A new top cyber official at the FBI could be a moderating voice in the protracted standoff between the agency and tech companies over how to address the spread of encrypted devices.
Amy Hess, a longtime bureau official, was appointed on Tuesday to head the FBI's Criminal, Cyber, Response, and Services Branch. She is known for playing a prominent role in one of the most high-profile flash points in the encryption debate so far: She challenged her colleagues during the FBI's fight with Apple over access to the San Bernardino shooter's iPhone in 2016. Hess was worried about whether investigators were trying hard enough to find a way to open the encrypted device before seeking a court order forcing Apple to do so — and she brought her concerns to the FBI's watchdog.
The debate in Washington still rages on whether the government should have a built-in way to access devices with encryption so strong even the company doesn't have the key. But while Hess, like other bureau officials, has argued that the spread of strong encryption can hinder investigations, her reputation for being willing to pursue other investigative tools seems to set her apart at a time when other law enforcement officials have suggested that legislation forcing companies to create a so-called “back door” into encryption may be the only solution.
“The FBI has been stuck on ‘going dark,’ even while one, we have an increasing cyber crime issue, and two, increasing amounts of digital evidence that law enforcement isn't using well,” Susan Landau, a cybersecurity and national security professor at Tufts University, told me in an email. “Hess is smart; I would hope that she would aim at much better use of digital evidence.”
What we know about Hess's role in the Apple case comes from an inspector general report released earlier this year. Hess was serving as the bureau’s executive assistant director for science and technology when the FBI tried to break into the iPhone of Syed Rizwan Farook, one of the two terrorists who killed 14 people in San Bernardino, Calif.
During the investigation, Hess worried she wasn’t getting a “straight answer” about whether the FBI’s technical experts had a way of accessing the device, according to the report. She also feared the chief of the FBI’s Cryptographic and Electronic Analysis Unit “knew of a solution but remained silent in order to pursue his own agenda of obtaining a favorable court ruling against Apple,” the report said. The San Bernardino case was the “poster child” for the “going dark challenge,” she told the inspector general. After she pressed her concerns with her colleagues, the FBI found a contractor that helped investigators crack the phone without the company building a new way in, ending the legal battle with Apple.
Ultimately, the inspector general found that no one at the FBI withheld any information, but said the bureau didn't “pursue all possible avenues” in its search for a solution.
The episode is a compelling example of Hess playing by the book as her agency faced immense pressure to produce evidence in a high-profile terrorism investigation. And it offers a window into how she might approach a similar case in her new role.
Still, it doesn't mean Hess is a dove on encryption. In other settings she has bemoaned the spread of increasingly sophisticated encryption technology and argued in favor of expanding law enforcement access to encrypted devices. During a congressional hearing in 2015, she sidestepped a question about whether she supported an encryption-breaking mandate. Motherboard wrote about the exchange at the time:
“When asked directly if the FBI wants a backdoor, Hess dodged the question and did not describe in detail what actual solution the FBI is seeking.
'We are simply asking for information that we seek in response to a lawful order in a readable format,' Hess responded, while also repeating that the Bureau supports strong encryption. 'But how that actually happens should be the decision of the provider.'
When pressed again, Hess said that it would be okay for the FBI not to have a key to decrypt data, if the provider 'can get us that information by maintaining the key themselves.'”
“She wouldn't outright say, ‘Yes, I want a backdoor,’ yet she voiced support for the idea of providers keeping the keys to decrypt data,” Riana Pfefferkorn, cryptography fellow at Stanford Center for Internet and Society, told me. “None of that really suggests to me that she's going to be better on ‘going dark’ or on surveillance and government access more generally.”
In addition to Hess, the FBI made several other leadership appointments yesterday, including Matt Gorham, another longtime bureau official, as assistant director of the Cyber Division.
You are reading The Cybersecurity 202, our must-read newsletter on cybersecurity policy news.
PINGED: Researchers have found a new Intel processor vulnerability that they call Foreshadow. Here's a description of the flaw by Wired's Lily Hay Newman on Tuesday: “Intel's Software Guard Extensions feature, known as SGX, allows programs to establish so-called secure enclaves on Intel processors. These are regions of a chip that are cordoned off to run code that the computer's operating system can't access or change. The secure enclave creates a safe haven for sensitive data, even if malware or another malady compromises the main computer. But a group of researchers, hailing from five academic institutions around the world, found that although SGX can mostly repel Spectre and Meltdown attacks, a related attack can bypass its defenses.”
However, most users don't rely on SGX, and successfully exploiting the Foreshadow vulnerability would be no easy feat. “The Foreshadow researchers stress the limitations and challenges of actually carrying out the attack in the wild, though,” according to Wired. “They say that cheap, easy, and effective techniques like phishing and malware distribution are still the obvious and most cost-effective choice for targeting individuals. Compared to those, Foreshadow would be impractical.”
PATCHED: Four Democrats on the House Energy Committee on Tuesday sought answers from Federal Communications Commission Chairman Ajit Pai after an investigation found that the agency was not hit by a cyberattack in 2017 despite claims to the contrary by the FCC. In a letter to Pai, the lawmakers said they were “deeply disturbed” by the findings of an FCC inspector general report released earlier this month. The report said that a distributed denial-of-service attack was not the cause for the disruption of the FCC's computer systems.
“Given the significant media, public, and Congressional attention this alleged cyberattack received for over a year, it is hard to believe that the release of the IG’s Report was the first time that you and your staff realized that no cyberattack occurred,” Reps. Frank Pallone Jr. (N.J.), the committee's ranking Democrat, Mike Doyle (Pa.), Jerry McNerney (Calif.) and Debbie Dingell (Mich.) wrote to Pai. “Such ignorance would signify a dereliction of your duty as the head of the FCC, particularly due to the severity of the allegations and the blatant lack of evidence.”
