Defense and Security

Intelligence

  • Germany
    Cyber Week in Review: May 13, 2016
    Here is a quick round-up of this week’s technology headlines and related stories you may have missed: 1. German spy accuses Russia of last year’s Bundestag cyber incident. Hans-Georg Maassen, the head of Germany’s domestic intelligence agency (BfV), accused "the Russian state" of being behind the cyber incident that crippled the German parliament’s computer networks for a few days last year. Maassen said that the incident represented a shift in Russia’s tactics, as Russian intelligence agencies now show "a willingness to conduct sabotage" instead of simply spying. This isn’t the first time Russia has been accused of engaging in sabotage-related cyber activity. Last year, L’Express reported that French investigators suspected that a Russian-based threat actor, known as APT28, Sofacy, and Pawn Storm--the same group the BfV believes to be behind the Bundestag incident--was behind the incident that took TV5 Monde off the air. According to the Wall Street Journal, a Kremlin spokesperson was unavailable for comment though Russia will most likely deny the accusation. 2. Accusations of Facebook bias raise broader questions of algorithmic neutrality. Technology website Gizmodo reports that Facebook allegedly suppresses conservative news content in its "trending" module, located in the top right corner of Facebook’s browser version. The anonymous source on which Gizmodo bases its reporting and who is a self-described conservative alleges that Facebook’s human curators omitted to recognize "Mitt Romney or Glenn Beck or popular conservative topics" as trending. Facebook denied the accusation, though it acknowledged some form of human curation to determine which stories people see in their news feeds (possibly to prevent your news feed from turning into Tay). The debate over neutrality of algorithms and human curation in tech products is not new. 
Google, given its market dominance in search, has long been accused of curating people’s search results based on user preference and its own search algorithm. It’s unsurprising that Facebook faces similar allegations as it becomes a primary source for news content, something that New York Times columnist Farhad Manjoo says should prod Facebook into developing journalistic standards. 3. Comey no fan of WhatsApp. In a development that will surprise no one, FBI Director Jim Comey said this week that WhatsApp’s deployment of end-to-end encryption will make it harder for law enforcement to implement wiretap orders and use other legal means to investigate national security cases. Comey also said that encryption was "essential tradecraft" for terrorist groups and that, between October 2015 and March 2016, the FBI couldn’t unlock 500 phones among the 4000 it was asked to inspect, a failure rate of about 12 percent. If you want more on the encryption debate, be sure to check out this CFR event, in which Michael Chertoff, Cyrus Vance and I debate going dark, backdoors, and the value of privacy in the digital age.
  • China
    Friday Asia Update: Five Stories From the Week of April 29, 2016
    Rachel Brown, Lincoln Davidson, Gabriella Meltzer, Gabriel Walker, and Pei-Yu Wei look at five stories from Asia this week. 1. Afghan female athletes forced to the sidelines. Despite annual donations to the tune of $1.5 million from the American government and other Western donors to women’s sports in Afghanistan, these programs have proven to be an abject failure in the promotion of women’s empowerment and equal participation. The efforts have been riddled by corruption; the cricket program “consist[s] of little more than a young woman with a business card and a desk” and the women’s soccer team has not played an international match in years. The most corruption has been in women’s cycling. The cycling program was originally hailed as a model for women’s sports in the Middle East defying prevailing gender norms. However, the National Olympic Committee terminated its coach and manager, Haji Abdul Sediq, once it was revealed that he had married and divorced three young athletes during his tenure. Another rampant problem is growing violence against women in a conservative, patriarchal culture where many women do not feel safe to publicly train and instead often leave the country to pursue their athletic ambitions. Shamila Kohestani, an Afghan soccer star who aspired to return to Kabul to coach, commented that Afghan officials’ support for women’s sports programs was motivated more by their popularity with donors than a belief in female athletes. 2. U.S. Justice Department asserts its oversight over espionage cases. In a private letter to federal prosecutors around the country, Deputy Attorney General Sally Yates wrote that all cases relating to U.S. national security would require “coordination and oversight in Washington.” Although that procedure had always been intended, the explicitness of Yates’ letter was likely due to a growing number of botched espionage cases against Chinese-Americans over the past two years. 
