Good cybersecurity protects private information from being accessed by an outside source. However, when that outside source is an intelligence agency and the private information is critical to an investigation, shouldn’t there be a way to quickly access it?
FBI Director Christopher Wray essentially asked that question during a speech he gave at a cybersecurity conference last month at Fordham University. According to Wray, the FBI couldn’t access the contents of 7,775 electronic devices it seized for investigations in 2016 because the machines were protected by secure passwords. Furthermore, the companies that made the devices refused to assist the Bureau with accessing the information, despite the fact that agents had court orders allowing them to do so.
One need only look at the 2015 case of the San Bernardino shooters as an example. The FBI wanted to access information they believed was on one of the shooter’s iPhones, but Apple refused to assist agents with unlocking the devices by bypassing the codes, despite repeated requests. Apple said it couldn’t unlock the iPhones itself because to do so would jeopardize the security of all of its users. The FBI eventually turned to a third party vendor to unlock the phone, so agents could analyze its contents.
Accessing electronic evidence is more critical to federal criminal and terrorism cases than ever before. Cell phones, tablets and computers have replaced traditional phone calls and letters as the primary means of communication for criminals and terrorist cells. As encryption apps and passwords become more secure, it gets more difficult for agents to access information that is essential for their investigations. Even if they are armed with court orders demanding access to the electronic information, agents still need the cooperation of the tech companies who created the devices and the apps to get into them because they’re the ones who would likely know how to get around the encryption codes. Hiring a third party, as the FBI did, creates a security risk because it allows an outside source access not only to the devices, but also to the federal agency that hires it.
The fact that the FBI could not access the contents of nearly 8,000 electronic devices because of encryption codes – more than half of the total amount of devices it seized in 2017 – is indicative of how high-tech companies can influence the arc of an investigation. Companies could conceivably build in access points for local, state and federal authorities to get around the encryption codes faster and access the information, but they have argued that doing so would also allow hackers to access everyone’s devices.
Without these access points, agents are left to either attempt to break the codes themselves or look to an outside source to gain access. This can significantly lengthen the time of the investigation, which could lead to national security risks in some extreme cases. If the crime involves a terrorist cell, spending months trying to access encrypted information could mean the difference between squashing a potential attack and having an attack happen.
This has been – and will continue to be – a problem until agencies such as the FBI have a meaningful discussion with high-tech companies to resolve the matter. There must be a balance between cybersecurity and national security.
Chuck McCullough is the head of Tully Rinckey PLLC’s National Security Practice Group, based in Washington, D.C. McCullough is the former Inspector General for the United States Intelligence Community.