The U.S. Federal Bureau of Investigation (FBI)’s desire to have the world’s most popular smartphone creator build a backdoor is a politically charged one, but enterprises should focus on how it might affect their own business from a security risk perspective.
That was the overarching advice of Pete Lindstrom, vice president of security research for IDC’s IT executive programs. In a recent webinar, he described the Apple vs. FBI situation as the second round of crypto wars he has seen in a 25-year career that includes experience as a security auditor.
The law enforcement agency’s recent request for Apple to create a backdoor to its iconic iPhone in order to solve a high-profile shooting prompted Apple to take a stand, Lindstrom said. “That’s when all the brouhaha started.”
Since then, the FBI says it’s been able to gain access to the phone without Apple’s help, while the controversial proposed Burr-Feinstein Encryption Bill would require device manufacturers, software developers, ISPs, online services and others to decrypt encrypted data or offer “such technical assistance as is necessary” if ordered to do so by any court anywhere in the country.
Lindstrom acknowledges there are lots of opinions in the security field and would prefer to leave the legal elements to the lawyers. His focus is on understanding the risks to IT based on four possible scenarios, and on whether Apple customers would ultimately be exposed to a greater risk of attack should Apple be required to offer some avenue for law enforcement to gain access to devices. “We need to figure out how to assess the risk and understand the impact.”
The first scenario, said Lindstrom, would be the status quo, and he pointed out that this means we have already accepted a certain level of risk, which provides a baseline. The second scenario is that Apple assists the FBI with a custom software update for that particular phone. The third is that the FBI is able (and already has been able) to hack the phone in question, thereby potentially being able to hack other phones. And, finally, that Apple and other smartphone makers would be required to build a backdoor specifically for law enforcement.
Lindstrom has devised five steps to IT adversarial risk management: identify the unwanted outcomes; estimate the risk; determine the protection options; conduct economic analysis; and implement controls. While all four are applicable, he recommended IT departments focus the most on estimating the risk of the various possible scenarios.
It’s never possible to eliminate or ignore risk, said Lindstrom; it’s about managing it and living with it. Regardless of the specific situation involving Apple, adding users and administrators to any system always increases risk because it creates a larger attack surface. And exposing vulnerabilities can actually expose you to broader attack.
Mobile devices are different from other enterprise systems when it comes to vulnerabilities, which are made possible through five main avenues: the physical form factor; the service provider; the operating system, including the update process; user behaviour; app stores, which are a system that’s fairly unique to the mobile world as compared with other IT environments where the process is more controlled; and the apps themselves.
When you factor in the possibility of law enforcement or other organizations with legal power getting additional access, Lindstrom said organizations need to decide from their own perspective whether it increases risk under each of the four potential scenarios. The danger, he said, is that Apple providing a custom software update for a single phone could put other phones at risk, even if the FBI claims it would never leak out to a larger environment. “I would rather have the software maker controlling the process.”
Ultimately, Lindstrom believes that vulnerability increases any time more source code or complexity is added. He also feels the term “backdoor” is driving a lot of the contention, as there are a number of ways data can be accessed that are not backdoor-like. He added that providing third-party access to IT systems in the enterprise is fairly routine, and that the proposed bill is not prescriptive in terms of how access is gained.
“One of my disappointments in this whole process is how brittle the technical community has been,” said Lindstrom. He said everyone is too up in arms about the prospect of backdoor access and all of the negative connotations that come with it. “There are ways to provide protection that are not being considered because the technical community doesn’t want backdoors.”
Given that third-party access is often standard from an enterprise perspective, “Government risk is additive but it doesn’t have to be exorbitant,” said Lindstrom. “Technical risk is increasing but it’s not catastrophic.”