Among the most prominent were cases—all of which were later dismissed—against two pharmaceutical scientists accused of leaking proprietary information to a Chinese drug manufacturer, a hydrologist accused of stealing national dam data, and a physics professor accused of sharing U.S. superconductor technology with China. But at the same time, there have also been real cases of recent espionage against the United States by Chinese nationals, including Su Bin, who tried to steal information on the F-22 and F-35 jets, and Mo Hailong, who conspired to steal corn seeds engineered by DuPont Pioneer and Monsanto from an Iowa field. Just yesterday, a Chinese businesswoman was indicted for procuring underwater drone equipment for the People’s Liberation Army Navy. Hopefully, increased Washington oversight means fewer legal mistakes for cases that may be driven more by suspicion than actual facts. 3. China reasserts control over web. As China’s National People’s Congress passed a law restricting the activities of non-governmental organizations in China, the Chinese government also reasserted its control of the Internet. On April 19, Chinese Communist Party General Secretary Xi Jinping convened a meeting with top officials and heads of technology companies, where he said that “the fact that core technology is controlled by others is our greatest hidden danger.” Chinese leaders have long expressed fears that the United States uses technology companies to spy on the rest of the world. According to the Wall Street Journal, the Cyberspace Administration of China (CAC), the country’s chief Internet regulator, put forward a proposal this week that the government take a financial stake in major domestic technology companies and be given a seat on the companies’ governing boards. Meanwhile, CAC Director Lu Wei met with his Russian counterpart at the first China-Russia Cyberspace Development and Security Forum in Moscow. 
At the meeting, Igor Shchegolev, Russia’s top Internet regulator, echoed the Chinese position on technology, reportedly saying that to protect national interests, Russia “can’t rely on transnational IT firms.” As the two governments come together to promote a norm of “cyber sovereignty” in opposition to the norm of openness online promoted by the United States, it remains to be seen if other countries will join them. 4. Papua New Guinea shuts down asylum detention center. Australia’s asylum processing system faced new challenges this week following a ruling by Papua New Guinea’s Supreme Court to close the Manus Island detention center hosted for Australia. Papua New Guinea’s prime minister confirmed the decision, creating a dilemma for Australia over whether to relocate the approximately eight hundred and fifty asylum seekers held on the island. Australia operates a much-criticized policy of “offshore processing” for refugees in which prospective asylum seekers are sent to small Pacific islands. The government argues that this deters migrants from embarking on perilous ocean journeys to Australia. The Australian and Papua New Guinean governments are currently debating who has responsibility in the case. One option would be for Australia to relocate asylum seekers to other detention sites at Christmas Island or Nauru. Troubles also exist on the latter island, however, which hosts over four hundred and fifty asylum seekers in an open camp. A twenty-three-year-old Iranian man detained on Nauru died today after setting himself on fire in protest of camp conditions. These two incidents may force Australia to rethink its immigration policies. 5. Party organizers receive jail time in Taiwan. The organizer of a “Color Play Party” that caused a fire at a Taiwanese water park last June was sentenced to four years and ten months in prison. 
The party, which took place at Formosa Water Park in New Taipei City, featured colored powders  sprayed into an audience of roughly one thousand guests. A subsequent explosion killed fifteen and injured more than four hundred party goers. Some victims sustained burns to over 80 percent of their bodies. Lu Chung-Chi, owner of Color Play Asia, which organized the party, was found guilty on April 26 of negligence causing death. The families of the victims and many members of the public thought that the sentence was too light, but prosecutors said that under Taiwanese law the maximum prison sentence for workplace negligence is five years and so four years and ten months is comparatively harsh. Relatives of the deceased were also angry that Lu was the only person indicted over the fire and eight other park executives were not charged due to lack of evidence. Some family members protested outside the courthouse on Tuesday. Taiwan’s high prosecutor’s office has ordered the case to be reopened and for the district prosecutors to reexamine the culpability of other suspects in the tragedy. Bonus: Movie studios “whitewash” Asian characters. Upcoming movie adaptations of books have drawn ire in recent weeks following announcements that characters who are Asian in the books will be played by white actresses. Major Motoko Kusanagi, the main character of the Japanese manga, TV show, and animated movie series Ghost in the Shell, will be played by Scarlett Johansson in the show’s live-action adaptation. Marvel Studios’ movie adaptation of the Doctor Strange comics will likewise feature a character who is a Tibetan man in the original being played by Tilda Swinton, a white woman. Critics have accused the studios of continuing the Hollywood tradition of reducing the role of Asian characters in film. Producers of both films argue the casting decision is a business imperative. 
