How 2020 Presidential Candidates Can Guard Against Cyberattacks

The 2016 presidential election witnessed unprecedented Russian cyberattacks and disinformation campaigns designed to disrupt the U.S. electoral system by influencing public opinion. The Russian goal is to destabilize the U.S. through ideological activism, advancing their interests and furthering their political agenda. Their methods compromised the computer systems of candidates and political parties, using the exfiltrated data to spread disinformation and influence presidential elections.

On January 6, 2017, the U.S. Director of National Intelligence released a declassified report “Assessing Russian Activities and Intentions in Recent U.S. Elections.” According to the report, Vladimir Putin ordered a massive campaign orchestrating attacks from multiple fronts that involved spreading pro-Trump propaganda on social media to hacking the Democratic National Committee (DNC). Their methods resulted in massive data breaches within the DNC that included access to John Podesta's email f…

Has Apple and the Security Industry Gone Mad?

Many in the security and privacy industries along with government have foreseen this coming and have warned of the outcome. And so it begins with the government unleashing its fury trying to compel Apple to assist them in cracking into one government-owned iPhone that a mass murdering terrorist had in their possession.

Trusting Government and Industry

Arguably, what Edward Snowden did is nothing new; there have been countless others like him everywhere who turned against their country and communities. What he did exacerbated an already known issue that cascaded globally, leading to what we are dealing with today.

Hardware-Based Encryption

To further protect mobile devices, layered encryption techniques were developed that allow users to scan a fingerprint and/or enter PIN passcodes that the manufacturers themselves cannot decipher. For example, at the root of each iPhone is a unique identifier (UID), sometimes called a “DeviceID.” It is an AES 256-bit key burned into the device’s processor that cannot be physically tampered with, is not recorded anywhere, and cannot be accessed or read by any app or firmware. Only the crypto engine can access it, making encryption unique in every device.

The fingerprint and/or a PIN (alphanumeric passcode) together with the UID become inextricably enmeshed to create iOS encryption keys that are more resistant to hacking efforts.

Also at issue is the mobile device management (MDM) system, which is always part of the security infrastructure installed in many organizations that manage mobile devices. The system was available and in operation in the county government. In conjunction with security endpoint apps, it enables organizations to remotely control the phone, oversee contents, monitor, back up, and reset or wipe the device as needed. This particular device was not equipped with it; a few fell through the cracks, so to speak, when this particular one was provisioned. Obviously, sound compliance with security policies and practices was neglected. The iPhone has an auto-wipe mechanism that erases the device after 10 brute-force attempts, which would completely destroy the forensic evidence.
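The sketch below is an added example, not Apple's code or its actual key-derivation construction: it models the two properties described above, a passcode entangled with a device-bound UID and an auto-wipe after 10 wrong guesses. PBKDF2-HMAC-SHA256, the `Device` class, the iteration count and all other names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 20_000   # assumed work factor; every guess costs real time
MAX_ATTEMPTS = 10     # auto-wipe threshold described in the text


def derive_key(uid, passcode):
    # Simplified entanglement: the device-bound UID is mixed into the
    # derivation, so the passcode alone never determines the key.
    return hashlib.pbkdf2_hmac("sha256", passcode.encode(), uid, ITERATIONS)


class Device:
    def __init__(self, passcode):
        self._uid = os.urandom(32)  # stand-in for the fused 256-bit UID
        self._check = self._tag(derive_key(self._uid, passcode))
        self.failed = 0
        self.wiped = False

    @staticmethod
    def _tag(key):
        return hmac.new(key, b"unlock-check", hashlib.sha256).digest()

    def unlock(self, guess):
        if self.wiped:
            return False
        tag = self._tag(derive_key(self._uid, guess))
        if hmac.compare_digest(tag, self._check):
            self.failed = 0
            return True
        self.failed += 1
        if self.failed >= MAX_ATTEMPTS:
            self._check = b""   # discard key material; data is unrecoverable
            self.wiped = True
        return False


def keys_differ_across_devices(passcode):
    # Same passcode on two devices: different UIDs give unrelated keys,
    # so guesses have to be made on the device that holds the UID.
    a, b = Device(passcode), Device(passcode)
    return derive_key(a._uid, passcode) != derive_key(b._uid, passcode)


def guess_until_wiped(device, guesses):
    # Returns how many guesses the device processed before it unlocked or wiped.
    for count, guess in enumerate(guesses, start=1):
        if device.unlock(guess) or device.wiped:
            return count
    return len(guesses)
```
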

Terrorism – Advocating Privacy Over Physical Harm

The government has a valid point and I don’t think our industry is right when the security technology provided is used by criminals and terrorists to murder others in cold blood. Regardless, the general population uses these mobile devices and the vast majority of them are not managed by MDM systems. We can say most of us are law-abiding, but how can law enforcement distinguish the good from the bad apples? Are we advocating that our privacy and civil liberties are more important than human life? If so, the industry then becomes an involuntary accessory to murder or complicity by not cooperating, not sitting down and figuring out a solution that would enable our government to do its job protecting us from physical harm, upholding the rights to privacy and much more.
Yet with all this craziness, everyone seems to forget the irony that Apple bowed to China’s demands, and so did IBM.  This weakens the government’s ability to combat terrorism on its soil and its global security posture. Why should American companies bow to our adversaries and prohibit our law enforcement and military from protecting us? Profit and greed at the expense of our security in the name of privacy.

In the industry’s defense, even if our government enacts special access to these devices, there is no guarantee that it would be the practical solution law enforcement wants. Criminals and terrorists could just acquire other products that do not have a backdoor. American companies would be at a disadvantage: Apple, Google and others may be required to provide exclusive access, yet our laws would not hold up with companies outside U.S. jurisdiction that sell end-to-end encrypted communications applications. Criminals and terrorists would just use other means.

Encryption Debate Letting the Genie Out of the Bottle

The industry knows well the FBI wants some sort of exclusive access to encrypted systems, which will give law enforcement access to a master encryption key (or keys) needed to decrypt data residing on or passing through a network. This unique access creates a single point of vulnerability into systems, precisely what organizations and individuals are increasingly trying to avoid. According to a recent report produced by encryption experts, special access not only undermines the confidentiality of data but also its authenticity, i.e., hackers who acquire the master keys would be able to forge communications and make them look legitimate.


Here are some solutions, some currently in use and more innovative ones on the horizon; stressing the need for the special tools that law enforcement wants is extremely important.
  • Access Keys – The large technology service providers like Google, Microsoft, and Apple are able to securely hold the individual access keys, making it possible to give law enforcement special access to encrypted communications without jeopardizing the security of that data. Until this is determined or other solutions are presented, the cybersecurity stakes are much too high to provide exclusive access. Exclusive access to decrypt systems and communications cannot be feasible until the security of such access is assured.
  • Biometrics – The use of encryption with a biometric lock provides adequate protection for the decryption key. This would allow law enforcement to break encryption through direct interaction with the individual being investigated or charged. Moreover, the vast government database of fingerprints and other biometrics can be utilized.
  • GPS Telemetry – A GPS database can be used for a variety of different purposes and is an integral part of law enforcement software. Primarily, database-driven GPS (Global Positioning System) mobile devices are used for navigation and tracking in the civilian world. Criminals can be tracked and quickly apprehended.
  • Mandatory Cloud Backup – The entire contents of the device are encrypted and automatically backed up to the service provider’s cloud. The user is prohibited from disabling this feature. In a criminal case, law enforcement with a proper court order may serve the service provider and gain access to the contents of the backup.

This is a legal, moral and ethical explosion that many have warned would happen, yet we never address it until a calamity occurs. Then and only then do we become mobilized, beginning with turf battles, lawsuits and future legislation not in anyone’s best interests, instead of the rational thinking that should have been applied years ago.