The FCC's comment system was overwhelmed last year after HBO host John Oliver suggested in a segment about net neutrality airing late on May 7 that viewers leave comments on the agency's website, according to the inspector general report. In their letter on Tuesday, the four Democrats told Pai that they want to know when he and his staff found out that the disruption of the FCC's systems didn't result from a cyberattack. “It is troubling that you allowed the public myth created by the FCC to persist and your misrepresentations to remain uncorrected for over a year,” the lawmakers said in their letter.
PWNED: The operatives behind the 32 inauthentic pages and accounts that Facebook recently shut down ahead of the midterm elections employed tactics that are similar to marketing strategies, except their goal was to pit Americans against one another, the Associated Press's Mae Anderson reported Tuesday. “The aim of these possibly Russia-linked perpetrators appears to be to draw in as many people as possible with emotional appeals and then spur them to action,” according to the AP. “In this case, though, the action is public protest rather than affinity marketing, and the goal is to sow dissension rather than to build brand awareness.”
Moreover, this online propaganda operation did translate into the physical world because those behind the inauthentic accounts created events for people to attend. “Overall, the 32 accounts Facebook deleted recently tried to organize about 25 events,” Anderson wrote. “About half took place, even though the unknown agents behind them had no one on the ground and had to coerce people into attending the events purely through Facebook.” Jay Van Bavel, a psychology professor at New York University, told the AP that the pages and accounts that were taken down were targeting Americans' emotions. “The conflict already existed but they’re stirring it up, picking at a scab,” Van Bavel said.
— “Sen. Rand Paul (R-Ky.) said on Tuesday that Russian officials refused to acknowledge interfering in the 2016 presidential campaign during his recent trip to Moscow and Saint Petersburg, which was encouraged by President Trump,” my colleague Robert Costa reported. “But Paul, a top Trump ally, called hopes that Russia would eventually admit to the interference ‘naive’ and said the United States should cease expecting a diplomatic confession from Russian President Vladimir Putin or members of his government.”
— Sen. Bill Nelson (D-Fla.) continues to defend his claim last week that Russian hackers “have already penetrated certain counties” in Florida even though he has not provided evidence for the allegation. “It would be foolish to think that the Russians are not continuing to do what they did in Florida in 2016,” Nelson said while campaigning to keep his Senate seat, the Associated Press's Gary Fineout reported on Tuesday. “It is unfortunate that some Florida officials are trying to use this for partisan purposes.” Florida Gov. Rick Scott (R) on Friday chided Nelson for ringing alarms about Russian hacking without backing up his claim with specifics, my colleagues Michael Scherer and Felicia Sonmez reported.
— Researchers found that significant security issues were more common on the websites of candidates running for the House of Representatives than of those vying for a Senate seat, CyberScoop's Sean Lyngaas reported on Tuesday. “The House has significantly more candidates running and that provides more opportunities for security errors,” cybersecurity researcher Joshua Franklin told Lyngaas.
“A majority of candidates received good grades overall, with 55 percent of House candidates and 81 percent of Senate candidates receiving an A grade for website security, meaning they had trusted digital certificates and no known vulnerabilities in their security protocols,” according to CyberScoop.
Uber tapped Matt Olsen, the former general counsel of the National Security Agency and director of the National Counterterrorism Center, to serve as its chief security officer, the New York Times reports. The move comes after Uber faced criticism for failing to immediately disclose a breach of 57 million customer records last year. "Mr. Olsen joins Uber as it is trying to repair the reputation of its security team," the Times reports. "In addition to the data breach, Uber’s practice of routinely surveilling its competitors physically and online came under scrutiny in federal court, when Uber was being sued for trade secret theft by Waymo, the autonomous-driving car company owned by Alphabet."
— There are two kinds of laptop users in the world: those who put stickers on their computer, and those who don't. So, what if you're part of the former group? “That’s all well and good, but a laptop lid full of stickers also arguably provides something of a red flag to authorities or hackers who may want to access sensitive information stored on that computer, or otherwise cause the owner hassle,” Motherboard's Joseph Cox wrote Tuesday. Cox's report elicited numerous reactions, with members of both groups making their case on Twitter.
Alternate title: In 2018 America, expressing yourself with a laptop sticker can have severe consequences. https://t.co/4zMcYu4eSS — Matt Gray R. (@graymattr) August 15, 2018
I always smirk at those who stick stickers on their laptops. Instantly tell me how valuable they are. https://t.co/7FEBaLVpsD — Avadiax (@avadiax) August 14, 2018
We don't put stickers on our work horses. If you break into a building you don't want to stand out at all, I use a plastic case over the laptop that pops on/off like a sleeve for conferences on a non work system. — Hacker Fantastic (@hackerfantastic) August 14, 2018
You appear to be ignoring opportunists. — Joseph Cox (@josephfcox) August 14, 2018
I believe if I was ever at the level of worrying about stickers in my threat model, I would be using a typewriter. — VoidMOSity (@voidMOSity) August 14, 2018
turn your laptop upside down when going through security.. it's what I do!! — Stu🔨 (@cybersecstu) August 14, 2018
- Usenix Security Symposium in Baltimore through Aug. 17.
- Senate Commerce Committee hearing to conduct oversight of the Federal Communications Commission tomorrow.
- Senate Rules and Administration Committee business meeting about the Secure Elections Act on Aug. 22.