NSA Isn’t the Going Dark Solution, Part I: Richard Clarke Gets It Wrong

Susan Hennessey
Thursday, March 24, 2016, 2:04 PM

Published by The Lawfare Institute

Let’s start with a point that will be of significant emotional satisfaction to many readers: Richard Clarke was dead wrong.

In a remarkable statement last week, the former Clinton and early Bush administration counterterrorism official told NPR’s Morning Edition:

Clarke: If I were in the job now, I would have simply told the FBI to call Fort Meade, the headquarters of the National Security Agency, and NSA would have solved this problem for them. They’re not as interested in solving the problem as they are in getting a legal precedent.

[NPR Reporter] David Greene: Wow, that sounds like quite a charge. You’re suggesting they could have just gone to the NSA to crack this iPhone but they’re presenting this case because they want to set a precedent to be able to do in the future?

Clarke: Every expert I know believes that NSA could crack this phone.

Clarke’s allegation that the FBI is more interested in legal precedent than in solving the problem appears to have been soundly refuted by this week’s events. Not only has the FBI actively sought alternative methods to unlock the phone, but it has apparently found such a method. And it is apparently willing to use it as an alternative to compelling Apple’s assistance under the All Writs Act.

But Clarke may have been wrong on another key point as well: The FBI did not find the new tool by asking the NSA for help, after all, and going to the NSA for help is not at all the simple solution he claims.

Unless you’ve been living in a cave, you know by now that the Justice Department believes it may have a tool to access data on the iPhone at the center of a California legal battle. It says that the method—still under investigation—was not known to authorities before this weekend and that it was provided by a non-governmental source. A number of critics are not buying it, alleging that the last-minute discovery is only further proof that the FBI has known all along how to unlock the phone in question without Apple’s assistance. Others claim the other party—identified in media reports as an Israeli security firm—is actually the NSA itself. Leaving the conspiracy theories aside, it looks like the Israeli technology sector—considered leaders on encryption technologies—may have been a bigger part of the solution than the government’s own expert agency.

The episode raises two big questions: First, should the FBI be required to look to Fort Meade for help, and second, should it be required to look to private companies for assistance before asking a court to make Apple itself help?

Both questions were before the court in California. And the FBI’s voluntarily seeking the assistance of third-party commercial services does not resolve the question of whether it is legally obligated to do so prior to demonstrating “necessity” under the All Writs Act. What’s more, the resolution—if a resolution it turns out to be—leaves open the question of whether the FBI should have done what Clarke suggested or has some obligation to consult with the intelligence community prior to compelling non-party assistance. After all, if the government has to consult the Israelis, it stands to reason that it may also have to consult itself.

Apple argues that in order for help to be truly necessary, the government must attest that even the intelligence community is unable to achieve the goal. On its face, this is an entirely new theory of the scope of “necessity” under the applicable law. I can find no other example of a court’s requiring, or even asking, for the Department of Justice to certify that the whole of government is unable to accomplish the given assistance—though plenty of orders remain under seal. That said, a judge could determine that “necessity” under the New York Telephone Company test should require the government to be certain no other federal agency can accomplish the task.

But in this set of posts, I want to suggest something broader: that the debate surrounding the San Bernardino case is an excellent illustration of why an obligation to exploit intelligence community capacity is a truly terrible idea whose proponents, Clarke most notably, have apparently not considered fully.

The idea that we should just bring in the NSA has some pretty high profile support beyond Clarke. It has far less among those who have a deep understanding of the relationship between intelligence and law enforcement. As Greene notes, what is actually astonishing in Clarke’s comments are his claims regarding NSA’s capabilities. Note that Clarke in that interview was either committing a crime or he has no factual knowledge on which to base these claims—and we should give him the benefit of the doubt: ignorance over criminality. The specific technical capabilities of the intelligence community are some of the most closely guarded secrets in the US government. If Clarke—who served on the President’s Review Group but has not actually been in the government in more than 13 years—had any specific classified knowledge, he would not and could not be discussing it. Absent a serious breach of classified information, Clarke and the experts he cites simply do not know what the NSA can do on this or any future device. He is simply speculating.

If we look at the statements of those individuals who are not simply speculating, it is entirely plausible that no part of the IC was aware of the method the FBI is now playing with prior to its recent discovery. For example, in his testimony before the House Judiciary Committee earlier this month, FBI Director Jim Comey was asked whether he had consulted with other federal agencies, including the NSA.

[Representative Judy] Chu: Has the FBI pursued these other methods or tried to get help from within the federal government such as from agencies like the NSA?

