FBI Director James B. Comey said Wednesday that the bureau did not purposely avoid a government process for determining whether it should share with Apple the way it cracked a terrorist’s iPhone.
In March, the FBI purchased a tool that exploited an Apple software flaw to hack into the phone of a shooter from the attack last year in San Bernardino, Calif.
Many observers expected the bureau to submit the method to a relatively new government process for figuring out when to share software flaws with tech firms so they can be fixed. But the bureau told the White House last month that its understanding of how a third party hacked the phone was so limited that there was no point in undertaking a government review.
Comey said Wednesday that the bureau purchased only the tool, not the rights to the software flaw. The FBI, he said, was focused on getting into the phone.
“We did not in any form or fashion structure the transaction . . . with an eye toward avoiding” the government review, he said.
The FBI spent what Comey said was “a lot of money” to buy the tool from a company that specializes in such exploits. “We bought what was necessary to get into that phone, and we tried not to spend more money than we needed to spend,” he said, suggesting that further information about the exact flaws being exploited would have cost more.
“It might cost you a whole lot of money. And if your interest is in investigating a particular terrorist attack and getting into a particular phone, I don’t know why you would spend that dough,” Comey said. The bureau spent in the high six-figures, according to a person familiar with the matter. “In my view, it was well worth it,” Comey said.
Comey’s comments come a week after senior National Security Agency officials, in a meeting with privacy advocates and academics, described a different approach for how they handle software flaws.
When the agency buys hacking tools or exploits from third parties, “we try to avoid getting into situations where we don’t know the underlying vulnerability” or security flaw, a senior NSA official said, according to several participants at an unusual five-hour meeting last Thursday to discuss security and privacy issues.
One NSA official said he “was not aware that not submitting was an option,” according to Kevin Bankston, director of the New America’s Open Technology Institute and one of about a dozen civil-society leaders present. Under the meeting’s ground rules, participants were allowed to relay comments but not to identify any speakers.
The NSA comments were welcomed by the advocates and academics, who were concerned that software flaws left unfixed can put users at risk of having their computers or phones hacked by criminals or foreign governments.
“It’s heartening to hear that the NSA considers this vulnerability disclosure process to be a mandatory one in contrast to the FBI, which seems to view it as optional,” Bankston said. “This seems to indicate a greater level of technical sophistication at the NSA as compared to the FBI when it comes to understanding the cybersecurity risks of stockpiling the hacking tools that they buy.”
The review process existed on paper for at least six years but didn’t become a reality until spring 2014. In this process, agencies including the FBI, the Justice Department and the NSA weigh whether newly discovered software flaws should be disclosed to the software-maker, balancing the need to gather intelligence against the harm to users if the vulnerability is left unresolved.
In a statement, the FBI said the bureau’s handling of the iPhone used by one of the San Bernardino terrorists “should not be interpreted as an indication of general FBI policy” regarding the government’s review process, which the FBI says it supports.
Before the San Bernardino phone, officials in the White House-led group had never encountered a situation before in which an agency such as the FBI had purchased a tool and not the rights to the technical vulnerability, said one senior administration official. “That was really the first time we’d ever seen that,” said the official, who spoke on the condition of anonymity to discuss a mostly hidden process. “I suspect it won’t be very common.”
The official said there have been instances where a software flaw that’s purchased — rather than discovered — by an agency is submitted for review.
For years, the NSA had its own process for deciding whether to disclose software flaws.
Richard “Dickie” George, who ran the process for 15 years until he retired in 2011, said on average that three or four flaws were withheld a year, usually because the software-maker had gone out of business. The agency typically disclosed about 300 a year directly to vendors, said George, who was technical director for information assurance. In general, he said, it took several months for a company to patch the flaw during which time the agency could exploit it. In some cases, the agency waited as many as six months before disclosing to see whether the flaw would be useful to operators, he said.
Participants at last week’s NSA gathering, sponsored by Carnegie Mellon University’s Institute for Strategic Analysis, said they appreciated the agency’s effort to engage.
Peter Margulies, another meeting participant and a law professor at Roger Williams University in Bristol, R.I., said the NSA officials’ remarks show the agency is “well aware” of how not reporting vulnerabilities to tech companies can leave “the Internet as a whole . . . more vulnerable.”
But Faiza Patel, co-director of the Brennan Center’s Liberty and National Security Program and also a meeting participant, said it’s tough to evaluate how well the process balances intelligence needs against Internet security because it “remains mostly secret.”
On Wednesday, Comey also said that the bureau was working on a way to help state and local law enforcement agencies who might have similar phones they cannot unlock. The tool used in the San Bernardino case will work only on the iPhone 5C running an iOS 9 operating system. The 5c is an older model, meaning there are fewer such phones out there, so the demand for the tool is likely to be low.
In fact, the bureau has about 500 phones it cannot unlock in criminal investigations and none, Comey said, are 5Cs running iOS 9.
Last month, Apple for the first time received information about a software flaw from the FBI through the White House-led review process, as first reported by Reuters.