Monday, the Justice Department removed a claim in federal court seeking to compel Apple, Inc. to create new software providing FBI investigators a backdoor into the phone of Syed Rizwan Farook, the San Bernardino gunman, citing that they discovered an alternative method to hack into the phone.
Cybersecurity analysts now believe that, if the government’s stated position is true, the federal government is actively in violation of the Vulnerabilities Equities Process (VEP) which compels US officials to disclose software vulnerabilities unless there is a compelling reason. The government is now obligated under administrative law to disclose to the company the vulnerability.
It remains unlikely that the US government will act in accordance to the requirements of the VEP, assuming that they have indeed discovered a method to hack into an iPhone, because federal officials would now have a secret way to engage in mass surveillance on iPhone users.
Others speculate, however, that, after Apple challenged the government’s request, claiming it was overbroad, CEO Tim Cook raised the possibility that new software the company was being asked to create would leave all iPhone users vulnerable to government surveillance, the Justice Department dropped the case, for fear of establishing a negative court precedent that would impact future surveillance opportunities.
The Justice Department’s position, however, leaves Apple users and shareholders in a perilous position. Federal officials, under risk of perjury, have said that the company’s vaunted security software has a flaw that leaves users subject to surveillance or hacking.
For that reason, the government’s invasive actions against Apple and the privacy concerns of all iPhone users necessitates that the information be released to the company so that they can adapt their security protocol to prevent future intrusions.
But that vulnerability may not even exist.
The criteria the government uses to determine whether or not a software vulnerability must be disclosed to protect end users from cyberattacks is as follows:
1. Is the system is widely used?
2. Does the vulnerability pose a significant risk to users?
3. Can an adversary nation or criminal group do harm with the vulnerability?
4. How likely is it that you would know the vulnerability was exploited?
5. How necessary is the intelligence that could be gathered by exploiting the vulnerability?
6. Are there other ways to get that intelligence besides exploiting the vulnerability?
7. Could the vulnerability be used for a short period of time before disclosure?
8. How likely is it that somebody else will discover the vulnerability?
9. Can the vulnerability be patched or otherwise mitigated?