Ghost in the Shell screenwriter Max Landis defended Johansson’s casting with the argument that “there are no A-list female Asian celebrities right now on an international level.” And Doctor Strange writer Robert Cargill suggested that casting a Tibetan would be too sensitive for the Chinese market.
  • Intelligence
    Reducing and Managing U.S.-China Conflict in Cyberspace
    Two weeks ago, the Financial Times ran a story that suggested China was sticking by its September 2015 commitment to not engage in cyber-enabled economic espionage. It quoted officials from private sector security firms, who pointed out they had seen a marked decline in the number of intrusion attempts from Chinese actors. Despite the seemingly positive news, there are still tons of skeptics. In a recent National Bureau of Asian Research paper, Tang Lan from the China Institutes of Contemporary International Relations and I explore the relationship between both countries on cyber issues. We unpack how China perceives U.S. interests in cyberspace and vice versa. We conclude that, despite wide gaps on issues like Internet governance, supply chain security, and cybersecurity, both sides "appear committed to not letting cyber issues derail the U.S.-China relationship." To manage the cyber relationship and prevent escalatory activity, both countries should: Ensure that discussions on norms continue at the highest levels and aren’t cut off during times of tension; Discuss joint measures such as intelligence exchanges to prevent the proliferation of cyber capabilities to non-state actors; and Expand cooperative research in universities and civil society. You can read the full paper, free of charge until June 19, here.  
  • Cybersecurity
    The FBI Should Disclose the Vulnerability to Apple—Just As Soon as It Has Another
    Yesterday, Federal Bureau of Investigation Director James Comey revealed that the FBI had paid more than he will make in the remainder of his time at the FBI to break into the phone of San Bernardino shooter Rizwan Farook. Quick research and math by Reuters puts that number at $1.34 million. By any metric, that is a lot of money. It’s also $1.34 million more than Apple would have been willing to pay for it. Unlike many other Silicon Valley firms, Apple has no bug bounty program. If a researcher finds a vulnerability in an Apple product, the most they will get is a polite thank you (possibly on a public website). And while Apple is an outlier for not having a program at all, most other companies are unwilling to pay anywhere near what the FBI paid even for critical vulnerabilities. Instead, companies will offer payment in the low tens of thousands--enough to motivate a researcher to “do the right thing” instead of selling a vulnerability on the black market where it likely could fetch many times that. Payouts are calibrated so tech companies know when vulnerabilities are discovered but don’t motivate their discovery. Companies don’t just want to avoid paying out large sums for vulnerabilities, they also want to avoid having to fix their code. From a public policy perspective, the current setup looks a lot like a market failure. Overall, cybersecurity would be improved if more vulnerabilities were discovered, companies were pressured to fix those vulnerabilities, and (eventually) motivated to write more secure code in the first place. That’s not happening right now. The FBI and other federal agencies that purchase vulnerabilities could play a role in making this market function. Instead of sitting on the current vulnerability, the FBI should put out a million-dollar bounty for another one, targeting currently sold phones. 
Every time it finds a vulnerability and starts to exploit it, it should plan to disclose it within six months and get to work finding a new vulnerability. Rinse and repeat. Such a program could cost a significant amount of money but according to the latest statistics out of the Office of Management and Budget, the Federal government currently spends nearly $5.6 billion on “Shaping the Security Environment.” Carving off a small portion of that to develop a program to actively find vulnerabilities for the purpose of securing the ecosystem would likely be a wise investment. After all, in addition to a counterterrorism mission, the FBI also has a counterintelligence mission and plenty of foreign spies surely want to access the intel on the iPhones of thousands of government workers. Under current policy, the federal government, in the words of Cyber Czar Michael Daniel, is strongly biased toward disclosing vulnerabilities. Based on press reports, we know that in the last year of about 100 that went through the vulnerabilities equities process, only two were retained. Yet the purpose for which the government is discovering them is exploitation. The benefit to the security of the ecosystem is a secondary effect. If the equation were flipped and the FBI and other Federal agencies recognized a responsibility to find vulnerabilities so they could be fixed not just exploited, the benefits to the ecosystem would likely be far greater. While the government might only need to retain two vulnerabilities, it might discover and disclose 200 or more of the type that are not easily or incidentally discovered. Over time, the effect could be that Apple and other companies learn how to write code with fewer vulnerabilities in the first place.
