recommended reading

FBI Director Gets Schooled on Security Tech by Congressman

FBI Director James Comey testifies on Capitol Hill in Washington.

FBI Director James Comey testifies on Capitol Hill in Washington. // Jose Luis Magana/AP

“I don’t know.”

“I don’t know if that would work.”

“I have no idea.”

“I’m not sure I even fully understand the questions.”

Safe to say, Federal Bureau of Investigation director James Comey was unprepared for a barrage of technical questions by California congressman Darrell Issa (R), during a hearing on iPhone encryption.

The House Judiciary Committee is holding a hearing today (March 1) after Apple refused to comply with a federal court order to help the FBI break into the iPhone 5c of one of the San Bernardino shooters. The phone includes a security feature that erases all its data after too many unsuccessful unlocking attempts. To bypass that limitation and unlock the phone now, said Apple, it would have to create a special version of its mobile operating system.

In his opening statement at the hearing, Comey described the FBI’s request as akin to “asking Apple to take away the vicious guard dog and let[ting] us pick the lock.”

During his five minutes of questioning, Issa repeatedly asked if the FBI had tried other solutions before asking Apple to comply. His questions centered around whether the FBI asked Apple for the source code. Though Issa admitted he didn’t know if it was possible, he suggested the government agency could use the phone’s source code to make copies of its memory, potentially allowing the FBI to try as many unlocking combinations as necessary without losing valuable information.

This, suggested Issa, might be an alternative to compelling Apple to create a “backdoor.”

“I’m doing this because I came out of the security business and this befuddles me that you haven’t looked at the source code, and you don’t really understand the disk drive, at least to answer my dumb questions if you will,” Issa said. “How can you come before this committee, before a federal judge, and demand that someone else invent something if you can’t answer the questions that your people have tried this?”

Comey tried to handle the grilling gracefully, in the end saying, “I’m totally open to suggestions.”

The full transcript of their exchange is below:

Rep. Darrell Issa:
Justice Scalia said it best what I’m going to quote, almost 30 years ago in Arizona v Hicks, in which he said: “There is nothing new in the realization that the Constitution sometimes insulates the criminality of a few in order to protect the privacy of all of us.” I think that stands as a viewpoint that I have to balance when asking you questions. As I understand the case and there’s a lot of brilliant lawyers and experienced people that know about the All Writs Act, but what I understand is you in the case of Apple in California are demanding through a court order that Apple invent something, that they have to create something. If that’s true, then my first question to you is the FBI is the premiere law enforcement organization with laboratories that are second to none in the world. Are you testifying today that you and or contractors that you employ could not achieve this without demanding an unwilling partner doing it?

FBI director James Comey:

And you do so because you have researched this extensively?

Yes we worked very, very hard on this. We’re never going to give up but…

Did you receive the source code from Apple? Did you demand the source code?

Did we ask Apple for their source code? Not that I’m aware of.

So you actually couldn’t hand a software person the source code saying can you modify this to do what we want if you didn’t have the source code. So who did you go to, if you can tell us that you consider an expert on writing source code changes that you want Apple to do for you, you want them to invent it—who would you go to?

I’m not sure I’m following the question.

Well, I’m going to assume that the burden of Apple is X. But before you get to the burden of Apple doing something it doesn’t want to do because it’s not in its economic best interest and they’ve said that they have real ethical beliefs that you’re asking them to something wrong, sort of their moral fiber. You are asking them to do something and there’s a burden. No question at all, they have to invent it. And I’m asking you have you fully viewed the burden to the government. We spend $4.2 trillion every year. You have a multibillion dollar budget. Is the burden so high on you that you could not defeat this product either through getting the source and changing it or some other means. Are you testifying that?

We wouldn’t be litigating if we could. We engaged all parts of the government to see if does anyone have a way short of asking Apple to do this with a 5c running iOS 9 and we do not.

Let’s go through the 5c running iOS 9. Does the 5c have a nonviolatile memory in which all the encrypted data and selection switches for the phone settings are all located in that encrypted data?

I don’t know.

Well, it does. Take my word for it for now. So that means that you can, in fact, remove from the phone all of its memory, all of its nonvolatile memory, its disk drive if you will, and set it over here and have a true copy of it to conduct infinite number of attacks on. Let’s assume that you make an infinite number of copies once you have one copy, right?

I have no idea.

Let’s go through what you asked. I’m doing this because I came out of the security business and this befuddles me that you haven’t looked at the source code, and you don’t really understand the disk drive, at least to answer my dumb questions if you will. There’s only a memory and that memory—that non-violatile memory sits here—and there’s a chip, and the chip does have an encryption code that was burned into it. And you can make 10,000 copies of this chip, this non-violatile memory hard drive, then you can perform the attacks as you want on it.

Now you asked specifically Apple to defeat the finger code so you can attack it automatically so you don’t have to punch in codes. You’ve asked them to eliminate the 10 [attempts] and destroy. But you haven’t ask as far as I know as them, “OK if we make a thousand copies or two thousand copies of this and we put it with the chip and we run five tries, 00 through 04,” and throw that image away and put another one in and do that 2,000 times, won’t we have tried with a non-changing chip and an encryption code that is duplicated 2,000 times? Won’t we have tried all 10,000 possible combinations in a matter of hours? If you haven’t asked that question, the question is: How can you come before this committee before a federal judge and demand that someone else invent something if you can’t answer the questions that your people have tried this?

First, I’m the director of the FBI. If I could answer that question, there would be something dysfunctional in the leadership.

I only asked if your people had done these things. I didn’t ask if that would work. I don’t know if that would work. I asked you who did you go to, did you get the source code, have you asked these questions because you’re expecting somebody to obey an order they don’t want to do and you haven’t even figured out whether you can do it yourself. You just told us well we can’t do it but you didn’t ask for the source code and you didn’t ask the questions I asked here today and I’m just a guy …

[cut off because time for questioning expired]

I did not ask the questions you’re asking me here today. I’m not sure I even fully understand the questions. I have reasonable confidence, in fact I have high confidence that all elements of the US government focused on this problem, and I’ve had great conversations with Apple. Apple has never suggested to us there’s another way to do it other than what they’ve been asked to do in the All Writs Act. It could be when the Apple representative testifies you’ll ask him and we’ll have some great breakthrough, but I don’t think so. But I’m totally open to suggestions. Lots of people have emailed ideas, I’ve heard about mirroring and maybe this is what you’re talking about. We haven’t figured it out, but I’m hoping my folks are watching this and if you’ve said something that makes good sense to them, we’ll jump on it and we’ll let you know.

Threatwatch Alert

Thousands of cyber attacks occur each day

See the latest threats


Close [ x ] More from Nextgov