Enterprises should take a step back to decide what Apple vs. the FBI means to them

The U.S. Federal Bureau of Investigation (FBI)’s desire to have the world’s most popular smartphone creator build a backdoor is a politically charged one, but enterprises should focus on how it might affect their own business from a security risk perspective.

That was the overarching advice of Pete Lindstrom, vice president of security research for IDC’s IT executive programs. In a recent webinar, he described the Apple vs. FBI situation as the second round of crypto wars that he has seen in 25-year career that includes experience as a security auditor.

The law enforcement agency’s recent request for Apple to create a backdoor to its iconic iPhone in order to solve a high profile shooting prompted Apple to take a stand, Lindstrom said. “That’s when all the brouhaha started.”

Since then, the FBI says it’s been able to gain access to the phone without Apple’s help, while the controversial proposed Burr-Feinstein Encryption Bill would require device manufacturers, software developers, ISPs, online services and others to decrypt encrypted data or offer “such technical assistance as is necessary” if ordered to do so by any court anywhere in the country.

Lindstrom acknowledges there are lots of opinions in the security field and would prefer to leave the legal elements to the lawyers. His focus is on understanding the risks to IT based on four possible scenarios and whether Apple customers would ultimately be exposed to a greater risk of attack should it be required to offer some avenue for law enforcement to gain access to devices. “We need to figure out how to assess the risk and understand the impact.”

The first scenario, said Lindstrom, would be the status quo, and pointed out that means we have already accepted a certain level of risk, which provides a baseline. The second scenario is that Apple assists the FBI with a customer software update for that particular phone. The third is that the FBI is able (and already has been able) to hack the phone in question, thereby potentially being able to hack other phones. And, finally, that Apple and other smartphone makes be required to build a backdoor specifically for law enforcement.

Lindstrom has devised five steps to IT adversarial risk management: identify the unwanted outcomes; estimate the risk; determine the protection options; conduct economic analysis; and implement controls. While all four are applicable, he recommended IT departments focus the most on estimating the risk of the various possible scenarios.

It’s never possible to eliminate or ignore risk, said Lindstrom, it’s about managing it and living with it. Regardless of the specific situation involving Apple, adding users and administrators to any system always increases risk because it creates larger attack surfaces. And exposing vulnerabilities can actually expose yourself to broader attack.

Mobile devices are different than other enterprise systems when it comes to vulnerabilities, which are made possible through five main avenues: the physical form factor, the service provider, the operating system, including the update process; user behaviour; app stores, which a system that’s fairly unique to the mobile world as compared with other IT environments where process is more controlled; and, the apps themselves.

When you factor in the possibility of law enforcement or other organizations with legal power getting additional access, Lindstrom said organizations need to decide from their perspective if it increases risk depending on the four potential scenarios. He said the danger of Apple providing a custom software update for a single phone could put other phones at risk even if the FBI claims it would never leak out to a larger environment, for example. “I would rather have the software maker controlling the process.”

Ultimately, Lindstrom believes that vulnerability increases any time more source code or complexity is added, and he also feels the term “backdoor” is driving a lot of the contention, as there are a number of ways data can be accessed that are not backdoor-like, adding that providing third-party access to IT systems in the enterprise is fairly routine, and that the proposed bill is not prescriptive in terms of how access is gained.

“One of my disappointments in this whole process is how brittle the technical community has been,” said Lindstrom. He said everyone is too up in arms about the prospect of backdoor access with all of the negative connotations that comes with it. “There are ways to provide protection that are not being considered because technical community doesn’t want backdoors.”

Given that third party access is often standard from an enterprise perspective, “Government risk is additive but it doesn’t have to be exorbitant,” said Lindstrom. “Technical risk is increasing but it’s not catastrophic.”

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Gary Hilson
Gary Hilson
Gary Hilson is a Toronto-based freelance writer who has written thousands of words for print and pixel in publications across North America. His areas of interest and expertise include software, enterprise and networking technology, memory systems, green energy, sustainable transportation, and research and education. His articles have been published by EE Times, SolarEnergy.Net, Network Computing, InformationWeek, Computing Canada, Computer Dealer News, Toronto Business Times and the Ottawa Citizen, among others.

Featured Article

ADaPT connects employers with highly skilled young workers

Help wanted. That’s what many tech companies across Canada are saying, and research shows that as the demand for skilled workers...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now