  • Cybersecurity
    Encryption Explained: A Council on Foreign Relations Infographic
    The debate over encryption has been in the headlines a lot over the past few weeks, fueled in part by the clash over the San Bernardino iPhone, whether the attackers in Paris and Belgium used encryption tools to communicate, and WhatsApp’s roll-out of end-to-end encryption across its platform of one billion users. But what is encryption? What does it do and what’s the fuss all about? The Council on Foreign Relations’ Digital and Cyberspace Policy Program put together an infographic to explain encryption, law enforcement concerns with ubiquitous encryption, and the arguments against mandating tech firms to maintain the capability to decrypt data. You can check it out here [PDF]. Make sure to share it!
  • Cybersecurity
    FBI to Apple: We Would Probably Disclose the iPhone Flaw if We Knew What It Was
    With yesterday’s announcement that the FBI had gained access to the phone used by Syed Rizwan Farook, the San Bernardino gunman, the tech community is clamoring to find out how they did it. Many commenters believe that any vulnerability used to access the data must be subject to the Vulnerabilities Equities Process (VEP), the process by which the U.S. government decides whether to disclose a computer vulnerability (partially declassified here). Drawing on a blog post that laid out the criteria for disclosure by Michael Daniel, the president’s cybersecurity advisor, many have also concluded that it must be disclosed. Having helped to run the process at the White House, I’d say they have a good case. Daniel laid out nine criteria. A quick run-down suggests that seven of nine favor disclosure: iPhones are widely used in the U.S. economy; With knowledge of the vulnerability, data could be extracted off of phones used by military personnel, diplomats traveling abroad, corporate executives, and just about anybody else; The ramifications of this kind of data theft could be devastating to national security; It would be hard to know whether someone else was exploiting the vulnerability given that it isn’t a remote exploit; Assuming it only applies to an older model, the utility of protecting the capability goes down each day, recommending using it on the phone in question and then disclosing; Someone is likely to figure out how to do it now that everyone knows it is possible; and It probably can’t be patched by anyone other than Apple. Against disclosure, there are really only two arguments: The U.S. government badly needs the intelligence it can get from phones; and That there aren’t other ways the U.S. government can get it. 
The FBI have made a pretty convincing case that data from iCloud and metadata from service providers doesn’t meet all the needs of the investigation; moreover, cloud providers seem to be moving toward engineering their way out of answering requests for data as fast as they can. If the FBI could demonstrate through the VEP that the exploit in question only works on iPhone 5Cs running iOS 9, they’d probably have a stronger case for retaining the knowledge. None of this really matters though. I doubt that the Equities Review Board will ever have a chance to review the vulnerability and weigh these criteria. If a brilliant GS-14 in an FBI forensics lab discovered the vulnerability, no doubt it would be entered into the process; if the FBI contracted with a defense contractor to find an exploitable vulnerability, the same would be true. When the policy was written in 2010, those scenarios likely covered most vulnerabilities exploited by the federal government. Today, however, vulnerabilities are big business. The vendor, whether Cellebrite or another forensics firm, likely did not disclose the details on how they extracted the data. Given that Apple is no longer helping law enforcement for free, extracting data off of iPhones is shaping up to be a revenue stream for companies that can figure out how to crack them. Companies aren’t selling the know-how so law enforcement and intelligence agencies can roll their own; they are packaging them up as products complete with customer service and slick graphical-user interfaces. The vendor probably demonstrated they could access data off of a phone but refused to share the details on how they did it to protect their future market. The week it took to validate the approach likely had less to do with confirming whether it worked and more to do with sorting out the contract details, complete with an industry standard non-disclosure agreement. 
All the FBI can likely tell Apple is what they have already made public: there’s a vulnerability in iOS. Good luck finding it.
  • Cybersecurity
    After a Chinese National Pleads Guilty to Hacking, What’s Next for the U.S.-China Relationship?
