Hacking against terrorism

Rather than seeking court orders, the government should transcend its culture to attract and retain the talent capable of leading the cybersecurity arms race.

The logo for the cyber hacking group ‘Anonymous’ is seen on computer screens. (photo credit: REUTERS)
The logo for the cyber hacking group ‘Anonymous’ is seen on computer screens.
(photo credit: REUTERS)
On March 1, 1994, an Arab terrorist, seeking revenge for the Hebron massacre of 29 Muslim worshipers by Baruch Goldstein, emptied two automatic weapons into a van full of yeshiva students driving across the Brooklyn Bridge. My son, 16-year-old Ari Halberstam, died in what the authorities insisted was a criminal act. It took nearly seven years to reclassify Ari’s murder as an act of terrorism.
The difference is critical. Criminals typically hope to benefit from the fruits of their crimes.
Terrorists typically seek spectacular ends; the survival of the individual is secondary to the promotion of the cause. The apprehension, incarceration or death of a single terrorist rarely eliminates the terrorist threat – as it might do to a mere criminal threat. Those fighting terrorism must leverage information to access terrorist cells or networks. The rapid development of technologies provides terrorists with a steady stream of new capabilities; the anti-terrorism authorities must be just as agile.
Four months ago, a couple gunned down an office party in San Bernadino. The FBI, recognizing Islamist terrorism, has focused on collecting information to help prevent further attacks. That focus has led the FBI into a dispute with Apple, whose only connection to the shooting was its sale of an iPhone to the shooter. Though Apple turned over all requested data within its possession, a standard security feature has the FBI stymied: If a user attempts 10 consecutive incorrect passwords, the iPhone concludes that it has fallen into unauthorized hands and wipes clean all of its data.
The FBI, understandably fearing that its attempts to retrieve the data on the terrorist’s cellphone would trigger this auto-erasure, asked Apple to circumvent it. Apple replied that it lacked the ability to do so. Apple also explained that such a master key to an iPhone “back door” might compromise all personal, financial, and governmental data transmitted through (or resident on) Apple devices.
It is not hard to imagine the damage that might arise if such a key fell into the hands of the next Edward Snowden; President Barack Obama recently identified cybersecurity as “among the most urgent dangers to America’s economic and national security.” Nevertheless, the FBI obtained a court order compelling Apple to develop the circumvention technology.
Apple opposed the order immediately, setting in play a debate that has gripped the technological and national security communities for more than a month.
The issues are profound. In addition to the national security concerns on both sides, the court order amounts to a seizure: It commandeers Apple’s time, money, and engineering talent to achieve an important government objective. The dangers inherent in ruling against either side mandate a way back from the precipice. Is there a way to fight terrorism and preserve cybersecurity without seizing private property? The answer goes to the heart of a culture clash. Cybersecurity is an arms race. The minute a new security protocol arises, the race to circumvent it begins. Each circumvention motivates the race for an improved protocol.
Only the best hackers can win those races – and those hackers do not work for the government.
Cybersecurity legend John McAfee highlighted the subtle anomaly in the FBI’s position: The full resources of the federal government are apparently insufficient to circumvent the iPhone’s security, yet the FBI believes that Apple can do it. McAfee volunteered his own services to do what the FBI cannot.
The government may indeed have adopted this one-time solution; the government has agreed to stay the injunction pending the contributions of an unnamed third party.
The deeper problem centers on incentives.
One of President Obama’s key proposals to improve the government’s cybersecurity capabilities involves the formation of an elite corps. To compete for top talent, the president suggested offering scholarships, student loan forgiveness, and relaxed dress codes.
McAfee, however, described a far larger gap between the incentives on offer and those needed: “The FBI will not hire anyone with a 24-inch purple Mohawk, 10-gauge ear piercings, and a tattooed face who demands to smoke weed while working and won’t work for less than a half-million dollars a year.”
On Ari Halberstam’s 22nd yahrzeit, the blood of all terrorism victims cries for advances on many fronts. New technologies enabling new attacks often require new laws, but law moves slowly; cultures and incentives must change faster. Apple should provide the authorities with all available assistance and access, but it should not have to divert private resources to fill a gap in government talent.
Rather than seeking court orders, the government should transcend its culture to attract and retain the talent capable of leading the cybersecurity arms race. A failure to do so risks disrupting the critical balance necessary to fight terrorism fully while preserving personal freedom, private property, and the other classically liberal tenets of the American system. Time is not on our side. And in a victim’s universe, it is a matter of life or death.
Devorah Halberstam is a recognized expert on terrorism and is responsible for anti-terrorism legislative initiatives in the US.
Bruce Abramson, a technology and IP lawyer, holds a PhD in computer science.