Why Digital Security Is An 'Arms Race' Between Firms And The Feds
The Apple-FBI standoff, where Apple is refusing to write special software that would help investigators crack into an iPhone of one of the San Bernardino shooters, is largely viewed as a battle between privacy and security.
At the high-profile congressional hearing on encryption last week, FBI Director James Comey argued that increasingly strong encryption is making smartphones "warrantproof." Apple's General Counsel Bruce Sewell testified that complying with the FBI's request would create a dangerous tool that the bad guys could abuse.
But Susan Landau, a professor of cybersecurity policy at Worcester Polytechnic Institute, presents another way of looking at the issue:
"(The FBI's) approach has been 'make it simple for us to investigate' instead of 'let's secure communications and devices, and we'll come up with a way to investigate whatever we need to,' " she tells NPR's Ari Shapiro.
She argues that the challenge shouldn't be to make data on iPhones or other devices easier for law enforcement to access — making it also easier for hackers or other governments to access — but to make devices as secure as possible, while funding the FBI's own development of better digital investigation tools.
Below are a few excerpts of Landau's conversation with Shapiro, in addition to the audio above.
On why letting Apple resist the FBI's request and urging the FBI to develop tools to access secured data aren't mutually exclusive
That's exactly the situation we've got with the National Security Agency. We know that the NSA breaks into devices and communications that the companies think are secure, and the companies work to make them more secure. I'm asking that the FBI develop that expertise, target it narrowly; when a technology company becomes aware that one of their systems is easy to break into, they then leapfrog and develop better technology.
Security is always an arms race of this sort. But if Apple develops the technology, it becomes a target.
On why the FBI having its own technology to crack into an iPhone is less of a risk than Apple building that technology
We know that the Chinese, the Russians, lots of our opponents are building this technology, too. Each time Apple improves the quality of its security, our opponents have to improve their (tools). So the FBI developing it is of course a security risk that Apple is going to counter. But it's less of a security risk than if Apple has it, where it's a central point for opponents to get into and then break phones that they target.
On what it would take for the FBI to develop the technology
They need expertise in telecommunications, from the physical layer all the way to the virtual layer, that is the computer layer. They also need deep expertise in computer science. They'll need teams of people who understand the different devices. They'll need to have people who understand the technology now, the technology in six months to two years from now and where communications technology is going in the two- to five-year period.
We're talking here of a budget of hundreds of millions, not billions — but not the $40 million that they're currently devoting.
On why the FBI can't just ask the NSA for help in the post-Sept. 11 information-sharing world
Information-sharing is different than technology-sharing. When the NSA builds technology, it doesn't want that technology showing up in court. If the NSA were to share its technology with the FBI, the FBI brings court cases and the technology would have to show up there. So yes, there'll be some duplicative effort, but you don't want the NSA technology in court.