29 March 2016

From Reagan's Cyber Plan To Apple Vs. FBI: 'Everything Is Up For Grabs'

Updated March 23, 2016

A pedestrian walks by an Apple store in New York City on Feb. 23. Protesters demonstrated against the FBI's efforts to require the company to make it easier to unlock the encrypted 

The heated debate between the FBI and Apple over the encryption of the iPhone used by Syed Rizwan Farook, one of the two people who massacred 14 people in San Bernardino in December, took an unexpected turn Monday when the FBI announced that a third party had come forward with a way to possibly unlock the phone without Apple's involvement.

Journalist Fred Kaplan tells Fresh Air's Terry Gross that the third party in question is "almost certainly a private security company that specializes in breaking into systems."

Kaplan, who writes about the history of cyberwar in his new book Dark Territory, has been following the Apple encryption debate closely in his Slate column War Stories. He says Apple's reputation for security made it "kind of inevitable" that a professional hacker firm would cooperate with the FBI in the effort to unlock Farook's phone.

But Kaplan speculates that the FBI may have some reservations about a third party's involvement in the issue. "My guess is ... they wanted to [proceed] with this court case where they thought they had a very good case to establish a new legal precedent for the FBI to get into these kinds of systems whenever they wanted," Kaplan says.

Fred Kaplan was a reporter for The Boston Globe for about 20 years. He is also the author of The Insurgents: David Petraeus and the Plot to Change the American Way of War.

Carol Dronsfield/Simon & Schuster

He adds that the case is about much more than Farook's phone. "I'm not really sure what they think is in this phone," he says. "My strong guess is that the phone has very little to do with it; it's the creation of a precedent for getting into other phones. In that sense, Apple's concerns have some validity."

Regardless of how the Apple encryption issue is resolved, Kaplan warns that we are increasingly living in an age of cyber vulnerability. "Our individual lives are out there on the net," he says. "It's there for anybody who has the talents and resources to pick it up. ... Everything is up for grabs."

Interview Highlights

On why Syed Rizwan Farook's phone is not necessarily a good example for the issue of cybersecurity and privacy

This is not a Fourth Amendment case. Not only did the county own the phone, but the county has given consent for the government to do whatever it wants with this phone. It's not a First Amendment case — it's not a privacy case, because the shooter is dead. You lose your privacy rights when you're dead.


The Secret History of Cyber War


Hardcover, 338 pages


It's not a good political optics case from Apple's point of view. This isn't some two-bit hustler or drug dealer. This is a mass murderer with alleged ties to an international terrorist organization. I don't know, to my mind, Apple has made a big mistake in pursing this as vigorously as they have. ...

I was talking last night with a former senior intelligence official, let's say, who put forth the theory that this outside party that's come up with a solution might, in fact, be someone put up by Apple, so they can avoid going to trial on this. I tend to doubt that. The consequences of that fact leaking would be devastating to Apple's commercial record, but it does give you a sense of how a lot of people in the industry, including I've found many people who agree with Apple on the principles, are puzzled why [Apple's CEO Tim] Cook is making such a big deal out of this test case, which they see as a bad case to propound his principles of privacy.

On Apple's past cooperation with the government

There have been about 70 occasions when Apple has submitted to requests or court orders by the Foreign Intelligence Surveillance Court to open up phones. This leads to a broader point, and a larger point about what this case is really about: Communications companies have cooperated or been complicit with law enforcement and intelligence going back nearly a century.

In the 1920s, a U.S. intelligence agency persuaded Western Union to give them access to every telegraph going in and out of the country. When telephones came along, there was a very active relationship with AT&T, both with the FBI and with the NSA to allow them to tap phones. In the Internet age, it's actually gotten even more interlocked.

If you're a company like, say, Microsoft or Cisco and you've got some products that you want to sell to the Defense Department, these products have to be vetted for security. Who vets them? A section of the NSA called the Information Assurance Directorate.

When Microsoft submitted its first Windows operating system to the NSA for vetting, this Directorate found 1,500 points of vulnerability. Then they helped patch a lot of these vulnerable points. Not all of them — they left a few open — so that when foreign governments or foreign entities bought this operating system, the NSA would know where to go hack them. Microsoft was fine with looking the other way on this. Even as recently as 2009 the Chinese hacked into Google's Chrome system, getting into its source code and the NSA helped Google patch up the flaw.

