RENEE MONTAGNE, HOST: Experts on encryption from Apple, the FBI, law enforcement - they're all on Capitol Hill today to testify at another hearing. It's now well-known that a third party helped the FBI unlock the iPhone used by one of the San Bernardino shooters. At least one of the people involved was a gray hat hacker according to The Washington Post - a professional hacker in it for the money.
ROBERT KNAKE: Now what we're seeing are these third-party groups whose full-time job is to discover vulnerabilities that they can exploit and sell - sometimes back to governments, sometimes back to the companies that make the software and then oftentimes on the black market or on the gray market to criminals or other intelligence agencies.
MONTAGNE: Robert Knake led cyber security policy for the White House National Security Council until last year, and he joined us to talk more about it.
KNAKE: That's one of the challenges that we're seeing today is if this company, this third party, discovered this vulnerability, they probably didn't want to give it to the FBI one time. They probably wanted to keep reselling it to the FBI over and over again and to other law enforcement agencies. And so we may be in a situation where if the government does decide it wants to disclose this vulnerability, it may have to figure out how it can legally do that. Does it have the right to disclose that or are those rights held by the company that discovered the vulnerability in the first place?
MONTAGNE: Right, this is very interesting, the idea being that the hackers would own a potentially valuable product here.
KNAKE: It's something that I think we're going to see intellectual property lawyers fight out over the next couple years because I think Apple certainly would say how can you own a vulnerability in our source code and in our software and in our devices? That seems a little bit off. But it's certainly an area where we don't have a very clear playbook.
MONTAGNE: Although couldn't any tech company buy back the vulnerability itself?
KNAKE: Absolutely, and I think that's been one thing that we've been, in the policy community, looking at very seriously is why don't companies like Apple and Facebook and others who are very, very profitable - why aren't they putting more money into purchasing vulnerabilities so they can be fixed? And I think the answer is these companies don't want to create a situation in which they're really being compelled not only to pay out millions of dollars but also to have to fix their software on an even faster basis than they already do.
MONTAGNE: It also feels, at this moment in time, a little like blackmail.
KNAKE: I think that is how many of the companies would characterize it.
MONTAGNE: You know, FBI director James Comey has said the government is considering whether to disclose to Apple the flaw or flaws in its phone. Aside from questions of whether they own the knowledge, what factors would be considered and who would be making this decision?
KNAKE: So at the top of the vulnerabilities equities process, you've got an equities review board, which is made up of senior members of every agency that might have an equity in this kind of case, right? So you would, for instance, have the FBI Counterterrorism Team advocating probably on behalf of retaining this vulnerability. On the other side of the FBI, you'd have their counterintelligence team probably saying, hey, we've got to protect all those iPhones 5s that have government information on them. We need to disclose this vulnerability to Apple. You would have other law enforcement agencies like the Secret Service at the table. You might have the Commerce Department if they thought they had an equity in it. So this team of people would come together and they'd look at a variety of questions and factors to determine whether they think, on balance, the vulnerability should be disclosed or should be retained.
MONTAGNE: Will we ever know exactly how this particular phone was hacked?
KNAKE: So this is an unusual case. Normally, I would say that there would be very little chance that if the government decides to disclose it, it will disclose anything more than what it knows to Apple and that we would never know that happened. In this case 'cause it's become so public, I think it's possible that the FBI might share details more broadly. So, yes, I think it is in fact possible that we may get to the bottom of what the vulnerability was and get solid assurance from Apple that they fixed it.
MONTAGNE: Rob Knake spent four years as the director of cyber security policy at the National Security Council in the Obama White House. Thanks very much for joining us.
KNAKE: Thank you.
NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.