Comey: Yes, is the answer. We've talked to anybody who will talk to us about it and I welcome additional suggestions. Again, you have to be very specific; 5c running iOS-9, what are the capabilities against that phone? There are versions of different phone manufacturers and combinations of model and operating system that it is possible to break a phone without having to ask the manufacturer to do it. We've not found a way to break the 5c running iOS-9.

Certainly Comey was speaking carefully: The FBI has consulted with those federal agencies willing to talk about the subject and none has a method to unlock the phone in question. This is admittedly something short of the strongest possible terms of denial. But the answer isn’t so careful as to be insignificant. The Director of the FBI said, under oath, that at the time he knew of no way to unlock the phone and had consulted with other agencies. Considering that elements of FBI form part of the intelligence community and that Comey testified alongside DNI Director Clapper and NSA Director Rogers on issues related to Going Dark just weeks before, there is reason to believe the FBI, in fact, had sought the counsel of the IC, NSA included, on potential solutions. It would be surprising if it had not.

Comey’s testimony suggests the precise opposite of Clarke’s claim: Just because something is possible in theory, NSA may not be able to do it.

Apple itself has been more careful than Clarke in pointing to NSA as the fix. In that litigation, Apple never alleged that any part of the US government has such a capability. In fact, both Apple and the government’s experts agreed that both the FBI and Apple “were unable to identify any other methods … that are feasible for gaining access to the currently inaccessible data of the SUBJECT DEVICE.” Apple cited to Clarke’s statements, as well as the testimony of Susan Landau, discussed below, in claiming that the government has “an obligation to consult other agencies.” But beyond asserting that the government and third-parties have “come close to developing a tool,” Apple never stated that it believed the data could be obtained without its assistance. So this new tool, if it works, is as much news to Apple as it is to the FBI.

What Apple is proposing in its brief, and what Clarke refers to in saying the FBI should just “call Fort Meade” to “solve the problem,” is based on some awareness of the process of requests for technical assistance (known as RTAs). Under a set of limited and regulated circumstances, federal agencies can provide particular types of technical help to other parts of the government and, in even more limited cases, the private sector. The complex underlying regime, based on statutes, executive orders, and formalized memoranda of agreement, operates differently in different circumstances. But as a general matter, yes, sometimes federal agencies can loan each other tools and experts.

What federal agencies cannot loan one another is legal authorities; to the contrary, in providing technical assistance, they adopt one another’s legal constraints.

This final point is a large one. And those offering NSA as the solution to Going Dark seem to be missing it. Consider the testimony of Landau later in the same hearing as Director Comey—which is cited to in Apple’s brief—wherein she insinuated that even if the NSA did have the capacity, it would not be willing to share such information with the FBI:

LANDAU: So I noticed when Director Comey answered the question, he said, we talk to everyone who will talk with us and as I mentioned earlier, I don't know if you were here at that point, I had a conversation with some senior DOJ people a few years ago about using NSA tools in law enforcement cases and they said, NSA is very [loath] to share because of course when you share a tool, it can get into a court case and then the tool is exposed. And so I don't know in the—we talked with everyone who will talk with us, how much NSA revealed about what they know and what they can do.

What critics like Clarke are missing—and what observers might fail to appreciate from Landau's testimony alone—is the limited nature of RTAs, the relevant legal and policy considerations underlying the separation of the intelligence community from domestic law enforcement functions, and the significantly negative consequences of pursuing this path. And there are negative consequences whether or not NSA has a given capability. Intelligence agencies can lend FBI some capacity, but as I’ll explain in Parts II and III of this series, there are big things NSA cannot lend: namely, ongoing support for domestic law enforcement functions or the legal authorities that empower the development of signals intelligence tools.

For the record, I—like Richard Clarke and Susan Landau—have no personal knowledge of the specific capabilities at issue in the San Bernardino phone (if I did, I wouldn’t be writing about it). But imagine the inevitable future scenario in which the technology has evolved to create new uncertainty over the capabilities of the intelligence community. In the remaining parts of this series, I will consider the possibilities and consequences of Clarke and Landau’s proposed solutions where (in Part II) NSA does not have the capability to unlock the phone, or (in Part III) NSA does have the capability to unlock the phone but will not acknowledge that fact.

Neither scenario is a pretty one.

Susan Hennessey was the Executive Editor of Lawfare and General Counsel of the Lawfare Institute. She was a Brookings Fellow in National Security Law. Prior to joining Brookings, Ms. Hennessey was an attorney in the Office of General Counsel of the National Security Agency. She is a graduate of Harvard Law School and the University of California, Los Angeles.