In nearly every great movement in history, there is a moment in which the proverbial tide turns. For CISOs trying to convince their higher-ups to invest in encryption and cybersecurity programs, that moment came when the FBI tried to force Apple to crack open an iPhone 5c used by one of the San Bernardino shooters. And Apple refused.
That case, and others like it, sparked pushback from tech companies, privacy advocates and consumers, but also caught the attention of executives and vaulted IT security front and center, prompting CEOs and other top management to take crash courses to better understand the issues surrounding encryption and IT security technology.
Before Apple and the FBI squared off, frustrated IT staffs bent over backwards to explain to executives the importance of security and scrambled to find creative ways to lobby for its inclusion into the budget. But the high-profile clash, which currently finds the two sides momentarily in uneasy détente, has educated many execs who didn't know what encryption was, says Todd Bell, global CISO at Forticode, a software provider for authentication services. “A lot of novices are knowledgeable now about encryption and that's a good thing,” Bell adds.
Todd Bell, global CISO, Forticode
Stephen Holmes, director, corporate communications, Home Depot
Janet Bishop-Levesque, CISO, RSA, the security division of EMC
Kurt Opsahl, deputy executive director and general counsel, Electronic Frontier Foundation
Bob West, CISO, York Risk Services, CareWorks Tech
Janet Bishop-Levesque, CISO at RSA, the security division of EMC, says there was a lot of buzz about the Apple-FBI case at the RSA Conference this past spring. “What's interesting is that it hasn't just been people in the encryption business having the dialogue on stronger encryption,” she says. “Plus, I think high-profile actions like Amit Yoran, the president of RSA, recently testifying before the House Energy and Commerce Committee, helps bring a lot of attention to the need for strong encryption.”
Bob West, CISO at York Risk Services at CareWorks Tech, says that the Apple-FBI case has validated what he has been telling top management about encryption and IT security for the past several years. “The case underscored that we have to be vigilant in terms of protecting information and it demonstrated that our encryption policies have to be strong if not stronger,” he explains.
West adds that his firm along with many others will need to re-evaluate its polices around the issue of cooperating with law enforcement authorities. While some companies have clear policies on how they respond to authorities, many don't.
Other experts already have policies in place. Stephen Holmes, the director of corporate communications at Home Depot, says there's really no question about his company's policy. “If the FBI asks us if a person bought XX to conduct XX crime, we cooperate,” he says. “We even pull CCTV footage for authorities.”
However, he adds, the tough part with the mobile device angle for a lot of companies is that the overall environment continues to ratchet up security and security training for devices. “It would be hard to say that the most recent privacy events with Apple have made it any more important or aggressive because we're already extremely aggressive.”
Increased security focus
Kurt Opsahl, deputy executive director and general counsel of the Electronic Frontier Foundation, agrees with Holmes that companies need to increase their security, but not necessarily because of the Apple-FBI case. “As John Oliver put it so well, computer security is like dancing at the lip of a volcano,” Opsahl says. “Without constant investment in computer security, a company risks falling behind, falling into that volcano. All the Apple-FBI case really illustrated is that security is hard, and even Apple, with all its resources, was unable to make a phone that couldn't be broken.”
Therefore, Opsahl says all companies should be looking hard at IT support for security, making BYOD policies that manage risk and training staff on security practices, especially anti-phishing. “They needed to do that before the Apple case, and they need to now,” he says.
John Kindervag, a vice president and principal analyst who focuses on security at Forrester, says that the Apple-FBI case was essentially a non-issue for corporate IT. “I'd say it was important for tech companies and for people who focus on privacy issues, but no so much at the IT staff level,” Kindervag says. “For the most part, it's business as usual.”
And as for companies changing their BYOD policies, he doesn't believe they can. “For the most part, that ship has sailed. What are companies going to do, not have BYOD policies?”
One tactic that really hasn't caught on has been for organizations to stop buying iPhones. When the Apple-FBI case first broke, Maricopa County (Arizona) Attorney Bill Montgomery announced that because Apple refused to cooperate with authorities his office would not purchase iPhones.
Jerry Cobb, a spokesman for the county attorney's office says even with the Apple-FBI case being resolved their office has continued its policy of not purchasing new iPhones.
“We run about 366 iPhones and we've decided that as those devices are replaced we will not be replacing them with an iPhone, and as new employees come on board an iPhone won't be an option,” Cobb says.
Of course, if you look around the country, few if any other organizations have made news in quite the same way. If anything, many organizations are in solidarity with Apple and feel the FBI overstepped its bounds.
“I'm really more concerned about the state having too much power,” says West. “If we start giving information to the U.S. government then why not the Chinese or the Russian governments? And once you've created a backdoor it's out there.”
Forticode's Bell (left) adds that entrusting the U.S. government to keep the backdoor keys safe makes him very nervous. Citing the high-profile OPM hack of last year, he says: “If the U.S. government can't keep its own house in order how could it keep the encryption keys safe?”
All eyes are now on the fate of the encryption legislation introduced in early spring by Senators Dianne Feinstein (D-Calif.) and Richard Burr (D-N.C.). Dubbed the Compliance with Court Orders Act of 2016, the legislation would require technology firms to decrypt customer data at a court's request.
Members of Congress on both sides of the aisle have called the proposed bill “anti-encryption” legislation, so any hopes for a resolution on encryption in a presidential election year remain doubtful.
RSA's Bishop-Levesque (right) says more than likely organizations will strengthen their defense-in-depth efforts and improve education so employees are more involved with making decisions on security. “It's gotten to the point where we can't protect everything,” Bishop-Levesque says. “What we want to move is having users prioritize what's important. The owners of the data know best what's important to the organization, so we'll work with them to run an asset classification exercise and better understand the risk to the data. It's just no longer possible to protect everything at the same level.”
The truth is that we don't know what the full impact of the Apple-FBI case will be just yet. This much we know: Apple's refusal to cooperate with the FBI was a “line-in-the-sand” moment for privacy advocates. Whether it was done more for marketing purposes as opposed to privacy principles will be debated for years. The Apple-FBI case stands as one in a long string of incidents that's heightened encryption and IT security issues for all types of organizations. Given the ever-evolving threat landscape, it's unlikely that we'll ever go back to the days of IT security being just a mere insurance policy.
Privacy: Three Questions
When the Electronic Frontier Foundation evaluates companies on their privacy processes and procedures, here are three basic questions they ask. Companies looking to start policies of their own can start with these questions:
- Does the company require the government to obtain a warrant from a judge before handing over the contents of user communications?
- Does the company publish a transparency report; for example, regular, useful data about how many times governments sought user data and how often the company provided user data to governments?
- Does the company publish law enforcement guides explaining how they respond to data demands from the government?