The Cybersecurity Legacy of James Comey
Fired FBI Director Led Fight to Bypass Encryption on Mobile Devices
James Comey's cybersecurity epitaph as FBI director could read something like this: "He showed courage to take on Apple."
Comey, whom President Trump fired May 9 (see Comey's Gone: Will the Russian Hacking Probe Stall?), was a vocal proponent of getting the tech industry to help law enforcement gain access to locked and encrypted mobile devices seized from suspected criminals and terrorists.
"He's going to be remembered more for the encryption fight than anything else," says Robert Knake, senior fellow at the Council on Foreign Relations and former cybersecurity policy director at the National Security Council. "He made himself the face of that."
Comey grabbed headlines in early 2016 when he went mano a mano with Apple CEO Tim Cook. That's when the FBI sought Apple's help to unlock the iPhone used by the terrorist who shot and killed 14 people in San Bernardino, Calif., in December 2015 (see FBI-Apple Aftermath: Finding the Elusive Compromise). Apple refused to help the FBI, contending the bureau wanted it to build a backdoor, a term Comey didn't use, to bypass the iPhone's encryption. Doing so, Cook said, would have meant the "same engineers who built strong encryption into the iPhone ... would, ironically, be ordered to weaken those protections and make our users less safe." The Justice Department sued Apple, but dropped the case when an unidentified third party (reportedly paid at least $1.3 million by the FBI) helped unlock the encrypted iPhone.
In a letter published in the Wall Street Journal, Comey wrote: "The San Bernardino case was not about trying to send a message or set a precedent; it was and is about fully investigating a terrorist attack." (See FBI Versus Apple: A Lose-Lose Situation).
Advocating 'Exceptional Access'
Even before the San Bernardino shootings, Comey advocated for what he characterized as "exceptional access."
"He pushed that view hard, and he gave a national platform to those concerns," says Herbert Lin, a senior research scholar for cyber policy at the think tank Hoover Institution.
Many security experts contend that creating a way for law enforcement to bypass encryption would eventually allow terrorists and criminals to do so, too. Although Comey never offered a means to allow only law enforcement - with a warrant - to gain access, he never bought into the argument proffered by the security experts.
"You hear lots of folks say it's too hard; it can't be fixed. My reaction to that is, 'Really?'" Comey testified at a July 8, 2015, hearing before the Senate Judiciary Committee (see FBI's Comey Rejects Cryptographers' View on Technical Barriers). "I think Silicon Valley is full of folks who, when they stood in their garages years ago [and] were told that their dreams were too hard to achieve, thank goodness, they didn't listen and they built remarkable things that changed all of our lives."
Last week, at the same Senate Judiciary Committee hearing where he confessed he felt "mildly nauseous" that his notification of Congress to reopen the Hillary Clinton email server investigation might have swayed last fall's presidential election, Comey said the FBI and tech leaders have held talks on seeking ways to gain access to devices without sacrificing individual privacy rights (see 5 Cyber-Tied Takeaways from Comey's Senate Testimony). "We care about the same things," he said. "We all love privacy. We all care about public safety. And none of - at least people that I hang around with - none of us want back doors. We don't want access to devices built-in in some way."
Still, how effective are those talks? And is Comey's campaigning over "exceptional access" or "warrant-proof encryption" doing more damage than good for his cause? "On balance, ultimately, it was more harmful than not because what it did was increase the level of distrust between the feds and Silicon Valley," says Lin, who served on President Obama's Commission on Enhancing National Cybersecurity.
Cryptography expert and cybersecurity author Bruce Schneier suggests Comey, as leader of the FBI, should have spent more time building the bureau's cyber forensics skills rather than advocating for an encryption bypass. Cyber forensics skills, Schneier contends, have been lacking at the FBI for a generation. "They had 20 years of not having to learn real forensics, and that's the average career length of an FBI officer," he says. "Comey has no legacy here. He didn't do anything good or bad."
But the Council on Foreign Relations' Knake says Comey has left his mark on the FBI beyond the encryption battles. In some respects, Comey's leadership helped foster improved cooperation with the private sector on cybersecurity.
The FBI worked closely with the business community to "take down" botnets. Knake cites FBI efforts to weaken the botnets Gameover Zeus, at least temporarily, and Kelihos (see Lessons from Gameover Zeus Takedown and Russian Receives Record-Setting US Hacking Sentence).
Also, Knake says the bureau, during Comey's tenure as FBI director, made notification of cybercrime victims a priority over simply investigating online attacks. "That became one of the FBI's main responsibilities, to use their presence throughout the United States to knock on an awful lot of doors and tell people, 'Look, we have reason to believe that an advanced adversary has compromised your network,'" Knake says. "He deserves credit. It happened on his watch."