Stupid Is As Stupid Votes: Apple, the FBI, and Our Overlooked Backdoor Cybersecurity Threat

Co-authored by Cyrus Jabbari, USC Student and Researcher

As the Presidential primaries are well underway, foreign policy discourse continues to gravitate toward the Middle East. The Democratic candidates continue to bicker over each other's Iraq War voting record and how much they will listen to Henry Kissinger. Meanwhile, the Republicans brag about how much they will play carpet bomb whack-a-mole with ISIS and how they'll treat Syrian refugees like a bouncer treats unattractive people trying to cut line and get into the hottest iridescent dance club on a Saturday night.

Undoubtedly, ISIS remains an egregious scourge, threatening stability in the Middle East and the international community, as evidenced by November's gruesome Paris Attacks. However, as important as counterterrorism is to American national security, another threat looms large in our digital atmosphere -- cyberterrorism.

Our foreign policy should further include and discuss cybersecurity. With every passing day that leaves our nation more entrenched in the interconnectivity of the Information Age, the U.S. increasingly finds itself embroiled in a two-front conflict: one with visible terrorists in the Middle East and one with concealed identities hidden behind a keyboard.

This increasingly dangerous threat, however, exists beyond the confines of traditional military parameters. It affects governments, businesses, federal agents, and our own personal information. Cyber warfare has intensified since 2010 and remains an existential problem, its significance symbolized by the dispute between the FBI and Apple, which could have significant ramifications not only for our personal information but also for our foreign policy.

A Cellular PRms Race

In Dec. 2015, Syed Farook and his wife, Tashfeen Malik, attacked a San Bernardino County Dept. of Health holiday party, shooting and killing 14 people and seriously wounding 22 more. According to FBI Director James B. Comey, the FBI's investigation revealed the perpetrators were "homegrown violent extremists" inspired by foreign terrorist groups.

Digital Trends reports:

"On Feb. 16, U.S. Magistrate Judge Sheri Pym for the Central District of California ordered Apple to disable the iPhone's auto-erase function, a feature that deletes a smartphone's data after 10 failed passcode attempts. This would help the FBI gain access into San Bernardino shooter Syed Rizwan Farook's phone to see who they were in contact with, and to confirm any ties to ISIS."

The court order was made through the use of a 227-year-old law -- the All Writs Act of 1789, which lets federal courts issue orders compelling third parties to cooperate and assist in carrying out other court orders.

Although Apple has cooperated in the past, helping the government unlock dozens of iPhones in other cases, Wired notes this particular request is tricky. The phone in question is an iPhone 5c running the iOS9 version of Apple's software, owned by the San Bernardino Dept. of Public Health and used by Farook, who created a password to lock the phone.

Apple, which introduced tougher security measures in iOS8 following the NSA leak by Edward Snowden, doesn't have the means to disable the auto-erase function. Due to these security features built into the software of Farook's iPhone, the FBI is unable to unlock the phone and access its data using a brute-force password-guessing technique. This method involves entering different passcodes repeatedly until the correct one is guessed, which only works if there is no risk that the device will permanently lock them out.

With auto-erase enabled, Apple's security software erases the key needed to decrypt the phone after 10 failed passcode attempts. Although the data remains on the device, it cannot be decrypted, rendering the phone inaccessible. This prevents someone from brute-forcing the password.

The FBI's motion notes San Bernardino County gave the device to Farook with the auto-erase function enabled, and the most recent iCloud backup of his information "showed the function turned on." They have successfully obtained data as recent as a month before the massacre, but assume he disabled iCloud soon after -- preventing them from accessing data closer to the attacks, when he likely used his phone to coordinate the shooting.

Beginning with iOS8, Apple gave up its ability to bypass a user's passcode and unlock the device. Its software now securely encrypts all of the most important data on a user's iPhone by default -- photos, messages, contacts, call history -- using a custom password, and Apple cannot bypass that password to obtain the data.

Essentially, the FBI is ordering Apple to create a new software tool to eliminate specific security protections the company built into its phone software to protect customer data, enabling law enforcement agencies to unlock iPhones themselves. This case is unique to Apple, because it's one of the few companies that design their own software and hardware, including chips, which has paved the way for the extra-strength encryption that the investigators are facing in this case. Apple built the iPhone to accept only software signed with Apple's own cryptographic key.

This FBI order prompted Apple CEO Tim Cook to reject the court order in a letter to his customers, stating:

"Once created, the technique could be used over and over again, on any number of devices. In the physical world, it would be the equivalent of a master key, capable of opening hundreds of millions of locks - from restaurants and banks to stores and homes."

Cook's response has drawn backing from some prominent members of the tech industry. Snowden Tweeted, "The @FBI is creating a world where citizens rely on #Apple to defend their rights, rather than the other way around." Google CEO Sundar Pichai also took a public stand in support of Apple in a series of Tweets, saying, "forcing companies to enable hacking could compromise users' privacy" and would set a "troubling precedent."

Conversely, the Department of Justice chimed in, siding with the FBI, dubbing Apple's refusal to cooperate in this investigation a "marketing strategy." In its 25-page motion to urge the company to accommodate, the Department of Justice also appears to be attempting to sway public opinion.

"Rather than assist the effort to fully investigate a deadly terrorist attack by obeying this court's order, Apple has responded by publicly repudiating that order," prosecutors wrote. "At no point has Apple ever said that it does not have the technical ability to comply with the order or that the order asks Apple to undertake an unreasonably challenging software development task. On this point, Apple's silence speaks volumes."

The Justice Department also said Apple's claim of this "unprecedented demand" placing pressure on its engineers to create a new operating system from scratch was a significant overstatement. Prosecutors argue the technology was no more difficult than passing a new software update to their iPhones -- something they regularly do.

Lastly, the Justice Department continuously suggested Apple has put its "marketing concerns" over its corporate responsibility to assist law enforcement.

A few days after this spat made national headlines, Michael Fertik, founder and cyber security expert, appeared on CNBC and described this confrontation between Apple and the FBI as a "PR war."

"The FBI could crack this on its own. In fact, the Chinese government may have already created software that allows it to defeat the encryption on the Apple iPhone," Fertik said. "The NSA may already have done it as well, and the FBI may not have access to this technology, should it exist. More or less, the FBI is just asking Apple to do the heavy lifting for it."

Fertik also added that Apple has complied with law enforcement in previous cases, but this one raises the bar in terms of workload, and is a matter of securing the public trust.

"It's not beyond the capabilities of a government agency like the FBI or CIA or NSA or certainly the Chinese to do. Tim Cook is saying, 'Look public. We are not going to give you up if you are living your life. We want you to feel safe in our hands.'"

Fertik concludes both Apple and the FBI have drawn respective "lines in the sand" because Apple requested the FBI make its request to the court very privately. Since the FBI and DOJ broadcast this case, Apple was forced to refute it in a very public manner.

The privacy image is very valuable to Apple, especially since it's a multinational corporation with bountiful overseas profits.

The New York Times reports China is Apple's second-largest market after the United States -- Chinese consumers spent $59 billion on Apple products in the last fiscal year. The iPhone has "become both a status symbol and a form of personal security, given how difficult the device is to break into in a country where people increasingly worry about hacking and cybercrime." The company reaps two-thirds of its sales internationally, totaling $234 billion per year.

Their main concern is the precedent this particular request sets -- if the U.S. government can instruct Apple to hack into its own smartphones, then the governments of other countries in which the company operates can follow suit. This could potentially dampen Apple's future enterprise.

Concomitantly, this could be a public relations battle for the White House. Is President Obama trying to display the power of the American government to suppress terrorism?

If Fertik's analysis is correct, the U.S. is capable of bypassing the security measures on Farook's iPhone, but is it possible they want this procedure to be public or transparent? If so, this could be a deterrent to potential terrorists, as it signals that anyone plotting an attack will be found.

After Snowden gained national infamy as an NSA whistleblower, Americans have become wary of government surveillance, perceiving it as an impediment to privacy rights. Is this a political maneuver to bring accountability to national security? Or is this a statement to private industry that their public statements are irrelevant because the government has the ability to discern communications?

The San Bernardino mass shooting broke the threshold of violence in the U.S. particular to the context of the international conflict with ISIS -- terrorists no longer have to be formally instructed by an organization, but can simply claim their gruesome acts of bloodshed are in honor of them.

It is quite possible the American government realized the grave implications of the power of social media in disseminating a violent perversion of an ideology to lone wolves waiting to pounce on this depraved mentality. A form of psychological deterrence could be necessary through exhibiting that cyberspace is not a safe haven for criminal activity.

In dealing with a convicted terrorist, the government has an endless warrant to determine how the crime was committed and the perpetrator's criminal ties. Asking a corporate entity that does business, and is headquartered, in the U.S. for cooperation to help law enforcement gain greater insight on this crime is within the established legal framework. But demanding a "backdoor" into every iPhone displays both the disconnect between government and industry and our mass misperception of the seriousness of cyber warfare.

The Big Picture

In a recent Business Insider op-ed, McAfee antivirus software creator John McAfee offered to decrypt the information on Farook's iPhone exclusively, free of charge. He estimated the process would take three weeks to complete, and wouldn't dismantle privacy rights in America.

In a CNBC interview McAfee described the FBI's request for a backdoor as "idiotic," stating that giving access to everyone's iPhones would make our personal information vulnerable to hackers.

Russell Brandom of the Verge reported the federal government doesn't pose danger, but criminals do. The lockscreen prevents thieves from accessing data on the phone, as they resort to wiping a phone entirely after it's been stolen. "If those thieves had a way to unlock the stolen phones, victims could be exposed to anything from identity theft to extortion, depending on how much sensitive data is on the stolen phone."

This threat was a key motivator in Apple's shift to stronger encryption in iOS8 - any software that unravels its safeguards can have serious consequences for iPhone users.

The FBI proposed a number of protections to ensure its passcode hack can't be used by anyone else - Apple has to sign any automatic firmware updates before a given iPhone will accept them, and the FBI's proposed update would be coded to an individual phone, so unless the phone's serial number matches the serial number in the code, the software won't install.

This method is specific to the 5c, which lacks the Secure Enclave chip that ties lockscreen protections to hardware in more recent iPhones.

Even though the precise software proposed by the FBI can't be used to unlock other phones, its value to thieves can't be overstated.

According to Brandom,

"If the code fell into the wrong hands, it could potentially be reverse-engineered into a generic version, removing the code that ties the attack to a specific phone. That reverse-engineered version would still need Apple's signature before it could be installed -- something thieves are not likely to have -- but that signature system would be the only thing protecting a stolen iPhone and the information inside it."
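The two protections described above (a vendor signature plus a serial number coded into the update), as an added example that is not Apple's or the FBI's code. It uses a constructed update format in which the signature covers the target serial, so editing or stripping the serial invalidates the signature. HMAC with a constructed key stands in for the vendor's asymmetric code signature, and every name, field and serial number below is hypothetical.

```python
import hashlib
import hmac
import json

# Constructed stand-in for the vendor's signing secret. A real device holds
# only a public verification key; HMAC keeps this example stdlib-only.
VENDOR_KEY = b"constructed-demo-key-not-a-real-secret"


def _signed_bytes(manifest, payload):
    """Canonical bytes covered by the signature: manifest plus payload hash."""
    body = dict(manifest, payload_sha256=hashlib.sha256(payload).hexdigest())
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def _tag(manifest, payload):
    return hmac.new(VENDOR_KEY, _signed_bytes(manifest, payload),
                    hashlib.sha256).hexdigest()


def vendor_sign(manifest, payload):
    """Vendor side: bind the payload to the manifest, including the serial."""
    return {"manifest": dict(manifest), "payload": payload,
            "sig": _tag(manifest, payload)}


def device_accepts(update, device_serial):
    """Device side: verify the signature first, then the serial binding."""
    expected = _tag(update["manifest"], update["payload"])
    if not hmac.compare_digest(expected, update["sig"]):
        return (False, "bad signature")
    # Fail closed: an update that names no target serial is also refused.
    if update["manifest"].get("target_serial") != device_serial:
        return (False, "serial mismatch")
    return (True, "ok")


def run_scenarios():
    """Run one signed update through five constructed scenarios."""
    signed = vendor_sign({"version": "demo-1", "target_serial": "SERIAL-A"},
                         b"constructed firmware image")
    retargeted = dict(signed, manifest=dict(signed["manifest"],
                                            target_serial="SERIAL-B"))
    generic = dict(signed, manifest={"version": "demo-1"})
    patched = dict(signed, payload=b"constructed firmware image, edited")
    return {
        "intended device": device_accepts(signed, "SERIAL-A"),
        "other device": device_accepts(signed, "SERIAL-B"),
        "serial rewritten": device_accepts(retargeted, "SERIAL-B"),
        "serial stripped": device_accepts(generic, "SERIAL-B"),
        "payload edited": device_accepts(patched, "SERIAL-A"),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:18} -> {result}")
```

Only the untouched update on the intended device is accepted. Every edited variant fails at the signature check, which is why the signing key carries the whole weight once the serial binding can be edited out.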

"There has never been a backdoor that has not been hacked into by bad hackers or foreign nations. So really, what the government is asking Apple to do is to make every individual who uses an iPhone susceptible to hacking by bad people," McAfee argued on CNBC.

McAfee added the U.S. government is "20 years behind the rest of the world" on cyber security. "All of the great hackers are not the type who want to wear suits, shine their shoes and show up to work every day."

Furthermore, Foreign Policy reports the federal government has a fundamental misunderstanding of "white hat" hackers, arguing they don't properly value their contributions to security systems by exposing their vulnerabilities and displaying that no system is ever permanently impenetrable.

The iPad was first released in the spring of 2010, several months prior to the first revelation of the Stuxnet cyber weapon, believed to have crippled thousands of Iranian nuclear centrifuges. Since then, notable hacks have been launched on Google, Adobe Systems, Morgan Stanley, Lockheed Martin, Sony, Ashley Madison, Home Depot, eBay, JPMorgan Chase, Target, the Pentagon, and many more.

Let's contemplate the number of people who use the iPhone - business leaders, doctors, government agents, law enforcement, the military, engineers, etc. It's not just mundane personal information, detailing the routine actions of average citizens, that's at stake here. This threat exists beyond lewd texts and narcissistic selfies; it pertains to our supply chains, power grids, infrastructure, telecommunications, defense mechanisms, business deals, stock information, personal credit, intellectual property, Social Security, bank accounts, and individual privacy.

Considering the culprits behind the Sony attacks are alive and well, according to a year-long investigation by Juan Andrés Guerrero-Saade, senior security researcher with Kaspersky Lab's Global Research and Analysis Team, and Jaime Blasco, who heads the Lab Intelligence and Research team at AlienVault Labs, how do we know other hackers aren't waiting to seize this information at any given moment?

Fox News reported the Justice Department is offering Apple a compromise; the agency will allow Apple to maintain possession of and later destroy specialized software it was ordered to create to help federal authorities hack into Farook's encrypted iPhone.

This only further cements McAfee's point that the federal government is ill-prepared in handling cyber security. Apple does not want the software created under any circumstance, as it has the potential to be replicated or stolen. If this procedure proves fruitful in obtaining essential information from Farook's phone, why wouldn't the FBI continue this policy?

The Wall Street Journal's coverage of the Pentagon's 30-page classified plan to combat cyber warfare in 2011 illustrates their obsolete strategy, as they overvalue the idea of "equivalence."

If a cyber attack produces the death, damage, destruction or high-level disruption that a traditional military attack would cause, then it would be a candidate for a "use of force" consideration, which could merit retaliation. "If you shut down our power grid, maybe we will put a missile down one of your smokestacks," said a military official.

The Center for Strategic and International Studies states the following:

"The Pentagon's declaration that a cyber attack could constitute an act of war suggests how uncertain the military is as to what its cyber policy should be. It looks like a desperate attempt at deterring potential attackers, one which is unlikely to succeed given the difficulties of attributing the source of an attack. The problem of attribution is, of course, common to both nuclear deterrence and cyber warfare. One can only retaliate against an attacker if the source of the attack is known."

What's even more concerning is our political ineptitude in dealing with this issue: the Protecting Cyber Networks Act, a bill seeking to improve public-private information sharing to reduce cyber threats, stalled in the Senate for four years. Although the Obama Administration has established the framework for cyber security policy, this should be a major policy objective for the next President.

McAfee released a report in 2014, estimating cybercrime could cost as many as 200,000 American jobs due to stolen intellectual property and lost exports. CNN Money cites a study by Hewlett Packard and the U.S.-based Ponemon Institute of Cyber Crime that found hacking attacks cost the average American firm $15.4 million per year, double the global average of $7.7 million.

It's strange that both the Democratic and Republican parties try to position themselves as economic and national security stewards, but can't find a way to effectively bolster both.

With all the hoopla about ISIS, radical Islamic terrorism and constant impending apocalyptic Armageddon facing America that's abundant in the primaries, it appears our presidential hopefuls should reevaluate their foreign policy priorities.

The only candidate to "seriously" address this is Republican frontrunner, and angry blowhard Cheeto business-ferret, Donald Trump, during a town hall-style event prior to the South Carolina GOP primary.

"Apple ought to give the security for that phone, OK. What I think you ought to do is boycott Apple until such a time as they give that security number. How do you like that? I just thought of it. Boycott Apple."

Notwithstanding the detrimental economic effects that boycotting the world's largest and most valuable corporation would impose, forcing Apple to surrender its security system would completely undermine any semblance of credibility U.S. government surveillance would have in the midst of public distrust of the NSA.

Trump's appeal is partly derived from the perception that he will protect Americans from terrorist threats, yet he's given what's possibly our greatest national hazard roughly five seconds of substantive policy consideration.

It's sad that Trump reduces this pressing issue to a soundbite at best, and an afterthought at worst, in an effort to pander to his base, which boasts the lowest educational attainment, poor grammatical proficiency, and continues to believe Obama is a Muslim born in another country.

If a candidate who once Tweeted, "The concept of global warming was created by and for the Chinese in order to make U.S. manufacturing non-competitive," mentioned this in passing, why aren't other presidential contenders discussing this?

Harvard's Belfer Center notes both the U.S. and China stand to benefit from strengthening, securing and expanding interconnected digital networks to promote commerce and innovation, yet we are unable to find a way to position ourselves to adapt to a vastly changing digital landscape.

So we must collectively ask ourselves, is the greatest risk to American security Muslims entering the country or hackers entering our networks? Should we be focusing on preventing refugees from stepping foot on American soil, or faceless threats from breaching our Internet landscape?