Giving and taking: DOJ and NIST on opposite sides of cybersecurity

By: William Jackson
February 19, 2016


What the federal government gives with one hand, it takes away with the other.

The Justice Department has obtained a court order that would force Apple to create a backdoor into encrypted devices (or at least remove safeguards preventing investigators from getting in at the back door), ultimately threatening the security of all iPhones. At the same time, the National Institute of Standards and Technology (NIST) is sponsoring initiatives to improve the security and privacy of electronic medical records and devices.

NIST is soliciting proposals for collaboration through the National Cybersecurity Center of Excellence (NCCoE) in Rockville, Md. It is looking for products and technical expertise to secure wireless medical infusion pumps. The NCCoE already is working on a platform for the secure use of patient information on mobile devices.

“Today, medical devices have operating systems and communication hardware that allow them to connect to networks and other devices,” NIST wrote in its solicitation. “While this technology has created more powerful tools and improved health care, it has led to additional risks in safety and security.” By accelerating the development and dissemination of tools and techniques for protecting IT assets, “the NCCoE will enhance trust in U.S. IT communications, data, and storage systems . . . .”

The program will include risk assessment and analysis, design development and evaluation, and security control mapping. The end product will be a practice guide to help in evaluating the security environment for infusion pumps.

Unfortunately, as NIST is working to enhance trust in U.S. IT, the federal law enforcement community is working just as hard to undermine it. The details of the order from the U.S. District Court for Central California are well known. Apple is being ordered to help “in enabling the search of a cellular telephone” used by one of the shooters in the January attacks in San Bernardino, Calif. The company is not being asked to compromise the encryption itself, but to make it easier for the feds to do it. Specifically, by creating software to:
• Disable the protective function that would erase data after too many failed passcode tries and
• Enable electronic submission of passcodes without enforced delays between attempts.
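To make concrete what those two safeguards do, here is a small simulation of a passcode guard that enforces both a wipe after too many failures and escalating delays between attempts. It is an added illustration, not Apple's code and not part of the article; the ten-attempt threshold and the delay schedule are assumed values chosen for the example, and time is a logical clock so nothing actually sleeps.

```python
"""Simulation of two passcode safeguards: wipe after too many failed attempts
and enforced delays between attempts. Threshold and schedule are assumed."""
from dataclasses import dataclass

# Assumed policy values for the example (not Apple's actual numbers).
WIPE_AFTER_FAILURES = 10
# Seconds the guard demands before the next attempt, indexed by failure count.
DELAY_SCHEDULE = [0, 0, 0, 0, 0, 60, 300, 900, 3600, 3600]


@dataclass
class PasscodeGuard:
    secret: str
    enforce_delays: bool = True      # safeguard 2: delays between attempts
    enforce_wipe: bool = True        # safeguard 1: erase after too many failures
    failures: int = 0
    wiped: bool = False
    next_allowed_at: float = 0.0     # logical clock, in seconds

    def required_delay(self) -> int:
        """Delay the guard imposes after the current number of failures."""
        if not self.enforce_delays:
            return 0
        return DELAY_SCHEDULE[min(self.failures, len(DELAY_SCHEDULE) - 1)]

    def attempt(self, guess: str, now: float) -> str:
        """Check one guess at logical time `now`.
        Returns 'ok', 'wrong', 'too_early' or 'wiped'."""
        if self.wiped:
            return "wiped"
        if now < self.next_allowed_at:
            return "too_early"          # delay not yet served; attempt rejected
        if guess == self.secret:
            self.failures = 0
            self.next_allowed_at = now
            return "ok"
        self.failures += 1
        if self.enforce_wipe and self.failures >= WIPE_AFTER_FAILURES:
            self.wiped = True
            self.secret = ""            # protected data is gone
            return "wiped"
        self.next_allowed_at = now + self.required_delay()
        return "wrong"


def run_guesses(guard: PasscodeGuard, candidates, start: float = 0.0):
    """Feed candidates in order, advancing the clock whenever the guard demands
    a delay. Stops on success or wipe. Returns (outcomes, total_seconds_waited)."""
    clock = start
    outcomes = []
    for guess in candidates:
        if clock < guard.next_allowed_at:
            clock = guard.next_allowed_at   # serve the enforced delay
        result = guard.attempt(guess, clock)
        outcomes.append(result)
        if result in ("ok", "wiped"):
            break
    return outcomes, clock - start


if __name__ == "__main__":
    pins = [f"{i:04d}" for i in range(10_000)]      # constructed 4-digit space
    protected = PasscodeGuard("4932")
    print("with safeguards:", run_guesses(protected, pins))
    unprotected = PasscodeGuard("4932", enforce_delays=False, enforce_wipe=False)
    print("without safeguards:", run_guesses(unprotected, pins)[0][-1])
```

With both safeguards on, the guard accepts at most ten guesses before the data is erased, and the later guesses each cost minutes to an hour of enforced waiting; with both removed, every candidate is accepted immediately, which is the change the order asks for.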

The risk

The software would include a “unique identifier of the phone so that [the software] would only load and execute on the subject device.”

Unfortunately, the order does not say anything about the ownership or copyright of this software or restrictions on its use. There is nothing to prevent the feds from reverse engineering and rewriting it to use it against any iPhone. And history has shown that once the feds obtain the ability to do something, they do it, regardless of legal or ethical considerations. And government cybersecurity is not so good that we can trust this tool would not fall into the hands of others.

The end result is a blow to the privacy and security of users of Apple mobile products and a net loss of confidence in U.S. technology, already suffering from revelations of wholesale eavesdropping by our intelligence agencies.

Apple is fighting this order and we can only hope that the company prevails. In the meantime, let’s also hope that NIST successfully continues in aiding the development of cybersecurity tools and techniques to protect our infrastructure, devices and data.

There might be no way to keep the feds out of our phones and other devices indefinitely. But with help from the courts in delaying and restraining these activities, and with collaboration between agencies such as NIST and the private sector in improving security, we might be able to stay ahead of them for a while longer.