Apple’s challenge to the F.B.I. feels like a battle of behemoths—and there’s no clear end in sight. Surely, the Supreme Court will decide. But Apple is an international company, and therefore the issue of cybersecurity is an international one.
In a recent IVY Ideas Night, cybersecurity expert Bruce McConnell discussed some of the major cybersecurity issues that international companies like Apple face in the 21st century. As the former U.S. Deputy Under Secretary for Cybersecurity, Bruce was responsible for aiding all civilian agencies in Cybersecurity protection and has advised the government and other significant entities on cybersecurity for the past 16 years. Bruce now serves as the Global Vice President of the EastWest Institute, a non-profit non-partisan “think and do” tank focusing on international conflict resolution through a variety of means, including cybersecurity.
Read below to learn some of Bruce’s key insights and takeaways.
Governments can’t solve these problems alone.
The Apple debate is a really critical issue. It involves the relationship between the government and the private sector, which is a relationship we’ve got to figure out how to get right, especially in the security area.
Governments can’t solve these problems—governments are tied to territories, and these problems are international, global problems. Companies like Apple, on the other hand, have to do business everywhere, so they have an advantage in thinking globally. And we need to be thinking globally.
It’s exciting that Apple is taking a stand on this particular case. It’s now in the courts, so there’s a process that we’ll go through. Assuming it goes as one might predict, it’ll end up at the Supreme Court in about 2 or 3 years from now, so it’s going to be a long conversation. We have a lot of time to influence the outcome.
Ideally, of course, we don’t make policy in the courts; we make policy in the Congress. So, this also gives Congress some time to manage or try to manage this issue and figure out what they’re going to do, since nothing will happen between now and this time next year at the earliest. (It’s the “silly season” right now, as we say in Washington, the election time.)
The ramifications for this decision are international.
People are saying that there’s a cost to public safety if the FBI can’t get the information off the phone. But really, there are many parts to this conversation. For example, what other information can law enforcement get without unlocking the phone? There are a lot of work-arounds out there. Maybe you can’t get the plaintext, but you do know where this person was, and you know who they called. There’s a lot of metadata out there that’s available to law enforcement that can be pieced together. Law enforcement will even sometimes tell you the metadata is more valuable to investigators than the content of the communications.
This whole issue is about how law enforcement can keep us safe from terrorists, and that’s important. It’s our physical safety, and so as humans, we react to it. But we also are concerned about our cyber safety, and the security of our health data and the security of our business. So, we have to ask ourselves what the trade-off is with those security questions.
Of course, also, it’s great if we make a decision in the U.S.—we’re the leader in cyber and the leader in many things—but our answer is not going to be immediately taken up everywhere else. So one thing we’re doing to help solve this problem on an international basis is holding a workshop with Europol, the European Police Agency, to discuss this on an international level. We’ll try to figure what kind of regime will work for everyone. If Apple, Microsoft, or any of these companies give this permission to the U.S. Government, then other governments will want it too. And they’ll all want something different.
It’s unlikely that cyber warfare will happen independent of a larger conflict.
Cyber weapons are very attractive these days. They tend to be non-lethal, at least at this point. They’re also cheap to use. In fact, anybody can use them. That’s the problem, of course. The barriers to entry are very low. It’s unlike trying to build a nuclear bomb or even a biological weapon where you need huge technical expertise. Because the technology that we’re defending is pretty soft—and then it’s made more soft by the fact that people don’t implement all of their patches—it’s really easy to attack.
Actually, it’s unlikely that someone is going to attack from cyberspace. Why would they want to bring down Wall Street? China and Russia, for example two potential threats, are big participants. They’re big players on Wall Street. They need Wall Street to work. From what we’ve seen so far, cyber-attacks are used as one weapon in a part of a larger conflict. The first piece of the answer is that you’re not going to see a cyber war by itself—you’re going to see it as a part of some larger international conflict. The question is, during peacetime, what is permissible and what is an act of war?
International law doesn’t define cyber attacks.
In international law, an act of war has to include great amounts of physical destruction or the killing of people. There are no rules about cyber threats currently written into the international law. But 20 major countries recently got together and agreed that countries should not attack each other’s critical infrastructure in peacetime and that they should help each other. This isn’t a treaty—it’s a group of experts, but both Obama and Xi Jinping have agreed that this is good policy. I think there is progress in this area.
What’s interesting is that norms of company behavior are starting to appear. Do companies have responsibilities to make the internet more safe as well? For example, companies probably should not build back doors in their products. Similarly, they should not withhold security patches from customers. These emerging corporate norms show how companies are stepping up to do their part to secure cyberspace.
IVY is a social university dedicated to inspiring connection, collaboration, and growth. To learn more, visit IVY.com.