On Wednesday, the FBI confirmed it wouldn’t tell Apple about the security flaw it exploited to break inside the iPhone 5c of San Bernardino gunman Syed Farook in part, because the bureau says it didn’t buy the rights to the technical details of the hacking tool. In a statement provided to eWEEK by the FBI National Press Office, Hess, who is the executive assistant director for science and technology, said that the agency has determined that it can not submit the method used to the Vulnerabilities Equities Process (VEP), a method sponsored by the White House to allow federal agencies to tell technology makers about vulnerabilities uncovered during the course of their activities. The paper also reported that the agency plans to inform the White House shortly that “it knows so little about the hacking tool. that it doesn’t make sense to launch an internal government review” into whether Apple should be informed.
Advertisement
Hess’ statement confirmed information from U.S. government sources on Tuesday that the Federal Bureau of Investigation had provisionally decided not to share the iPhone unlocking mechanism because the agency did not own it.
Jason Healey, who was director for cyber infrastructure protection at the White House from 2003 to 2005, did not mince words when FCW asked for a reaction to the FBI’s decision. Since then, the government has not disclosed the entity or said anything about how the work was done. “As such, they probably have tied the hands of the White House, specifically to subvert [President Barack Obama’s] intent”. This decision is reached by weighing the risk of the vulnerability being exploited with the value to national security in keeping the vulnerability a secret.
America’s three-letter agencies regularly purchase security flaws in consumer software from hackers, defense contractors and researchers. Now, it’s the government’s Vulnerabilities Equities Process that’s being put into question.
Advertisement
This statement brings to an end a highly-publicized and resource-intensive case that placed the security-privacy threshold at the forefront of public debate. “By necessity, that process requires significant technical insight into a vulnerability”, Hess said in her statement. “The VEP can not perform its function without sufficient detail about the nature and extent of a vulnerability”, she said. However, bureau officials chose to break with convention due to “the extraordinary nature of this particular case” and the fact that the FBI had revealed publicly that it had exploited the vulnerability, she added. His reporting on a range of global issues has appeared in publications such as The Atlantic, The Economist, The Washington Diplomat and The Washington Post. He earned his M.A.in global affairs from The Fletcher School of Law and Diplomacy at Tufts University, and his B.A.in public policy from Duke University.