    Late Wednesday, the Department of Justice announced that Su Bin, a Chinese national living in Canada, had pleaded guilty to "participating in a years-long conspiracy to hack into the computer networks of major U.S. defense contractors, steal sensitive military and export-controlled data and send the stolen data to China." Over several years, under Su’s direction, two hackers stole some 630,000 files from Boeing related to the C-17 military transport aircraft as well as data from the F-35 and F-22 fighter jets. The information included detailed drawings; measurements of the wings, fuselage, and other parts; outlines of the pipeline and electric wiring systems; and flight test data. Su’s conspirators remain unidentified and at large. The 2014 indictment refers to the co-conspirators as "affiliated with multiple organizations and entities." The plea announcement refers to them as "two persons in China" and says nothing more about them. But in documents submitted as part of Su’s extradition hearing, the U.S. government identified them as People’s Liberation Army (PLA) hackers. The documents included intercepted emails with digital images attached that showed military IDs with name, rank, military unit, and date of birth. Still unknown is whether Su and the hackers operated on their own or were directed by Chinese government officials. Were they motivated by profit, patriotism, or some combination of the two? Much of the correspondence makes the hackers sound like PLA freelancers. Marketing themselves, they tell Su they were involved in previous attacks on defense industries as well as Tibetan and pro-democracy activists—targets with no commercial value but of interest to the government. In some emails, the hackers assure Su that the stolen files will not only give his aviation company, Lode Technologies, a competitive edge, but also help Beijing achieve its military modernization goals. 
Later Su warns the hackers about the size of the payout for their services, telling them that aviation companies are stingy. Is the next step the indictment of the two hackers in China? Last week Admiral Michael Rogers, NSA director and head of U.S. Cyber Command, told the House Armed Services Committee that despite President Xi Jinping’s September 2015 pledge to halt cyber espionage, "cyber operations from China are still targeting and exploiting U.S. government, defense industry, academic, and private computer networks." Indicting Su’s co-conspirators might be a relatively easy way of sending a signal to China. The United States has already apparently identified them, and it seems likely that Su has provided even more information. Making the situation even more interesting, the United States will reportedly indict about a half a dozen Iranian hackers this week for attacks on a New York dam and several banks in 2012 and 2013 (update: it just happened). No matter the short-term impact on U.S.-Iran and U.S.-China relations, Washington appears intent on trying to strengthen deterrence in cyberspace—to convince potential adversaries that the United States can over time attribute attacks and that there will be consequences for cyberattacks.
  • Cybersecurity
    Crisis Averted, Postponed, or Exacerbated? The Department of Justice Delays the Apple iPhone Case
    On the eve of oral arguments concerning a court order directing Apple to assist the Department of Justice (DOJ) in accessing an iPhone as part of the investigation into the San Bernardino terrorist attack, the DOJ asked the federal court to postpone the hearing. The court granted the request. The DOJ told the court that, on March 20, “an outside party” demonstrated a possible way to unlock the iPhone without Apple’s help. The DOJ informed the court it needed time to test the proposed method, but that, if viable, the method “should eliminate the need for the assistance from Apple.” Such an unexpected development in a case of this importance raises eyebrows. Who or what is this “outside party”? What is this method for unlocking an iPhone the DOJ previously insisted could only be accessed with Apple’s involvement? Why had this party and method only come to DOJ’s attention so late in this unprecedented, contentious, and highly publicized case? Will the method work on other locked iPhones law enforcement agencies seek to access? Will the DOJ share this method of unlocking iPhones with Apple? Does the DOJ’s access to a way of unlocking iPhones without Apple’s assistance or the need for a specific court order create different but still worrying legal and policy concerns? Postponing the oral arguments shifts attention away from law to whether the method the DOJ will test provides access to the iPhone without damaging data on the device. If the method works, the court will, with the DOJ’s agreement, vacate the order directing Apple to provide assistance to unlock the iPhone. This outcome would end the showdown between the DOJ and Apple over this iPhone, but this case, and the legal questions it raised, was always about more than one iPhone. These questions will resurface with Apple if the proposed method fails or when the DOJ asks a court to compel a different company to assist law enforcement agents in accessing encrypted information on digital devices. 
The existence of a viable method of unlocking this particular iPhone might provide a way to gain access to other iPhones. In opposing the court order directing it to provide assistance, Apple argued the government was forcing it to create a “backdoor” to software that would render other iPhones vulnerable. Now some “outside party” has handed the DOJ a possible backdoor to iPhones about which Apple apparently knows nothing and, thus, cannot address to protect the privacy of its customers. Given the nightmare Apple conjured in its legal briefs about what the DOJ was trying to force it to do, the appearance of a possible way to hack iPhones might be as alarming as any backdoor it would have created under court order. The positions Apple staked out in its legal briefs mean that it will try to change iPhone software to eliminate vulnerabilities this mysterious method might exploit—and the vulnerabilities will be patched if the DOJ shares the method with Apple. Such counter-measures might make the method effective only for the iPhone connected with the San Bernardino attack. Thus, even if the method proves viable, the legal questions at the heart of the dispute between the DOJ and Apple will remain unanswered and contentious. In addition, use of the method might exacerbate controversies associated with government acquisition, stockpiling, disclosure, and use of software vulnerabilities for law enforcement purposes, such as “lawful hacking.” The encryption conundrum could converge with the software vulnerabilities problem in ways that make effective cybersecurity policy more difficult to achieve. Postponing oral arguments in the Apple litigation might provide Congress with an opportunity to pass legislation settling controversies the iPhone case has stirred up. However, had oral arguments proceeded as scheduled, the court’s decision would, in all likelihood, have been appealed, potentially all the way to the Supreme Court. 
