It seems the FBI might keep Apple in the dark regarding the particularities of the security vulnerability used to crack open the iPhone in the San Bernardino case. As an article in yesterday’s Wall Street Journal noted, the FBI is mulling over whether to send the security vulnerability to the White House for disclosure review.
The key question, the director said, is whether the FBI is “aware of a vulnerability, or did we just buy a tool and don’t have sufficient knowledge of the vulnerability’’ to launch the White House Vulnerability Equities Process, the policy it uses to decide whether to disclose details of security flaws.
When reading this story, I harkened back to the recent debate over the Cybersecurity Information Sharing Act (CISA) that was passed last fall, and included in the Omnibus bill in late December. After all, if the FBI is truly interested in promoting cybersecurity best practices (as director Comey has indicated) then surely this is a perfect use case for the newly minted law — passed only after a flurry of contention amongst privacy advocates.
Among other provisions, Section 103(a) of the bill states that the government “shall develop and promulgate procedures to facilitate and promote”:
- “the timely sharing of classified cyber threat indicators in the possession of the Federal Government with cleared representatives of relevant entities;
- the timely sharing with relevant entities of cyber threat indicators or information in the possession of the Federal Government that may be declassified and shared at an unclassified level;
- the sharing with relevant entities, or the public if appropriate, of unclassified, including controlled unclassified, cyber threat indicators in the possession of the Federal Government;
- the sharing with entities, if appropriate, of information in the possession of the Federal Government about cybersecurity threats to such entities to prevent or mitigate adverse effects from such cybersecurity threats”
Just to ensure we have all our definitions in proper order, Section 102(8) defines entities as including private companies. In Section 102(6), cyber threat indicator “means information that is necessary to describe or identify … a method of defeating a security control or exploitation of a security vulnerability” or “a security vulnerability, including anomalous activity that appears to indicate the existence of a security vulnerability.” This seems to imply that the FBI, in keeping with both the spirit and letter of this new law, is on the hook to share the security vulnerability with Apple.
Of course, the FBI could always default to the old trope of non-disclosure due to amorphous national security concerns. But that would seem to defeat much of the purpose of the impetus for “information-sharing,” which, after all, is a two-way street. If the private sector is going to be sharing cyber threat indicators with government agencies, it only seems fair (and appropriate, given the statutory text of CISA) to reciprocate — especially in this case, where the vulnerability in question relates to the security of commercial-grade consumer products (the iPhone).
If the FBI won’t press for disclosure, however, perhaps some of CISA’s supporters should be on the ramparts demanding it comply with the law.
No doubt then, those Senators who pushed for the passage of CISA (I’m looking at you, Burr and Feinstein) would back the need for the FBI to permit Apple to know of the particularities of this security flaw. After all, Sen. Feinstein touted that, among the bill’s many benefits, CISA would “allow companies and the government to voluntarily share information about cyber threats and the defensive measures they can implement to protect their networks.” Sen. Burr had similar words in the wake of CISA’s passage, pointing out that:
“American businesses and government agencies face cyber-attacks on a daily basis. We cannot sit idle while foreign agents and criminal gangs continue to steal Americans’ personal information as we saw in the Office of Personnel Management, Target, and Sony hacks.”
So true, Senator.
Let’s see if those elected representatives who pushed so hard for an information-sharing regime between government and the private sector are willing to stand behind their bill. Senator Feinstein and Senator Burr: tell the FBI to begin the review process necessary for disclosure of this vulnerability. If you truly support the bill you helped craft and hoist upon the American people, now’s the time to stand behind it.
Op-ed by Ryan Hagemann; originally in Medium