FBI: Zero days aren’t ‘scalable’ enough for law enforcement
Predicting and preparing for tomorrow’s criminal is a critical component of FBI Director James Comey’s job. In this vein, Comey explained to a group of lawmakers last week that it would be impractical for the bureau to repetitively rely on contractors to hack into locked smartphones that contain important evidence.
Instead, the FBI will need to develop its own capabilities and to work with private sector partners, Comey said during a House Judiciary Committee hearing.
Simply put, the FBI’s high profile solution to access data stored on the San Bernardino shooter’s locked iPhone is not scalable. One could argue, for instance, that the costs are too great for the bureau, the public relations battle is too precarious and the capabilities are too valuable to outsource in the future.
“I’ve asked for more money in the ’17 budget, trying to invest in building those capabilities, so when we really need to be able to get into a device, we can. It’s not scalable, and I’m not sure it would be thrilling to companies like Apple to know we’re investing money to try and figure out how to hack into their stuff,” said Comey.
Prepared testimony shared with the committee prior to the hearing also speaks to some of the broader challenges faced by the FBI in its efforts to seize digital evidence. The growing prevalence of encryption-laden commercial communications products — allowing some criminals “go dark” or operate in hidden, surveillance-deterrent forums — poses a significant obstacle for agents to overcome during the course of an investigation, law enforcement officials say.
“The real challenge is in using those [hacking] techniques in the bulk of our work. Because it becomes public and exposed,” Comey said in response to a question levied by Rep. Darrell Issa, R-Calif.
Privacy and digital rights advocates have long warned that creating and then using exploits to break into popular commercial products effectively degrades the basic security of software used by countless consumers.
Prominent advocacy groups like the Electronic Frontier Foundation and Access Now have also warned that such software exploits could be readily stolen by malicious actors, who may then use the tools for nefarious purposes, including surveillance and blackmail.
“Though the administration has decided not to seek a legislative remedy at this time, we will continue the conversations we are having with private industry, State, local, and tribal law enforcement, our foreign partners, and the American people. The FBI thanks the committee members for their engagement on this crucial issue,” Comey’s written testimony for the committee reads.
Whether the answer to Comey’s encryption hurdle is policy, talent, tools, great collaboration with the private sector or all of the above, remains to be seen.
Recent reports have suggested that the FBI and House Homeland Security Committee are among a group of parties that will urge Congress in early 2017 to pursue a legislative, at least partial, remedy to their encryption issue.