WPI’s Susan Landau On What the FBI Needs to Learn About Security

January 13, 2017

Landau testifies before Congress in March 2016.

It was a battle of security vs. security, as Susan Landau saw it. On the surface, it was about the fate of one encrypted iPhone. But for Landau, PhD, professor of cybersecurity policy at WPI, the stakes were far higher: the potential to put the private information

of millions of smartphone users at risk and the likelihood of undermining a powerful new security tool: using smartphones as trusted authenticators for accessing online information.


After the December 2015 attack on the Inland Regional Center in San Bernardino, Calif., the FBI recovered a smartphone used by the terrorists. The phone was encrypted and protected by a passcode. Knowing that attempting to break the code by brute force would result in the phone’s contents being deleted, the FBI won a court order directing Apple to write new software that would have given the agency the ability to circumvent the iPhone’s security safeguards. Apple contested the order, arguing that the software “would be the equivalent of a master key, capable of opening hundreds of millions of locks.”


The skirmish set the stage for a hearing before the U.S. House Judiciary Committee in March 2016, titled “The Encryption Tightrope: Balancing Americans’ Security and Privacy.” FBI director James Comey testified, as did Apple senior vice president and general

counsel Bruce Sewell. In her testimony, Landau argued that technology that keeps mobile devices secure is vital to national security and that instead of seeking to weaken those protections to make law enforcement investigations easier, Congress should invest in strengthening the FBI’s technological capabilities.


She countered the FBI’s argument that encrypted devices (which Comey called “warrant-proof spaces”) hinder the agency’s ability to investigate crimes. Landau says the FBI is looking at smartphones through a 20th century lens, a perspective that is particularly troubling given that companies like Facebook and Google (and even some high-level government agencies) are using smartphones as authenticators for logging into computers or accessing online accounts. Using smartphones to bolster login credentials (a favored target of hackers) can work only if smartphones, themselves, are secure, Landau noted. “We need 21st century techniques to secure the data that 21st century enemies — organized crime and nation-state attackers — seek to steal and exploit,” she said in her testimony. “Twentieth century approaches that provide law enforcement with the ability to investigate but also simplify exploitations and attacks are not in our national security interest. Instead of laws and regulations that weaken

our protections, we should enable law enforcement to develop 21st century capabilities for conducting investigations.”


She expanded on that theme in an essay published in Science magazine in June 2016, in which she wrote that the FBI’s efforts to weaken smartphone security reflect its outdated approach to investigating crime and its inadequate resources for conducting modern cyber investigations. Landau argued that the agency (which ultimately purchased a software tool for unlocking the San Bernardino terrorists’ iPhones) needs to invest in building up its own “21st century investigative savvy,” including creating “an investigative center with agents with deep technical understanding of modern communications technologies and computer science.”


With the ability to develop new surveillance approaches and tools matched to the latest advances in communications technologies, the agency will no longer need to seek to weaken the devices that people, corporations, and government agencies worldwide depend on to securely communicate, transact business, and transmit sensitive information.


The FBI’s attempt to force Apple to unlock a phone was part of a broader campaign for what the agency has called “exceptional access” to encrypted communications and, more recently, devices. Landau and 14 other pre-eminent experts on electronic security and privacy addressed the risks inherent in that pursuit in a July 2015 report, “Keys Under Doormats: Mandating Insecurity by Requiring Government Access to All Data and Communications.” They noted that not only is such access technically infeasible, it would actually increase the risk of foreign governments, criminals, and terrorists gaining access to confidential information, critical infrastructure, and government secrets.


The report and its authors were honored with the 2015 J.D. Falk Award from the Messaging Malware Mobile Anti-Abuse Working Group (M3AAWG) and a 2016 Pioneer Award from the Electronic Frontier Foundation. At the Pioneer Award ceremony, Landau spoke for the authors. A member of the Cybersecurity Hall of Fame and the author (with Whitfield Diffie, the inventor of public-key cryptography) of Privacy on the Line: The Politics of Wiretapping and Encryption (MIT Press 1998; revised in 2007), she recalled a 1997 report written by the same group that argued against an earlier attempt by the federal government to compromise the integrity of digital information in the name of security: the Clipper chip, promoted by the Clinton administration as a way to give the NSA back-door access to encrypted communication over telecommunications systems.


Any effort to give the government exceptional access will not only undo encryption and forward secrecy, but open the door for other law enforcement agencies, at all levels, as well as foreign governments with poor records on human rights and espionage to demand the same access. The fight about encryption, Landau said, “is, at its core, about freedom and liberty.”