Back in February 2016, the FBI wanted very badly to see the contents of San Bernardino murderer Syed Farook’s iPhone. The Feds demanded that Apple engineer a back door to get around the iPhone’s security features. The U.S. Department of Justice invoked the All Writs Act of 1789 to try to compel Apple to open the smartphone. The law itself is very broad; some would say unconstitutionally broad: “The Supreme Court and all courts established by Act of Congress may issue all writs necessary or appropriate in aid of their respective jurisdictions and agreeable to the usages and principles of law.”
Tim Cook, the CEO of Apple, refused to comply. Apple said it might have the technical capability to obey the government’s order, but it was “something we believe is too dangerous to do.” Cook said if such a system were developed, the company would try to protect it from being released, but it “would be relentlessly attacked by hackers and cybercriminals.” Cook said: “The only way to guarantee such a powerful tool isn’t abused and doesn’t fall into the wrong hands is to never create it.”
The confrontation was defused when a third party got into Farook’s iPhone.
Fast forward to summer 2016. A group of hackers calling themselves The Shadow Brokers announced they had stolen a whole portfolio of hacking tools used by the National Security Agency. The story didn’t get much attention at the time. But in April 2017, The Shadow Brokers posted dozens of those NSA tools online. For the past two months, we’ve seen an increasing number of attacks by cyber-thieves using those stolen NSA hacking tools. As for the identity of The Shadow Brokers, the leading theory appears to be that it might have been an NSA insider. But at this point it is almost irrelevant. Today, anyone with a grudge and a modicum of programming skills has the ability to bring anyone they dislike to their knees.
In the last sixty days, those hacking tools have been used thousands of times to disrupt, extort and shut down U.S. allies, international businesses and critical health care systems. The cyberthieves have gone after some 2,000 global targets in more than 65 countries, including Merck, the American drug giant, Maersk, the Danish shipping company, and Rosneft, the Russian state-owned energy giant. The attack so crippled operations at a subsidiary of Federal Express that trading had to be briefly halted in FedEx stock. On June 27, the eve of Ukraine’s Constitution Day, commemorating the country’s first constitution after breaking away from the Soviet Union, attackers used those NSA-developed techniques to freeze computers in Ukrainian hospitals, supermarkets, and even the systems for radiation monitoring at the old Chernobyl nuclear plant.
Can you imagine the reaction if the Air Force allowed some of its most sophisticated missiles to be stolen and then we discovered an enemy was launching them against American allies and businesses? And then pretended the missiles didn’t exist, even as they were exploded in U.S. businesses? That’s what has happened and what is continuing to happen.
It’s morally abhorrent that the NSA built tools around unreported flaws in computer operating systems, instead of reporting the flaws so they could be patched. But that will have to be the focus for another blog post.
What’s completely clear from this chain of events is that the U.S. government cannot be trusted to keep cyber secrets. Tim Cook was exactly right: The only way to guarantee that a powerful hacking tool isn’t abused and doesn’t fall into the wrong hands is to never create it.