
10:30 AM

Better Locks Than Back Doors: Why Apple Is Right About Encryption

What the landmark privacy case and a new documentary about Stuxnet both have to say about the encryption versus government oversight debate.

There’s never a shortage of headlines in the world of cybersecurity and recent weeks have been no exception. I’m referring to the landmark privacy case between the FBI and Apple and the Berlin debut of the documentary “Zero Days,” which delves into the 2010 Stuxnet worm. The two events have brought the encryption vs. government oversight debate into the public arena in a very real way.

At first glance, these are two separate issues. One is allowing the government to get into a device of a suspected terrorist. In the other case, we’re talking about government-backed cyber-warfare. However, I believe the parallels are clear, and in my opinion, both cases have simple resolutions: If governments really want to keep their citizens safe, they need to focus more on defense than offense. 

Offensive cybersecurity tactics offer short-term benefits but have long-term consequences. A government focused on offense is motivated to hide vulnerabilities for later exploitation. This puts every citizen at risk, as bad actors will surely find these holes too.

Governments too focused on offense are also motivated to weaken security for their own purposes. To use the Apple case as an example, the FBI wants to remove security features designed to keep criminals out of consumer devices for the sake of learning more about one dead terrorist. Unfortunately, purposely weakening defense in this way could expose new risks, which no one can guarantee won’t fall into the wrong hands. This also applies to governments hoping to maintain some “master key” for public encryption solutions.

Not having seen the “Zero Days” documentary yet (it releases in the US in May), I can’t yet comment on its accuracy or content. That said, I’m not surprised to hear that governments—including our own—are planning, or have already carried out offensive cyber campaigns.

If you’ve followed information security the past five or so years, you've seen plenty of evidence showing governments creating “red teams” trained to launch computer and network attacks. You’ve seen the details about Operation Olympic Games, experts have analyzed Stuxnet, you’ve followed the Snowden leaks, you’ve seen government cyber budgets expand, and most recently, you’ve probably heard Ukraine accuse another country of attacking its critical infrastructure. With all of this evidence, it should not come as a surprise that governments are considering cyber attacks… However, it should concern you greatly.

These types of “cyber” attacks—ones that target critical infrastructure and pose physical, real-world ramifications—are not only possible but increasingly probable. Stuxnet proved that. Furthermore, I believe digital attacks can result in real human death. Many of our most critical systems rely heavily on computers and cyber networks, which don’t always have the protection they should. Alex Gibney’s Stuxnet documentary will reportedly suggest that the US government planned to launch a digital attack on the Fordo nuclear facility in Iran. While such a plan might seem like science fiction to some, and would certainly pose difficulties (the facility has more defenses than most), the past has proven that motivated, persistent attackers with money can often breach the strongest defenses. 

Are the governments considering launching such attacks really prepared to defend themselves from these same attacks? The short answer is no. Even the former director of the CIA and NSA says that we’re not prepared. In fact, with calls to create “backdoors” and encryption master keys, they’re actively tearing down our defenses, thus making everyone’s problem worse. 

Government, heal thyself
Countless government breaches, like ones affecting the State Department, White House email, and the OPM, have proven attackers can infiltrate government networks and hijack the accounts of key government employees, showing government defenses are less than perfect. Shouldn’t they be spending more time building their defenses rather than knocking their citizens’ down?

When governments make commercial software and public networks part of their "cyber battleground,” they expose private citizens and organizations to the “war.” Unfortunately, I expect future “state-sponsored" attacks will include private targets, like we saw with Sony Pictures in 2014. With governments weakening the security of consumer products, how will their citizens survive such attacks?

The very act of promoting a red team, responsible for carrying out cyber attacks, is at odds with the motivation of building a defense team. By definition, a red team is motivated to find ways to defeat defenses, and more importantly, to stockpile and hide those attack techniques so that they can continue to use them. How do you fix a problem you don’t know about, when it’s in the red team’s best interest to keep that problem hidden?

