The couple who killed fourteen people in San Bernardino in December 2015 had destroyed their personal smartphones, but a work iPhone was later found and the FBI wanted to get inside it. The trouble was, if investigators failed to figure out its four-digit password in ten attempts, the phone was programmed to destroy its data.
So the FBI implored Apple to create an update that would undo the phone’s security protections. The company refused, saying the update would weaken security for all users. As the case wended its way through the courts, the US House of Representatives Judiciary Committee held hearings. One of the key experts testifying was Susan Landau, now Bridge Professor in Cybersecurity at Tufts, where she splits her time between the Fletcher School and the School of Engineering. Her take was unequivocal: weakening the security on one iPhone weakens it on all iPhones, and that’s bad for US security.
Landau details her concerns in a new book, Listening In: Cybersecurity in an Insecure Age, which furthers her argument that securing our data is essential for securing us. At the same time, improving security means that the data of bad actors—from terrorists to garden-variety criminals—is also secure, and increasingly hidden from law enforcement. So does secure data for all mean that law enforcement and national security take a back seat to privacy?
The answer, according to Landau, is no. “The NSA says they’re doing better than ever. They know that most things they want to investigate will be dark—not accessible,” she said. “That’s just the way things are going, regardless of how the US tries to constrain manufacturers.”
There is no way a manufacturer can create a backdoor for law enforcement, Landau said, without it being found and exploited by hackers, giving them carte blanche to access everyone’s computer systems, and in the long run do serious damage to national security.
Landau, whose specialty is surveillance, writes about the trouble with insecure data. “I think everybody has a sense that it won’t happen to me,” she said. “Nobody thinks about what their particular threats are, nobody thinks about what it is that they need to protect.” She cited the breach at Sony Pictures in 2014, when hackers broke into the company’s computer systems and stole huge amounts of information, including embarassing corporate memos and copies of unreleased movies. “Sony was making films, and thought of itself as a film company,” Landau said. “The mental model of the executives was probably a canister of film, not bits—computer data.”
Banks, however, quickly realized that money “is all about the bits,” she said. “When you do a money transfer, nobody carries bills from bank A to bank B, they just do a bit transaction. They have known for a long time they need to protect the bits.”
What can we personally do to keep our data secure? “The most important thing is to do automatic updates for everything you use,” Landau said. “Don’t say, I’m too busy now—just do it.” Use two-factor authentication when it’s available, and, of course, think before you click on a link or open an attachment—that’s the way most cyber exploits work.
The same is true for governments and businesses—only more so. Security measures should be built into every system, Landau said, and access to critical pieces should be limited to a very small number of trusted—and careful—people.
After all, it’s not if but when the next attack will occur. “Cybersecurity protections, including encrypted communications and secured communications, are far more critical now than they were even five years ago,” Landau said.