At first glance, it seems like a case of turnabout being fair play when the Federal Bureau of Investigation (FBI) announced on April 27 that it would not tell Apple how it got into terrorist Syed Farook’s iPhone 5C, which was recovered by authorities following Farook’s December killing rampage in San Bernardino, Calif.
After all, the wording used by FBI Executive Assistant Director Amy Hess seems similar to how Apple said it couldn’t help the FBI in the first place.
In a statement provided to eWEEK by the FBI National Press Office, Hess, who is the executive assistant director for Science and Technology, said the agency has determined it cannot submit the method used to the Vulnerabilities Equities Process (VEP), a method sponsored by the White House to allow federal agencies to tell technology makers about vulnerabilities uncovered during the course of their activities.
The VEP is itself classified, but the Electronic Frontier Foundation was given a redacted version as part of a Freedom of Information Act request.
“The VEP is a disciplined, rigorous and high-level interagency decision-making process for vulnerability disclosure that helps to ensure that all of the pros and cons of disclosing or not disclosing a vulnerability are properly considered and weighed. By necessity, that process requires significant technical insight into a vulnerability,” Hess said in her statement.
The FBI can’t provide the required information to the VEP because it doesn’t actually have the information it would be required to submit, according to the agency. While this might sound like the FBI is pulling a fast one, it’s probably true.
Note that a few days ago, FBI Director James Comey told an audience that his agency had hired a company to retrieve the information at a cost of more than he’d make in the rest of his time at the FBI.
If you multiply his $182,000 per-year salary by the seven years he has remaining in his appointment, the cost to the FBI is at least $1.3 million. Let’s face it, when a company can pull down well over a million bucks in a single job, it’s not going to give away the details.
So it’s highly likely that the FBI had to sign a non-disclosure agreement. While the agency didn’t spell this out, it was clear in Hess’ statement. “The FBI assesses that it cannot submit the method to the VEP. The FBI purchased the method from an outside party so that we could unlock the San Bernardino device,” Hess explained.
FBI Follows Apple’s Example, Says It Doesn’t Have iPhone Hack Info
“We did not, however, purchase the rights to technical details about how the method functions, or the nature and extent of any vulnerability upon which the method may rely in order to operate. As a result, currently we do not have enough technical information about any vulnerability that would permit any meaningful review under the VEP process,” Hess’ statement sad.
Normally the FBI doesn’t comment on such things, Hess noted, but since Comey had discussed the issue in public and because it had such high visibility, she felt that some explanation was needed.
However, perhaps in an attempt to show the FBI still believes in the VEP process, the agency did tell Apple on April 14 that it had discovered a security bug in earlier versions of iOS that had been patched with iOS 9. A similar bug existed in OS X, which also has been patched. Apple, it seems, had already known about the bug before the FBI said anything.
So, while the FBI did in fact, use the VEP to alert Apple about a vulnerability, it came far too late for Apple to actually use it. Unfortunately, this is likely to remain a problem for the federal government because of the competing demands for vulnerability information.
On one hand, it’s important to the government to make sure that U.S. interests are as safe as possible from exploitation by criminals or foreign actors.
However, the intelligence community uses those same vulnerabilities as part of its toolkit for fighting crime and for gathering information from unfriendly foreign powers. If the government tells the tech community about a vulnerability too soon, that vulnerability can’t be used if the owner of the code promptly patches it.
You can see the obvious conflict. For the most part, the intelligence community is going to take advantage of software flaws as long as possible, which means that disclosing it will take some time.
While the tech industry should welcome any information it gets through the VEP—if only as confirmation that everything was found—it should not depend on it as any sort of early warning. That needs to come the same way it always has: through research and through user reports.
Apple, meanwhile, will have to find the particular vulnerability the old-fashioned way: It will have to hire the same company to reveal it. But considering what that company is being paid right now, you can assume the results will be very expensive and not very timely.