If a government red team finds a new zero-day flaw in commercial software, will they share it with the world so we can fix it and all be safe, or will they hold onto it for their next attack campaign, leaving the potential for other bad actors to find it and exploit the flaw as well? Do governments realize that leaving their citizens exposed to such flaws will likely affect their own country as well? I would like to think the answer is yes, but hearing of authorities around the world exploiting blackhat hacking techniques to catch criminals makes me think otherwise.

Yes, I agree that it’s great that we caught a nasty criminal, but do you realize the public safety you might be sacrificing so the police can hang on to their favorite 0day?

In my opinion, the ends don’t always justify the means. If the means include citizens of a free democracy sacrificing privacy, freedom, and security all for the sake of some vague idea of safety that governments can never really deliver on, I say to heck with those means.

Rather, if governments are really serious about our digital security, they need to get serious about information security. They should spend their time making the security features of Apple and all other public and private vendors stronger; they should create unbreakable encryption that protects all citizens’ communications; and they should find and plug every zero-day vulnerability they can, so no terrorist or nation state can leverage it to gain asymmetric power over others.

As I believe Gibney’s documentary will illustrate (and I argued a year ago), Stuxnet opened the Pandora’s box of the cyber arms race. If we want to close that box, we should focus less on the arms and more on building better armor.


Corey Nachreiner regularly contributes to security publications and speaks internationally at leading industry trade shows like RSA. He has written thousands of security alerts and educational articles and is the primary contributor to the WatchGuard Security Center blog, ...

User Rank: Apprentice
3/7/2016 | 8:02:51 PM
Re: John McAfee
BTW.. an update to my response that I thought McAfee's claims about hacking the iPhone 5c were all bluster... Turns out I was on to something... A new article just came out where he said he lied about it to get more attention on the issue... I can't share the direct link, but you can find it on The Daily Dot, titled:

John McAfee lied about San Bernardino shooter's iPhone hack to 'get a s**tload of public attention'



User Rank: Apprentice
3/4/2016 | 5:28:30 PM
Re: John McAfee
I think it's all bluster... As another security expert already said, if McAfee really had someone that could crack the iPhone 5c, he'd actually use a real 5c and do a video proof-of-concept (PoC) on that phone to prove it. In other words, pics, or in this case, video or it didn't happen...


That said, sure it's theoretically possible that there is a vulnerability somewhere in iOS that a researcher finds one day, but until McAfee shows a PoC, I assume it's all talk...
User Rank: Apprentice
3/4/2016 | 5:24:24 PM
Re: Ends Don't Justify the Means
I actually think intelligence gathering attempts are proper in this case.

I honestly don't care about the privacy of a dead terrorist and murderer... So I don't think there is anything wrong with the FBI having all the terrorist's stuff and trying to break into this phone... However, I do think asking an external third party to specifically break a security control and have to take the undue burden of designing a special operating system for this one case is too much...

I do care about the privacy of Apple's millions of other customers. So while the FBI does keep insisting this special firmware will only be for this one phone, I think this would set a precedent for many others, which may not be as clear cut as this one terrorist case... Plus, it doesn't even discuss how much burden a private company needs to go under to support the authorities... If they do decrypt this one phone, and then authorities come to Apple with hundreds of other phones, next thing you know Apple is spending all time and money on something that is really not their business.. So besides just the fact that the existence of this technique makes everyone's phones less safe, we need to also consider the burden on a private business that had nothing to do with the attack.
User Rank: Ninja
3/2/2016 | 8:20:15 AM
Ends Don't Justify the Means
I agree with you that in this case the ends do not justify the means because they jeopardize the privacy of so many others. But when is intelligence gathering the proper course of action? The phone in question could harbor data that may lead to potential saving of lives, etc.
User Rank: Ninja
3/2/2016 | 8:13:30 AM
John McAfee
Is there truth in that John McAfee interview around the ability of cracking into an iPhone? Logically what he is saying makes sense but I think he is oversimplifying the process of cracking into the phone.