When the first plane hit at 8:45AM on September the 11th, 2001 I was somewhere between the 3rd and 4th floors in building 3 of the World Trade Center. A frantic 15 minutes later the second plane hit directly above me as I was exiting the South Tower. I saw the flash, and what seemed like an eternity later, I heard the impact.

Due in large part to my experience on 9/11, I have always fully supported Law Enforcement in their campaign against the agents of terror. We should make sure that Law Enforcement has the tools it needs to combat threats from violent extremists of all kinds. But at the same time, a big part of supporting law enforcement and protecting our national security is that we also must be very careful to not advance solutions that could be used against us at a later date. The FBI request of Apple to create a backdoor into the iPhone for Law Enforcement is exactly the kind of feature that will eventually be used against us. Given how important technology is today in our lives and economy, an effective security strategy, crafted only with the short term in mind, is a liability we simply can't afford.

Opening a Door to Vulnerability

I've been working to help secure computer systems for the entirety of my professional career. It is incredibly difficult to build computer systems that are not vulnerable to attack. As we've seen, a number of companies and governments have had great difficulty protecting the front door of their computer systems. I've dedicated my career to making sure our systems are designed, built, and operated to the most secure standards. And even with that tremendous investment, bugs still happen. Due to the many layers of security controls built into our systems, software bugs are usually not damaging or catastrophic in nature. But peeling away those layers of control to create a backdoor means that even the most basic security bug could potentially have a catastrophic effect. This reality is missing from our current debate about the FBI's order to Apple in the San Bernardino tragedy.

And the stakes are only getting higher. While it may feel that this seemingly small breach of our collective privacy is worth it in this case, digital systems today underlie an incredible portion of our daily personal and economic lives. In the context of smart phones, this may be limited to a breach of privacy, but as computer systems come to control airplanes, cars, and industrial facilities, the potential impact is massive. As Judge Orenstein ruled yesterday on a similar case in New York, many more devices are being connected to the web every day as part of the emerging Internet of Things, everything from lamps and door locks, to appliances. The idea that all the data these devices will create are subject to 'virtually limitless expansion'* goes well beyond our norms, and this new world is already going to be a massive challenge for security professionals to protect these devices from bad actors without this added complexity.

More Security, not less, is the Answer

In this broader context, the answer to this problem is more security, not less. Any backdoor -- no matter how well intentioned -- is just as likely to help those who would commit crimes, or worse, commit violence, as it is to help those pursuing justice. We need greater investment in encryption and in more fine-grained controls for our digital lives. Industry must partner closely with both Law Enforcement and Congress to ensure that sensible legislation is drafted that both maintains the security of our systems and provides Law Enforcement with the tools to fight crime. Striking this balance, and the tradeoffs and compromises it will require, need to be made via a rigorous public debate and carefully thought out legislation, not via ad hoc requests from the Judiciary.

Despite my personal experience with 9/11, I would never presume to understand how those affected by the mindless violence in San Bernardino feel, but I do have immense sympathy for them and their community. I would argue that we must remember that their tragedy is part of a global conflict. To win that battle and to ultimately make the world a safer place, we should not yield to the forces that seek to change us through violence and intimidation.

*Page 32, footnote 26

Box Inc. issued this content on 02 March 2016 and is solely responsible for the information contained herein. Distributed by Public, unedited and unaltered, on 02 March 2016 21:21:47 UTC

Original Document: https://www.box.com/blog/chief-information-security-officers-perspective-apple-fbi/