CFR Presents

Net Politics

CFR experts investigate the impact of information and communication technologies on security, privacy, and international affairs.

Print Print Cite Cite
Style: MLA APA Chicago Close


The Real Lesson of the Apple-FBI Showdown: Cybersecurity Isn’t Hopeless

by Robert Knake
February 18, 2016

Apple CFR Net Politics FBI A man walks past a backlit Apple logo during an Apple media event in San Francisco, California, September 9, 2015. (Beck Diefenbach/Reuters).


It may be hard to imagine but there are probably moments when Apple CEO Tim Cook and FBI Director Jim Comey probably have the same fervent wish: Would someone–anyone–please figure out how to hack into Syed Rizwan Farook’s darn iPhone.

Both would likely take up John McAfee on his offer to decrypt the San Bernardino shooters’ phone if anyone understood how social engineering could be used to break into a dead man’s phone.

In the short term, it would solve both their problems if a third party forensics company started selling law enforcement a tool that could access data on iPhones. I’ve written before about lawful hacking as a potential solution to the standoff between law enforcement and the tech companies. It’s a messy solution that pits U.S. companies against the government but it may be the best answer among a lot of bad ones.

The problem with lawful hacking as a solution may turn out to be that Apple and other companies are actually starting to figure out cybersecurity. With all the gloom and doom in cybersecurity marketing, it’s almost hard to believe that any computing device in the world can’t be easily accessed by your average high school kid in a basement. Yet, in almost a year since Apple introduced iOS 9, nothing has hit the market.

It’s not for lack of demand. There are, at last count 94 million iPhones in the United States alone and over 12,000 law enforcement agencies. That’s a nice market that plenty of companies would love to tap into. The Russian cybersecurity firm Elcomsoft used to do brisk business selling a forensic toolkit for iOS at $1,500 a pop. Unfortunately, for them at least, their toolkit won’t work on any iPhone running the current operating system.

The FBI has come up with a technically plausible path by which Apple could retrieve the data on the phone. And security researchers have pointed out ways in which Apple could block that path in future updates—for instance by requiring a passcode to update the iOS software. The long-held belief that offense always wins and defense always loses in cybersecurity has been turned on its head.

Privacy groups arguing against the FBI’s push to access encrypted data on phones are largely relying on an argument that, while encryption may make certain kinds of data inaccessible, the rest of the cyber ecosystem remains so insecure that there are more opportunities than ever for surveillance. The Internet of things will only increase these opportunities as our homes and our lives are filled with dozens of devices recording our every word and move with little to no security.

The current fight over the iPhone offers a glimmer of hope that that dystopian future where privacy is dead does not have to become a reality. Spying and crime may both become harder, not easier, in our digital future. As Apple has shown with its smartphone, smart homes and cars and offices do not have to be the building blocks of the surveillance state or an easy path to blackmail, extortion, and unauthorized fund transfers. That outcome would be a good thing for our society. It would also mean that we might truly have to grapple with the implications of terrorists, child molesters, and criminals also being beyond the reach of law enforcement.

Post a Comment 4 Comments

  • Posted by Don O'Neill

    It seems as though such a powerful technology capable of stymieing
    our best and brightest government technologists should be subject to expert controls.

  • Posted by James Francisco

    I can see the possibility that Apple’s intransigence in this matter could come back to haunt them when the public realizes that as the author states that terrorists, child molesters, and criminals can be beyond the reach of law enforcement.

  • Posted by David Aaron

    It is good to read a article that tries to balance national security and law enforcement with privacy and not merely strike postures. Tim Cook could have proposed some of these solutions but he does not want to, because it does not fit into his marketing and branding strategy. If he genuinely cared about privacy his next operating system would block tracking by websites. As for his claim that if they comply, China could ask them to do the same. China can do that now! And if Apple’s history with China is any guide, Apple would fold like a Shanghi noodle.

  • Posted by DarrylW

    If my understanding is correct, those people who carry out the terrorist acts, typically use disposable phones, are not in an obvious hierarchy, but operate in loose associations, cells or small groups. Thus, any lost cell phone, which was probably a disposable one, would simply be “written off” as collateral damage. All groups in contact with the person who had said disposable phone would probably just dump their phones, get new disposable ones, and therefore, it would be a waste of time for any law enforcement agency to try to decrypt the contents of the first above mentioned phone. That seems obvious, and I’m no expert. What would help the most, as far as curtailing terrorist activities, is to stop, prevent or make illegal the sorts of activities the Bush-Cheney administration carried out against the sovereign nation of Iraq, which was illegally invaded, (against the wishes of The Pope and in violation of UN Treaties with the US), and when Saddam Hussein had absolutely nothing to do with any of the 9/11 events nor had any connections to Al Qaeda, and had no WMDs. For the record, 14 of the 19 hi-jackers on 9/11 were from Saudi Arabia, a nation where GW Bush had personal and business ties with the Saudi Royal Family decades. Was that a coincidence? I doubt it. When the invasion of Iraq was done purely for oil, and for profit? (And Simply to secure artifacts that should stay in the Middle East?) Our US troops were lied to and betrayed. Period. Especially since Iraq had no WMDs, and Bush said so many times that they did have WMDs. Profiteering contractors were paid up to 10 times what our US troops were paid, to do the same jobs. That should have been a crime–to privatize an illegal invasion, at taxpayers expense, for a corrupt political agenda. The actions of the Bush-Cheney administration were directly responsible for creating more terrorists than any other act of the United States of America in the past 50 years. The terrorist actions on 9/11 against the United States of America were (blowback)– the results of countless peoples through out the Middle East who felt powerless against the US, after decades of US intervention in Middle East matters, (such as killing off Heads of State by the US CIA, etc.), after decades of political agendas the US imposed on Middle Eastern nations, and profiteering throughout the Middle East by US multinational corporations. Man-made “disaster capitalism” should be illegal, and dominant Political parties and NGOs should not have any say about US Foreign Policy; US troops should not be sent off continent without a declaration of war; the United Nations should be recognized for what it is: the ONLY agency of organizations on earth with the ability and capacity to rectify any unstable State-to-State political situation, without doing it just for profit.

Post a Comment

CFR seeks to foster civil and informed discussion of foreign policy issues. Opinions expressed on CFR blogs are solely those of the author or commenter, not of CFR, which takes no institutional positions. All comments must abide by CFR's guidelines and will be moderated prior to posting.

* Required