So what's really going on here, at bottom, is that the FBI wants to maintain this longstanding relationship, which was secret, pretty much secret, until Edward Snowden blew the whistle on it. They want to maintain this relationship, going into a new era of stronger encryption, whereas Tim Cook of Apple, who has long had misgivings about cooperating in general, wants to create a technology that disrupts, maybe even shatters this arrangement.

On how cyber defense was created, in part, because President Reagan sawWarGames, a 1983 movie about a teenager who unwittingly hacks into the main computer of the North American Aerospace Defense Command and almost triggers World War III

[Reagan is] up at Camp David on one of his five-day weekends in June of '83 and he watches a lot of movies. He watched WarGames. ... So Reagan's back in the White House the following Wednesday and there's a big national security meeting, not about this, it was about something else completely different. But at one point he puts down his index cards and he says, "Has anybody seen this movie WarGames?"

It had just come out, nobody had seen it. He launches into this very detailed plot description and people are looking around the room, raising their eyebrows, wondering "Where's this going?" So he turns to Gen. John Vessey who is the chairman of the Joint Chiefs of Staff and he says, "General, could something like this really happen?" And Vessey says, "I'll look into that Mr. President." And he comes back a week later and he says, "Mr. President, the problem is much worse than you think." This led, nine months later, to the writing of the first presidential directive on telecommunications and computer security. But then it took a side road.

As it happened, and as you might think is logical, the NSA essentially took over the writing of this directive and they wrote it so that the NSA would be in charge of setting security and standards for all computers in the United States, not just the government but everybody's. Well there were a number of people on Capitol Hill who didn't like that, so they changed it, but that was where it began.

If you read this directive ... it elevated cybersecurity, as it was later called, to a national political level. It raised the first tensions between privacy and national security, at least in this realm. It generated the first active struggles between the NSA and other agencies and branches of government. And so, the [stories] that we are seeing unfold in today's newspapers got their start with this bizarre incident watching WarGamesand then asking a question that made everybody in the room roll their eyeballs.

On a hack into Sheldon Adelson's casino network

In 2013 in a public forum, Obama's nuclear talks with Iran had just begun, and [Adelson] was asked what would you do about this? And he said, "My idea is to drop a nuclear bomb in the Iranian deserts and say, 'There. See that? This is what's going to happen to you if you maintain a hard line on these nuclear talks.' "

A few months later, in February of 2014, he fell victim, his whole hotel chain, fell victim to a massive cyberattack by the Iranian government and they wiped out hard drives, they hacked into Social Security numbers, to bank accounts, to client accounts, and they put up on the screens, "This is what happens when you talk about using weapons of mass destruction." The interesting thing about this attack, well first of all, this guy, he ran a $20 billion casino industry, his cybersecurity staff consisted of five technicians at the time. The second interesting thing about this is if you hack into a casino, you could steal a lot of money, right? These guys did not steal a dime. They didn't touch a dime. They were interested in sending a message, and in protesting a political statement.

So you could see this attack as the first instance when cyberweapons were used not for espionage, not to steal trade secrets, not for hacking into military networks and achieving some kind of advantage in future war, but to send a political message, to object to someone's politics. This was more famously followed just a few months later by North Korea's hack into Sony Pictures for putting out a movie that insulted their leader, Kim Jong-un. So this shows that we're entering a new phase of cyberwar, when anybody can be a target and for any number of purposes. It has become a tool of international relations broadly speaking.

On the NSA's "intrusive powers"

When the Chinese hacked into the federal employment records and the personnel records and made off with tens maybe hundreds of thousands of records of government personnel, Jim Clapper, the director of national intelligence, was asked about this attack in a hearing, a congressional hearing, and he said, "Well, I don't know if it was an attack. It was more an act of espionage, similar to the kinds of things we do too." ...

The Snowden revelations made a big splash probably more abroad than here, but here as well, because it seemed that the NSA was hacking into domestic communications as well. ...

What these people could do if all the legal restrictions were dropped. They just have amazingly intrusive powers. They can get into any network they want to get in — in fact this Apple case, if the NSA saw that this phone represented a national security threat, if there was something in this phone that they needed to get right away, the NSA could hack into this phone without Apple's cooperation. ... The fact that the NSA is not doing this, at this moment, they would have to go get something signed by the attorney general to do it, but the fact that they're not doing it suggests that they don't regard this phone as continuing anything that's terribly useful.

No comments: