The Cable

The Cable goes inside the foreign policy machine, from Foggy Bottom to Turtle Bay, the White House to Embassy Row.

FBI Confirms it Won’t Reveal iPhone Exploit to Apple

The bureau says it has too little information about the exploit used to hack the San Bernardino gunman's device.

GettyImages-524458868crop
GettyImages-524458868crop

Unable to penetrate the iPhone of San Bernardino shooter Syed Rizwan Farook, the FBI turned to a hacking firm to bypass its security measures and break into the device. But the bureau won’t tell Apple how, saying it doesn’t know enough about the hacking tool to be helpful to the company.

In a statement Wednesday, Amy Hess, the FBI’s top scientist, said the bureau has little information about the tool it paid more than $1.3 million to acquire and unlock Farook’s iPhone 5c. She said the FBI did not “purchase the rights to technical details about how the method functions, or the nature and extent of any vulnerability upon which the method may rely in order to operate.”

The Justice Department had sought a court order demanding that Apple undermine the phone’s security features. When Apple resisted the order it sparked a national debate about the government’s ability to access encrypted data. The government dropped its case after being contacted by a still-unidentified third party that provided the ability to access the phone surreptitiously.

Unable to penetrate the iPhone of San Bernardino shooter Syed Rizwan Farook, the FBI turned to a hacking firm to bypass its security measures and break into the device. But the bureau won’t tell Apple how, saying it doesn’t know enough about the hacking tool to be helpful to the company.

In a statement Wednesday, Amy Hess, the FBI’s top scientist, said the bureau has little information about the tool it paid more than $1.3 million to acquire and unlock Farook’s iPhone 5c. She said the FBI did not “purchase the rights to technical details about how the method functions, or the nature and extent of any vulnerability upon which the method may rely in order to operate.”

The Justice Department had sought a court order demanding that Apple undermine the phone’s security features. When Apple resisted the order it sparked a national debate about the government’s ability to access encrypted data. The government dropped its case after being contacted by a still-unidentified third party that provided the ability to access the phone surreptitiously.

Indeed, U.S. agencies such as the FBI and the National Security Agency routinely exploit computer vulnerabilities to carry out investigations and collect intelligence. But doing so raises an ethical question for the government: Should it disclose a vulnerability to a software or hardware manufacturer?

That decision can carry profound consequences for individuals both in the United States and abroad, as such vulnerabilities can put the data of millions of individuals at risk. Just as the government’s investigatory and intelligence arms have an interest in using computer vulnerabilities for investigations and spying, other branches responsible for cybersecurity have a competing interest in promoting a secure Internet.

To weigh these competing priorities, the Obama administration has established what it calls the “vulnerabilities equities process,” which brings together different agencies to consider whether the government has an overriding interest in keeping an exploit secret– or disclosing it to a tech company.

This month, the FBI made its first disclosure to Apple through that process, Reuters reported Wednesday.

In a 2014 blog post, White House chief cybersecurity advisor Michael Daniel outlined general guidelines for when the government will disclose a computer vulnerability. The government, he said, weighs the risk to critical infrastructure like power plants and banks against the value of the intelligence that would be obtained from the hack — and whether the information could be collected in other ways. Officials also consider whether the vulnerability can be fixed before it is revealed.

The lack of technical information about the San Bernardino vulnerability means the government cannot answer these questions, Hess said in her statement.

Photo credit: YURI GRIPAS/AFP/Getty Images

Twitter: @EliasGroll

More from Foreign Policy

A Panzerhaubitze 2000 tank howitzer fires during a mission in Ukraine’s Donetsk region.
A Panzerhaubitze 2000 tank howitzer fires during a mission in Ukraine’s Donetsk region.

Lessons for the Next War

Twelve experts weigh in on how to prevent, deter, and—if necessary—fight the next conflict.

An illustration showing a torn Russian flag and Russian President Vladimir Putin.
An illustration showing a torn Russian flag and Russian President Vladimir Putin.

It’s High Time to Prepare for Russia’s Collapse

Not planning for the possibility of disintegration betrays a dangerous lack of imagination.

An unexploded tail section of a cluster bomb is seen in Ukraine.
An unexploded tail section of a cluster bomb is seen in Ukraine.

Turkey Is Sending Cold War-Era Cluster Bombs to Ukraine

The artillery-fired cluster munitions could be lethal to Russian troops—and Ukrainian civilians.

A joint session of Congress meets to count the Electoral College vote from the 2008 presidential election the House Chamber in the U.S. Capitol  January 8, 2009 in Washington.
A joint session of Congress meets to count the Electoral College vote from the 2008 presidential election the House Chamber in the U.S. Capitol January 8, 2009 in Washington.

Congrats, You’re a Member of Congress. Now Listen Up.

Some brief foreign-policy advice for the newest members of the U.S. legislature.