After years of debate on whether to give the FBI and other federal agencies the tools to bypass smartphone security, it appears we are still light-years away from any resolution. There was a moment a few months ago when proposed legislation appeared imminent, but the FBI dropped the issue when they were able to crack the iPhone belonging to one of the San Bernardino shooters.
Susan Landau, professor of cybersecurity at Worcester Polytechnic Institute, feels that the way the FBI went about gaining access to the iPhone is, in fact, the correct solution. To explain why, Landau, in her testimony before the U.S. House Judiciary Committee (Landau’s testimony begins at 3:35:44), starts by stating that it is vital to keep smartphones backdoor free. Smartphones are poised to become the best way to authenticate to computing systems and online services. She adds, however, “But not if it’s easy to get into the data on the smartphone.”
Why backdoors are a problem
According to Landau, creating updates for smartphone operating systems that change the phone’s security requires a great deal of effort and the consensus of senior management. Any time developers make changes to complex operating systems, there is a chance that new vulnerabilities will be introduced.
There’s something else that Landau wants everyone to consider: What happens if it becomes routine to build updates that compromise smartphone security? History shows that this kind of behavior makes it easy for organized crime or nation states to obtain such an update, which in turn means every smartphone targeted by the update is at risk.
What is the answer?
In her testimony, Landau brings up an interesting point. An NSA colleague once told her that the agency already has the right to break into certain systems. Landau’s colleague quickly added that everyone at the agency also understands there are no guarantees that breaking in will be easy.
Next, Landau mentions that John Michael McConnell, former director of the NSA and former director of National Intelligence, told her that the NSA has better signals intelligence now than at any time since 1990. From that, one might conclude the NSA does not have the same problems as the FBI.
That said, Landau feels law enforcement, the FBI specifically, needs to take a page from the NSA and develop 21st century capabilities for conducting electronic surveillance. “The FBI already has excellent people and expertise, but not at the skill level necessary,” mentions Landau. “Rather than asking the industry to weaken protections, law enforcement must develop the capability for conducting sophisticated investigations themselves.”
To accomplish that, Landau suggests Congress help by creating an investigative center and thoroughly training FBI agents in modern communications technology. Since smartphones are computers, Landau also feels FBI agents need an excellent understanding of computer science. Interestingly, Landau does not believe the entire workload needs to stay in-house, saying, “The FBI could pursue a solution where some expertise is in-house, along with closely managed contractors doing some of the work.”
Landau’s theory is definitely “outside the box” thinking, but she needs to be taken seriously; she has more than enough street cred. Before joining Worcester Polytechnic Institute, Landau was a senior staff privacy analyst at Google and a Distinguished Engineer at Sun Microsystems. Landau is a fellow of the Association for Computing Machinery and the American Association for the Advancement of Science, and in October of 2015, Professor Landau was inducted into the National Cybersecurity Hall of Fame.
In conclusion, Landau sees this as the only way going forward that does not put America’s digital security at risk. It enables law enforcement investigations while encouraging the information-security industry to do all it can to develop better and more effective technology for securing data and devices. Landau ends by saying, “That is the way to win and where we should be going.”
That said, does Landau’s idea, which might be construed as competition between law enforcement and the information-security industry, make sense? Share your thoughts in the discussion.