You probably already have an opinion about whether technology giant Apple Inc. should comply with a government order and provide so-called “backdoor” access to the iPhone used by one of the shooters in the San Bernardino massacre. You may also be asking, “What does this struggle over information access have to do with my midsize business?” You’re not alone.
Apple CEO Tim Cook has challenged the government’s claim to the information, stating in a public letter to customers, “While we believe the FBI’s intentions are good, it would be wrong for the government to force us to build a back door into our products. And ultimately, we fear that this demand would undermine the very freedoms and liberty our government is meant to protect.”
Regardless of where you stand on this issue, the national debate over limits to information privacy will impact all of us as individuals and organizations large and small.
If the federal government wins access to the iPhone in the San Bernardino shooting, via its current request, consider the following:
- The precedent for the government to knock on the door of every technology company in your portfolio and demand the same access, creating additional overhead that could threaten innovation and growth.
- The potential cost and liability for your business if backdoor access to information in your products is subsequently exploited by bad actors.
- Whether creating a back door will make your product less competitive in a global marketplace and give international rivals with more control over their information a competitive edge.
Even if Apple is successful in blocking the government’s request:
- The federal government will not give up, but will instead try new approaches to create systematic monitoring of information in all mediums.
- Technology will more quickly innovate to create encryption that cannot be unlocked by anyone other than primary users, even by the products’ own developers.
- Technology and culture will evolve in a way that begins to meaningfully solve the identity authentication problem that is the source of most cybercrime. If we jointly get to a 99.999 percent, or “five nines,” degree of certainty in authenticating people who should have access to information, much of the cybersecurity threat and cybercrime will begin to wane.
- Apple’s marketing machine will kick into high gear with potentially indeterminable market impact based on the rebuff of the federal outcome.
“Regardless of where you stand on this issue, the national debate over limits to information privacy will impact all of us as individuals and organizations large and small.”
In the meantime, we will watch the Apple case unfold. On Feb. 16, Sheri Pym, a federal judge in California’s Central District, approved an order requiring Apple to provide assistance to agents of the Federal Bureau of Investigation, “in the hopes of gaining crucial evidence” about the Dec. 2 San Bernardino massacre. On its face, the government’s request seems like a reasonable request for the judge to uphold, particularly if the information could be vital to national security.
So why all the public drama? A congressional debate has been attempting to resolve this type of issue through discussion that includes the creation of special universal back doors for government access.
The technical details about how Apple has been ordered to comply this time around are central to the debate. Here’s why: They call for the writing of specific code equivalent to a type of universal key, without limits, that can subsequently be used repeatedly and applied to millions of other Apple iPhones. Specifically:
- The new software would circumvent security controls in the iPhone operating system, known as the iOS.
- The request demands a version of the operating system with built-in time delays that would allow a “brute force” attack on the phone. That is to allow for multiple guesses of the password without timed lockouts.
Our colleagues in the IT world, as well as our own chief technology officer, have made it abundantly clear that the FBI either already has the internal resources or external technology partners that could breach the iPhone in a way that effectively gathers the data, if there is any to be had. In a worst-case scenario—without getting too technical—Apple might need to provide an encrypted key for that to happen. But this approach is not complicated and in fact there is already a precedent. Law enforcement has previously worked with technology partners in cases just as technically complex; closed-door, cooperative arrangements were made and success abounded without violating privacy or security expectations for the greater good.
So what’s really behind the government’s efforts? Some surmise that demands placed on Apple may mark the opening salvo in a strategic push to address a much larger issue that Congress has been wrestling with; that is, whether to require all technology companies to provide a systematic “back door” that gives the government exclusive access to their information.
On Jan. 27 Rep. William Hurd of Texas authored an opinion piece in the Wall Street Journal titled “The Data Breach You Haven’t Heard About.” The congressman, a Republican from Texas, argued foreign hackers may be reading encrypted U.S. government communications due to unauthorized backdoor access established at Juniper Networks. Juniper’s systems direct Internet traffic for customers that include the federal government. “If government systems have yet to be fixed, then adversaries could be stealing sensitive information crucial to national security,” Hurd wrote.
“On its face, the government’s request seems like a reasonable request for the judge to uphold, particularly if the information could be vital to national security.”
We had an opportunity to go over the pros and cons of backdoor government access with Rep. Hurd at the Congressional Hispanic Leadership Institute panel last October. Hurd was formerly with the CIA and currently sits on the House committee exploring who should get access to any back doors legislated by Congress. Here are some of the considerations:
- What most consider a “secure back door” for law enforcement is in practicality just an easy target and weakness for bad actors to exploit. History has proven that back doors are exploited within months. Even systems with no back doors get compromised repeatedly as we see in the media. Bad actors are experts at finding back doors, which to them are weaknesses in security.
- Companies with “secure back doors” are at a global disadvantage. Non-U.S. based companies are not required to have an equivalent for their products. The back door not only creates vulnerabilities but potential liabilities for software developers that now have to spend resources protecting them.
- If U.S. companies are required to have secure back doors they will have to fight the negative perception that “big brother is watching,” which non-U.S. companies do not have. Today, European laws guard privacy much more closely than U.S. laws do.
- Bad actors immediately shift platforms to other products and services when back doors or law enforcement is empowered this way.
The truth is that bad actors’ tools, such as the email encryption program Mujahadeen Secrets, are increasingly powerful, sophisticated and pervasive. Do we want to leave only the good people operating with these back doors, which are basically manufactured security flaws?
In summary, this is just the beginning, and it may be among the first examples of a company declaring a form of sovereignty in cyberspace. Since only countries have been allowed to declare sovereignty in the past, are we now entering an era where more and more companies distance themselves from government oversight? Will this open the door for other governments to make similar requests via international courts, and what does this mean if the request is made by Russia or China? These are the potential unintended consequences of the current request by the DOJ. Make no mistake: The impact of potential fines, operating overhead and privacy can be substantial because we’re all part of the information supply chain.
Running a small or midsize business just isn’t what it used to be, is it? //
Israel Martinez is president and CEO of Axon Global, a cyber-counterintelligence company recognized by the Department of Homeland Security as a leader in its field. He is certified by the DHS in cyber-counterterrorism and defense, and has more than 20 years of experience in enterprise risk management and governance.
Richard Schroth, Ph.D., is managing director for the The Newport Board Group’s global cyberpractice. He actively leads world-class teams of cyberprofessionals and board-level advisers seeking to minimize cyberrisk with public boards and private equity firms. Additionally, Schroth is a senior adviser to the CEO of ACG for cybersecurity and serves as the executive director of The American University’s Kogod School of Business Cyber Governance Center in Washington, D.C.