it tried to, would succeed in avoiding the review process,” said
Rosenzweig, founder of Red Branch Consulting, a homeland security
consulting firm.
He predicted the FBI would not be forced to disclose the
vulnerability because it appears to require physical possession of a
targeted phone and therefore poses minimal threat to Internet
security more broadly.
Many security researchers have suggested that the phone's content
was probably retrieved by copying (mirroring) the device's NAND
storage chip, so that its contents could be restored after each
batch of wrong guesses, defeating the limit on the number of
passcode attempts.
Kevin Bankston, director of the think tank Open Technology
Institute, said there is no public documentation of how the review
process has worked in recent years. He said Congress should consider
legislation to codify and clarify the rules.
Stewart Baker, former general counsel of the NSA and now a lawyer
with Steptoe & Johnson, said the review process could be complicated
if the cracking method is considered proprietary by the third party
that assisted the FBI.
Several security researchers have pointed to the Israel-based mobile
forensics firm Cellebrite as the likely third party that helped the
FBI. That company has repeatedly declined comment.
If the FBI is not required to disclose information about the
vulnerability, Apple might still have a way to pursue details about
the iPhone hack.
The Justice Department has asked a New York court to force Apple to
unlock an iPhone related to a drug investigation. If the government
continues to pursue that case, the technology company could
potentially use legal discovery to force the FBI to reveal what
technique it used, a source familiar with the situation told
Reuters.
At least one expert thinks a government review could require
disclosure. Peter Swire, a professor of law at the Georgia Institute
of Technology who served on the presidential intelligence review
group that recommended the administration disclose most flaws, said
there is “a strong case” for informing Apple about the vulnerability
under the announced guidelines.
“The process emphasizes the importance of defense for widely used,
commercial software,” he said.
(Reporting by Dustin Volz in Washington; Additional reporting by Dan
Levine and Joseph Menn in San Francisco; Editing by Sue Horton,
Peter Henderson and David Gregorio)
© 2016 Thomson Reuters. All rights reserved. This material may not be published,
broadcast, rewritten or redistributed.