The FBI is using a federal court to compel Apple to create a special version of its operating system so it can get inside the iPhone 5c used by one of the San Bernardino terrorists. But when it did that, the law enforcement agency showed remarkable ignorance in exactly how smartphone technologies work, according to a veteran of Atlanta’s famed hub of cybersecurity companies.
“There’s a court order asking for something that is technologically impossible but is easily understandable,” said Adam Ghetti, founder and CEO of Ionic Security. “They said, ‘Build me software that will only run on this phone for one time to get me access.’ I can’t do that, I just can’t do it.”
Ghetti’s remarks were part of a spirited conversation that took place Wednesday night at the MIT Enterprise Forum panel in Midtown Atlanta. Ghetti was one of five participants selected as leaders of the city’s cluster of established and startup cybersecurity companies – a cluster that is celebrating its 30th year in 2016 (SecureWare, a local provider of security for Unix workstations, was founded in 1986.)
Others on the panel included Derek Harp, co-founder and executive chairman of NexDefense; David Mayron, chief scientist at Bastille Networks; Kerry Armistead, vice president of product management for Lancope, recently acquired by Cisco; and Glenn McGonnigle, general partner at TechOperators, who also served as the panel’s moderator.
Most of those taking part in the “2016 Trends in Cybersecurity” forum are serial entrepreneurs, and McGonnigle said their companies had raised nearly $200 million in venture funding. The enterprise cybersecurity market is expected to be a $170 billion business by 2020, and news about the latest threats, vulnerabilities and data breaches now regularly cross over into mainstream media coverage.
That has included the showdown underway between Apple and the FBI – the “elephant in the room” as McGonnigle called it.
“If you have a legally supplied court order to do something, you should comply with it, but I’m not sure this mechanism really addresses it,” said Mayron. “I don’t think (the issue) is worth the ink written about it. If I can figure it out in my den in 15 minutes, I would think the FBI could do it too.”
Ghetti told the audience he had a recent discussion with “a senior administration official” about the Apple/FBI standoff. He told the official, “if you really want access to that data, a firmware patch will get it for you. You guys have tens of thousands of highly skilled engineers, and several hundred of them I can name that can build you that patch. You could have kept it classified. Why are you trying to compel the commercial developer to do that? It was a short conversation.”
McGonnigle followed up: “Did you get an answer?”
“I did,” Ghetti said. “He said he hadn’t thought of that before.”
Ghetti, others on the panel and members of the audience are heading to San Francisco next week for the RSA Conference, the cybersecurity industry’s largest annual trade show. McGonnigle asked the panelists what he expected would be the main discussion topics (besides Apple vs. the FBI) at the show.
Harp says a late December attack by suspected Russian hackers that shut down power in the Ukraine should prompt discussions at RSA.
NexDefense’s mission is to protect “networks that contain pumps and valves and turbines, and they have a whole bunch of differences,” Harp said. “They still have switches and routers, but from that moment they start to diverge. They use proprietary networking protocols, and they’re managed by non-IT people.” Harp got a laugh from the audience when he said that some of the industrial operating networks are still powered by unsupported Windows XP or DOS.
Harp said three different geographic regions of the Ukraine were taken down at the same time, and the hackers included attacks on call centers. “It probably started with a Word document macro,” he said, referring to someone opening up something in an email that they shouldn’t have. “Stealing credentials is the way this gets going.”
Since the Internet of Things played a big role in last month’s International Consumer Electronics Show in Las Vegas – all kinds of connected devices and household appliances were on display – Mayron expects IoT security to be talked about a lot at RSA. Mayron’s Bastille Networks, one of the few cybersecurity companies focusing on IoT and connected devices, made news this week when it uncovered “mousejacking” flaws in wireless keyboards and computer mice that could allow a hacker access to personal and business data from up to 110 meters away.
Bastille’s mission is to first help companies find wireless access points and related devices that they may not be aware are within their networks. “We’re educating people on what threats they already have in what they’ve already bought,” Mayron said. “People say, ‘Well, IoT’s interesting but we’re not going to be buying anything like that until 2017 or 2018.’ Well, you’ve already bought it and that’s the problem we’re trying to solve. We’re predicting we’ll see these vulnerabilities in networks in companies until 2020, 2021.”