Thus, delaying the oral arguments does not produce significantly more time for Congress to act on the questions the litigation spawned and that will remain unanswered whether or not the method the DOJ is testing works. The world has been watching the Apple case because of its implications for how other governments might handle challenges presented by encrypted devices and data. The legal briefs by Apple and the DOJ laid out the applicable law, the competing interpretations of statutes and constitutional principles, and reinforced the central role of law and an independent judiciary in deciding questions of government power and individual rights. Delaying court proceedings because an unidentified party has provided some unexplained way to hack iPhones seems less transparent, cognizable, and exemplary for people in other countries also struggling with accommodating encryption into their social contract.
  • China
    Cyber Week in Review: March 18, 2016
    Here is a quick round-up of this week’s technology headlines and related stories you may have missed: 1. Are you a laid-off PLA hacker looking for work? There has been an uptick in ransomware-based attacks on computers in the United States coming from China in recent months, four cybersecurity firms said this week. According to the firms, the ransomware appears to be the work of “a known advanced threat group from China” and displays a level of sophistication similar to that of previous intrusions attributed to state-sponsored groups. This is unusual because ransomware is typically used by criminals, not government hackers. Some have suggested that following last year’s agreement between President Obama and Chinese President Xi Jinping to not support cyber-enabled theft of intellectual property for economic gain, Chinese government hackers have had to turn to other avenues to make some cash. Whether that’s true remains to be seen, especially given that there’s some evidence threat actors are increasingly turning to false flag operations to frustrate attribution efforts. 2. Updates in the Apple-FBI case. The Apple-FBI fight over encryption continues to work its way through the court system as more public figures have come out in support of both sides. Last weekend at SXSW, President Obama urged Apple to not “take an absolutist view” of “fetishizing our phones above every other value.” Comedian John Oliver did a whole segment on the issue, concluding that “strong encryption has its costs,” but “the risks of weakening encryption, even a little bit, even just for the government, are potentially much worse.” Apple’s lawyers filed more court documents saying “the government misunderstands the technology” and that the founding fathers “would be appalled” by the FBI’s request. And Apple engineers told the New York Times they would rather quit their jobs than write the code the government is asking for. 
Net Politics contributor Alex Grigsby and I even weighed in with an op-ed in the Washington Post. Simultaneously, a similar storm is brewing between the Justice Department and WhatsApp, the world’s most popular messaging app and a Facebook subsidiary. The Department of Justice is trying to figure out what to do when law enforcement officers have a lawful warrant to wiretap calls made with the app, but are stopped by encryption. Welcome to the future, everyone. 3. Encrypt all web traffic! Google released a new section of its transparency report to specifically focus on the deployment of HTTPS, a mechanism that allows web browsers or applications to encrypt their connection with a website. According to the report, a little over 75 percent of all Google server requests are encrypted and the five countries that request the most encrypted connections are Mexico, Brazil, Japan, India and the United Kingdom. Interestingly, the report not only examines Google’s own traffic but also surveys the use of HTTPS in the top 100 sites on the web that, according to Google, account for 25 percent of all web traffic. Of the 100, only about 33 use modern HTTPS and encrypt their traffic by default. Want to see if your favorite websites offer encryption? Check out the full list here. 4. A new type of commercial attaché. The Department of Commerce announced that it is piloting a "Digital Attachés" program, with the aim of helping U.S. companies navigate "digital policy and regulatory issues in foreign markets and expand exports through global e-commerce channels." The program seems targeted at small and medium enterprises that are less likely to have in-house regulatory affairs and compliance officers to help them navigate potential trade barriers, such as data localization and lawful access requirements.
