FBI Tech Boss: Govt. Hacking Won’t Solve Encryption Crisis
Amy Hess, the FBI’s executive assistant director for science and technology, says the bureau lacks the chops to consistently hack devices.
Unable to pull data from an iPhone belonging to one of the San Bernardino killers, the FBI borrowed a technique from the digital criminal underworld and got someone to hack the device for them.
But speaking to lawmakers Tuesday, the FBI’s top science official said that such hacking techniques aren’t a viable long-term solution for what is emerging as one of law enforcement’s biggest challenges: the widespread availability of sophisticated encryption technology that makes it harder to intercept the communications of would-be terrorists or to investigate crimes after they’ve occurred.
In an exchange with Rep. Diana DeGette (D-Colo.), Amy Hess, the FBI’s executive assistant director for science and technology, said the government lacks the ability to consistently break into encrypted phones, computers, and other devices.
“These types of solutions that we do employ, they require a lot of high-skilled, specialized resources that we may not have immediately available to us,” Hess said in testimony before the House Subcommittee on Oversight and Investigations. Instead, she argued that companies should be able to provide the FBI with clear-text copies of data when presented with a court order.
The FBI had sought a court order compelling Apple to undermine the security features of the gunman’s phone and sparked an intense legal battle in doing so. But the bureau backed down when an “unidentified third-party” came forward with a solution for hacking the device. The FBI has refused to disclose exactly how it cracked the iPhone belonging to Syed Rizwan Farook and has only said that it relied on an “unidentified third-party” to hack the device and extract the data.
Some computer experts argue that such government hacking may represent a way for the FBI and other law enforcement agencies to get access to data they seek without requiring that companies backdoor their own encryption. Draft legislation in the Senate would require companies to be able to provide clear-text copies of data when served with a court order asking for it, and computer security experts are concerned that such proposals would have devastating consequences for computer security.
Even as her investigators have been deluged in data, Hess’s Operational Technology Division, with a budget somewhere between $600 million and $800 million — the bureau won’t disclose the exact figure — has struggled to cope with the spread of encryption technology. On Tuesday, Hess effectively said her bureau lacked the ability to up its hacking game even if it was given more money to do so.
Asked whether the government might be able to get around suspects’ use of encryption more consistently if the FBI received more resources to carry out hacking, Hess said she doubted that was possible. “We really need the cooperation of industry,” she said.
In saying Tuesday that she doubts the bureau will be able to develop in-house hacking abilities, Hess acknowledged that the FBI will continue to rely on outside contractors to hack devices in cases where companies aren’t able to help.
Law enforcement officials have said they are facing significant obstacles as a result of suspects increasingly relying on encrypted forms of communication and storage. FBI Director James Comey has said that his agents’ investigations are increasingly “going dark” as a result of suspects – both ordinary criminals and terrorists – using encrypted tools.
Michael Rogers, director of the National Security Agency, has said that encrypted messaging tools were used by the Islamic State operatives who carried out November’s attacks in Paris and that their use of that technology made it harder for authorities to foil the plot.
In the San Bernardino case, Apple assisted the FBI in providing data from Farook’s phone that had been backed up to the company’s iCloud service. The company was unable, however, to decrypt data stored on the phone and not backed up to the cloud.
To better protect customer information, the company allows users to encrypt data stored on the phone using its pass code. Without the pass code, Apple does not have the ability to provide such data to law enforcement when served with a warrant.
There have been conflicting reports on whether the FBI was able to obtain any useful information from Farook’s phone. CBS reported last week that nothing significant was found on the device. CNN reported Tuesday that hacking the device “has helped the investigators answer some remaining questions in the ongoing probe.”
Hess testified alongside Charles Cohen, the commander of the office of intelligence and investigative technologies of the Indiana State Police, and Thomas Galati, the head of the New York City Police Department’s intelligence bureau. Galati and Cohen said the widespread availability of encryption technology had undermined their agencies’ ability to investigate and solve crimes, including child pornography, police shootings, and drug cases.
In testimony alongside a group of cryptography experts following the law enforcement panel, Apple General Counsel Bruce Sewell angrily rebutted several claims leveled at his company during the day’s testimony. Contrary to claims by Cohen, the Indiana police official, Sewell said his company had not turned over the source code for its mobile operating system to China. Sewell said that Apple had been asked to do so within the last two years and had refused.
Sewell also said Cohen was incorrect in claiming that Apple has announced plans to fully encrypt its iCloud service. Data stored on that service has been turned over to law enforcement, and encrypting it would close one of the main ways in which Apple cooperates with law enforcement requests for data.
In instances where the FBI is unable to access encrypted data, Hess acknowledged that the FBI sometimes relies on vulnerabilities in software and hardware to get around security features on phones, computers, and other devices.
At the same time, Hess said the Internet also provides the government with additional tools to investigate crimes. The so-called Internet of Things – the connection of ordinary devices such as cars and toasters – offers law enforcement additional sources of data and ways to investigate crimes, Hess said.
“The haystack has gotten bigger, but we are still looking for the same needle,” Hess said.
Photo credit: SAUL LOEB/AFP/Getty Images