Why Digital Security Is An 'Arms Race' Between Firms And The Feds

by NPR Staff

Worcester Polytechnic Institute professor Susan Landau is sworn in alongside Apple General Counsel Bruce Sewell (left) and New York County District Attorney Cyrus Vance at a congressional hearing on encryption on March 1.
Worcester Polytechnic Institute professor Susan Landau is sworn in alongside Apple General Counsel Bruce Sewell (left) and New York County District Attorney Cyrus Vance at a congressional hearing on encryption on March 1. Samuel Corum / Anadolu Agency/Getty Images

The Apple-FBI standoff, where Apple is refusing to write special software that would help investigators crack into an iPhone of one of the San Bernardino shooters, is largely viewed as a battle between privacy and security.

At the high-profile congressional hearing on encryption last week, FBI Director James Comey argued that increasingly strong encryption is making smartphones "warrantproof." Apple's General Counsel Bruce Sewell testified that complying with the FBI's request would create a dangerous tool that the bad guys could abuse.

But Susan Landau, a professor of cybersecurity policy at Worcester Polytechnic Institute, presents another way of looking at the issue:

"(The FBI's) approach has been 'make it simple for us to investigate' instead of 'let's secure communications and devices, and we'll come up with a way to investigate whatever we need to,' " she tells NPR's Ari Shapiro.

She argues that the challenge shouldn't be to make data on iPhones or other devices easier for law enforcement to access — making it also easier for hackers or other governments to access — but to make devices as secure as possible, while funding the FBI's own development of better digital investigation tools.

Below are a few excerpts of Landau's conversation with Shapiro, in addition to the audio above.

Interview Highlights

On why letting Apple resist the FBI's request and urging the FBI to develop tools to access secured data aren't mutually exclusive

That's exactly the situation we've got with the National Security Agency. We know that the NSA breaks into devices and communications that the companies think are secure, and the companies work to make them more secure. I'm asking that the FBI develop that expertise, target it narrowly; when a technology company becomes aware that one of their systems is easy to break into, they then leapfrog and develop better technology.

Security is always an arms race of this sort. But if Apple develops the technology, it becomes a target.

On why the FBI having its own technology to crack into an iPhone is less of a risk than Apple building that technology

We know that the Chinese, the Russians, lots of our opponents are building this technology, too. Each time Apple improves the quality of its security, our opponents have to improve their (tools). So the FBI developing it is of course a security risk that Apple is going to counter. But it's less of a security risk than if Apple has it, where it's a central point for opponents to get into and then break phones that they target.

On what it would take for the FBI to develop the technology

They need expertise in telecommunications, from the physical layer all the way to the virtual layer, that is the computer layer. They also need deep expertise in computer science. They'll need teams of people who understand the different devices. They'll need to have people who understand the technology now, the technology in six months to two years from now and where communications technology is going in the two- to five-year period.

We're talking here of a budget of hundreds of millions, not billions — but not the $40 million that they're currently devoting.

On why the FBI can't just ask the NSA for help in the post-Sept. 11 information-sharing world

Information-sharing is different than technology-sharing. When the NSA builds technology, it doesn't want that technology showing up in court. If the NSA were to share its technology with the FBI, the FBI brings court cases and the technology would have to show up there. So yes, there'll be some duplicative effort, but you don't want the NSA technology in court.

Copyright 2016 NPR. To see more, visit NPR.

Transcript

ARI SHAPIRO, HOST:

For a broader look at this tension between Apple and the FBI, Susan Landau joins us now. She testified last week before the House Judiciary Committee on this issue, and she's a professor of cyber security policy at Worcester Polytechnic Institute. Welcome back to the show.

SUSAN LANDAU: Thanks very much.

SHAPIRO: Now, you've argued that Apple should resist creating the software that the FBI wants and also that the FBI should independently develop technology to get access to the information it's looking for. Explain how this is not contradictory to argue both those things at the same time.

LANDAU: Sure. Just think about the NSA. That's exactly the situation we've got with the National Security Agency. We know that the NSA breaks into devices and communications that the companies think are secure. And the companies work to to make them more secure. I'm asking that the FBI develop that expertise, target it narrowly. When a technology company becomes aware that one of their systems is easy to break into, they then leapfrog and develop better technology. Security is always an arms race of this sort.

SHAPIRO: If the NSA already has the ability to access this sort of stuff, why can't they just share with the FBI? Aren't we supposed to be in a post-9/11 age of information sharing across departments and agencies?

LANDAU: Information sharing is different than technology sharing. When the NSA builds technology, it doesn't want that technology showing up in court. If the NSA were to share its technology with the FBI, the FBI brings court cases, and the technology would have to show up there. So yes, there will be some duplicative effort, but you don't want the NSA technology in court.

SHAPIRO: If Apple giving into the FBI in this case would be, as you argue, a security risk, why is the FBI having technology to access the same information less of a risk?

LANDAU: We know that the Chinese, the Russians, lots of our opponents are building this technology, too. So the FBI developing it is, of course, a security risk that Apple is going to counter but is less of a security risk than if Apple has it where it's a central point for opponents to get into and then break phones that they target, phones that belong to important people, whether the CEO or the secretary to a CEO of an important company or an operator at a power plant and so on.

SHAPIRO: What would it take for the FBI to develop the kind of technology that you would like to see them have?

LANDAU: We're talking here of a budget of hundreds of millions, not billions but not the $40 million that they're currently devoting. Their approach has been, make it simple for us to investigate instead of, let's secure communications and devices, and we'll come up with ways to investigate where we need to.

SHAPIRO: The FBI does not seem to be reasonably looking at an increase of hundreds of millions of dollars in their budget. So is what you're proposing actually realistic?

LANDAU: Given the threats that we face in the United States - the theft of intellectual property, which the Department of Defense has called the greatest transfer of wealth in human history - I think there's no question that this is necessary as a national security initiative. That is, either we make it simple for the FBI to break in and we make it simple for our enemies, or we fund the FBI to do the investigations it needs to do and secure the devices and communications and protect the United States.

SHAPIRO: That's Susan Landau, professor of cyber security policy at Worcester Polytechnic. Thanks for joining us.

LANDAU: Thank you very much. Transcript provided by NPR, Copyright NPR.

300x250 Ad

More All Things Considered

300x250 Ad

Support quality journalism, like the story above, with your gift right now.

Donate