  • Intelligence
    Red Teaming Nuclear Intelligence: The Suspected Syrian Reactor
    In former CIA and NSA director Gen. Michael Hayden’s new memoir, Playing to the Edge: American Intelligence in the Age of Terror, he describes the case of Al Kibar, in which Israeli officials informed the United States in 2007 about a building under construction in Syria that they thought was a nuclear reactor. Hayden writes, “Then we gave the data to a red team, dedicated contrarians, and directed they come up with an alternative explanation. Build an alternative case as to why it’s not a nuclear reactor; why it’s not intended to produce plutonium for a weapon; why North Korea is not involved.” (p. 258) For the full story of the red teaming of Al Kibar, read this excerpt from my book—based upon interviews with senior Bush administration officials—Red Team: How to Succeed by Thinking Like the Enemy. Red teaming is not only about using a devil’s advocate to scrutinize and challenge day-to-day operations. For institutions facing a significant decision, red teaming may also be a one-time effort. We can see how a properly administrated red team can help ensure that a crucial decision is the right one by studying the following example found in recent national security decision making. In April 2007, Israeli national security officials surprised their American counterparts by informing them about a large building under construction at Al Kibar in a valley in the eastern desert of Syria. In one-on-one briefings, the Israeli officials provided dozens of internal and external color photographs dating back to before 2003. The evidence strongly suggested that the building was a nuclear reactor, remarkably similar to the gas-cooled, graphite-moderated reactor in Yongbyon, North Korea. Israeli Prime Minister Ehud Olmert then delivered his request to President George W. Bush: “George, I’m asking you to bomb the compound.” Senior Bush administration officials were deeply troubled. 
North Korea had conducted its first nuclear weapons test the previous October using plutonium produced in the Yongbyon reactor. The Israeli briefings reinforced the US intelligence community (IC) assessments of “sustained nuclear cooperation” between North Korea and Syria. Though the IC had been monitoring the construction of a facility that they had described as “enigmatic” since 2005, the new Israeli photographs cast the compound in Al Kibar under a harsh new light. Immediately, a Central Intelligence Agency (CIA)-led task force reevaluated all of the available intelligence related to Al Kibar and North Korea’s nuclear cooperation with Syria. Given the flawed intelligence assessment that resulted in the incorrect conclusion in 2002 about Iraq possessing weapons of mass destruction (WMD), nobody wanted to be wrong again. As Bush told his intelligence chiefs: “Gotta be secret, and gotta be sure.” The CIA task force reaffirmed the Israeli officials’ claims, but Bush administration officials took extraordinary measures to increase their confidence level. To ensure that they could be nearly certain in their assessment of Al Kibar, they employed devil’s advocate techniques markedly similar to those invented by the Vatican centuries earlier. National Security Advisor Stephen Hadley told IC officials to assemble some of their best analysts to review the data to see if the facility could be anything other than a reactor. The CIA director, General Michael Hayden, was similarly concerned given that “we had a poor record of assessing the WMD programs of countries bordering the Euphrates River.” He noted, “You increase your certainty by widening the circle, but we still had to keep the circle small to keep it a secret.” To do this, the IC employed two red teams that were totally independent from the task force and had not yet been “read in” on the intelligence regarding Al Kibar. 
Bush’s intelligence chiefs so thoroughly bought into the concept of red teaming that they issued the two groups opposing goals: one would be commissioned to prove “yes” and the other to prove “no.” The “yes” red team assessment came from a private sector analyst who held a top-secret security clearance and was well known for his proficiency in monitoring nuclear weapons programs. The analyst was not told where the facility was located, but was provided with the Israeli and American internal and overhead imagery of it. The obvious efforts to camouflage the reactor vessel and the spent fuel pools within a building that had nearly an identical footprint to that of the Yongbyon reactor, and the trenches and pipes leading to a nearby water source (the Euphrates) were among several telltale giveaways. Within a few days, the analyst informed the IC officials, “That’s a North Korean reactor.” Hayden’s “no” red team was composed of senior analysts from the CIA’s Weapons Intelligence, Nonproliferation, and Arms Control Center (WINPAC). This team received the same access to all the available data and intelligence as its counterpart, but was explicitly instructed to reach a hypothesis that the facility in Syria was not a nuclear reactor. “Prove to me that it is something else,” the CIA director told them. Over the course of the following week, the WINPAC group considered whether Al Kibar could contain a chemical weapons production or storage site, or something related to missile or rocket programs. Anything was plausible—they even investigated the possibility that it might be some sort of secretive nonweapons-related vanity project of Syrian President Bashar al-Assad. They also explored whether al-Assad had directed that a mock-up of a reactor be built, simply because he wanted it to be bombed for some reason. 
