We know that a third party helped FBI crack the iPhone used by one of the San Bernardino shooters. But many questions remain. Should the FBI reveal the software loopholes, or vulnerabilities, of the iPhone to Apple? If yes, then what’s the process? Can the hackers hold onto the technique and re-sell it in the future? And who can own a software vulnerability to begin with?
NPR’s Renee Montagne talked to Robert Knake, former director of cybersecurity policy for the National Security Council in the Obama administration, about the complex relationships between technology companies, professional hackers and the government.
“We may be in a situation where, if the government does decide it wants to disclose this vulnerability, it may have to figure out how it can legally do that,” Knake says. “Does it have the right to disclose that or are those rights held by the company that discovered the vulnerability in the first place?”
Below are some highlights of the conversation between Knake and Montagne.
On how the government deals with technical obstacles to investigations
What we’re seeing is sort of a trend away from sort of an old model, in which either government agencies had laboratories and they discovered these vulnerabilities or they would contract with a defense contractor like Lockheed Martin or Boeing to find the vulnerability.
Now what we’re seeing are these third-party groups whose full-time job is to discover vulnerabilities that they can exploit and sell — sometimes back to the government, sometimes back to the companies that make the software, and then oftentimes on the black market or on the grey market to criminals or other intelligence agencies.
On whether hackers own the vulnerabilities they discover
It’s something that we’re going to see intellectual lawyers fight out over the next couple of years, because I think Apple certainly would say, “How can you own a vulnerability in our source code, and in our software, and in our devices?” … It’s certainly an area where we don’t have a very clear playbook on how to handle these kinds of situations.
On the going rate for buying a vulnerability
The reports coming out are that for past vulnerabilities in iOS they fetch upwards of a million dollars. There was a contest that was held by a third-party company to find a vulnerability and they offered that amount of money. … It’s hard to get data on what is going on in the black market, what is going on in the grey market and the amount law enforcement agencies pay for this kind of vulnerabilities is very hard to come by.
On how federal officials decide whether to reveal to the company the vulnerabilities in its software that are known to the government
At the top of the Vulnerabilities Equities Process, you’ve got an equities review board, which is made up of senior members of every agency that might have an equity in this kind of case.
So you would, for instance, have the FBI counterterrorism team advocating probably on behalf of retaining this vulnerability. On the other side of the FBI you’d have their counterintelligence team probably saying, “Hey, we’ve got to protect all those (iPhones) that have government information on them, we need to disclose this vulnerability to Apple (so they can patch it).”
You see the same thing play out within the NSA. Their signals intelligence team would be saying, “Maybe this is a vulnerability we want to exploit.” They might say it’s not, and then the information assurance team in NSA might probably be saying, “We back disclosing this vulnerability and patching it.”
You would have other law enforcement agencies like the Secret Service at the table, you would have the Department of Homeland Security broadly advocating for cybersecurity and supporting strong encryption. That’s been their position all along. You might have the Commerce Department, if they thought they had an equity in it.
So this team of people would come together and they’d look at a variety of questions and factors to determine whether they think, on balance, the vulnerability should be disclosed or should be retained.
On whether the public will ever know how the San Bernardino phone got unlocked
This is an unusual case. Normally, I would say that there would be very little chance that — if the government decides to disclose (the vulnerability) — it will disclose anything more than what it knows to Apple, and that we would never know that happened. In this case, because it has become so public, I think it’s possible that the FBI might share details more broadly, if Apple is comfortable with that, in the event that it decides to disclose it.
So yes, I think it is, in fact, possible that we may get to the bottom of what the vulnerability was and get solid assurance from Apple that they fixed it.