A cyber-security expert has come up with a surprisingly simple way for the FBI to gain access to encrypted technology, without the need for legislation to compromise the privacy and security of the entire population. The FBI should be hiring the hackers who are already capable of breaching the security on these devices.
Susan Landau, who is a Professor of Cyber-Security at Worcester Polytechnic Institute, has published her proposals in a paper for the journal Science.
In it, she makes a robust case against legislation that would require companies to build a backdoor into any encryption technology, saying that this would be catastrophic for the security of every customer.
All systems can be hacked
Instead, she argues that all software, no matter how well written, will have vulnerabilities that can be exploited, and that the FBI should be hiring those capable of identifying and breaching these security flaws.
Her proposals already have at least one extremely high-profile precedent. It was only as recently as March that the FBI dropped its ongoing and vitriolic legal action against Apple over just such a matter. In that case, the FBI was trying to access the iPhone of one of the San Bernardino terrorists who had killed 14 people in an attack in the city.
The iPhone was, however, locked, and the FBI couldn’t break the passcode. Apple’s latest security technology means that all data on the phone is wiped if you make excessive incorrect attempts at the passcode.
So instead of risking this, the FBI simply demanded that Apple build them a piece of software to get around it. Apple refused, and the case looked set to rumble on for many months.
Then in March the FBI dropped the case after they hired some external hackers who had found a way to get around the iPhone’s security. The identity of these hackers has still not been revealed, but there can be little doubt they were paid handsomely for their work.
The solution seemed to suit both parties as the FBI got the data they wanted and Apple avoided being forced to compromise their own security settings.
This case illustrates that there is no impervious security system and that there will be a hacker out there somewhere who can find a way into any device sooner or later.
FBI should recruit better hackers
Landau also claims that the San Bernardino case suggests that the FBI’s current capabilities are lagging behind those of the hacking community more generally.
“One can guess from the concerns that the FBI raises that it’s behind. But one doesn’t have explicit examples of that,” she said.
It doesn’t take a great leap of the imagination from this case to reach the conclusion that the body responsible for national security should be hiring hackers with this level of ability, rather than resorting to catch-all solutions as it did in the Apple case.
This type of hacking is not illegal and would certainly be preferable to allowing the FBI access to everybody’s encrypted communications and the obvious privacy issues that would raise.
When you look at the budget and manpower the FBI has available for such work to overcome encryption, anonymization, and similar challenges, there can be little surprise they are not keeping up. They have just 11 agents working on the issue with a budget of $31 million, which is small change by FBI standards.
Landau’s conclusion is a simple one. These resources are not sufficient to deal with one of the biggest challenges the FBI faces today, and the hiring of more hackers would be the most cost-effective and indeed effective way to deal with the issue without compromising the privacy and security of everybody. As she writes, “the FBI must develop 21st Century investigative savvy.”