Another senior CIA official recalled that they had particular difficulty finding an alternative explanation for the internal photographs of the facility, which not only closely resembled Yongbyon but also even contained what appeared to be North Korean workers. “The alternative hypothesis that they came up with, for which the most evidence unquestionably and markedly lined up behind, was that it was a fake nuclear reactor,” Hayden recalled. At the weekly Tuesday afternoon meeting in Hadley’s office, a handful of senior officials met to discuss what to do about the purported Syrian reactor. The results of the red-teaming exercises gave officials a high degree of confidence that they had their facts straight. They took comfort in the additional levels of scrutiny that had been applied to the initial intelligence estimates. “It gave us more confidence about the instinct and conclusion of the intelligence community regarding whether it was a reactor. Every other alternative explanation was not plausible,” according to Hadley. Secretary of Defense Robert Gates, who attended all of these meetings, also recalled, “Everybody agreed that we could not find an alternative to this being a nuclear reactor.” However, even though the Al Kibar compound was all but confirmed to be a nuclear reactor, this did not mean that the United States should accede to Prime Minister Olmert’s request to destroy it. While Hayden could comfortably declare, “That’s a reactor. 
I have high confidence,” the red teams had notably found no evidence of a facility required to separate spent reactor fuel into bomb-grade plutonium or of weaponization work, which further led him to state, “On [the question whether] it is part of a nuclear weapons program, I have low confidence.” Bush subsequently told Olmert that the United States would not participate in a military attack: “I cannot justify an attack on a sovereign nation unless my intelligence agencies stand up and say it’s a weapons program.” The two independent intelligence assessments provided Bush administration officials with far greater confidence about what was being constructed in the Syrian desert. They informed Bush’s decision-making calculus, even though his primary concern remained the risks to US interests in the Middle East if he authorized another preemptive attack on a Muslim country. With bombing now off the table, the CIA developed options to covertly sabotage the reactor before it went critical; however, CIA Deputy Director Stephen Kappes told the White House that sabotage had a low likelihood of success. Therefore, Bush chose to pursue diplomatic channels by going public with the intelligence to the United Nations Security Council and International Atomic Energy Agency, in order to pressure Syria to verifiably dismantle the reactor. Before this could happen, four Israeli fighter jets destroyed the suspected reactor at Al Kibar on September 6, 2007, without any resistance from Syria’s air defenses or overt support from the United States. In this case, the findings of the two devil’s advocates, based on their independent analysis of available intelligence, greatly enhanced the credibility of the intelligence estimates regarding the existence of a nuclear reactor, and enabled Bush to make up his mind on the basis of more complete and vetted information. Ultimately, the president decided to refrain from launching strikes. 
This was a classic example of red teaming in action—having outsiders test the validity of the intelligence and consider the possibility of alternate hypotheses.
  • Cybersecurity
    Paying Ransom on Ransomware Should be Illegal
    Two weeks ago, a California hospital paid $17,000 to cyber criminals who had broken into its computer network and taken its data hostage. The attackers used ransomware, a type of malicious software, to encrypt the files at Hollywood Presbyterian Medical Center, and would only provide the decryption key upon payment in bitcoin of the ransom. Payments like these, while the most expedient (and possibly the only) way to regain access to the targeted data, have fostered what many experts believe is a billion-dollar criminal market that continues to grow. The criminals behind ransomware are savvy business people. They set the ransom price for corporate targets well below what it would cost to prevent the attacks through investments in cybersecurity. For individuals, they target an affordable amount for the average American that has no backup of baby photos and home videos. For the victims of this crime, it usually makes sense to pay the ransom, get their data back, and then start to think about what it would take to prevent a second incident. With little ability to arrest the overseas criminals behind these attacks and no ability to break the strong encryption used by the malware, that is often what law enforcement suggests. “To be honest, we often advise people just to pay the ransom,” said Joseph Bonavolonta, assistant special agent in charge of the cyber and counterintelligence program in the FBI’s Boston office. Yet, following the lead of the Presbyterian Medical Center will only lead to many more hospitals and many more individuals being the victims of this same crime. I won’t argue that paying these ransoms is feeding terrorism or crimes other than further ransomware attacks. The payments are likely just funding lots of Kim Dotcom-style shenanigans in Eastern Europe. But left unchecked, ransomware could become a crippling problem for many more companies. The best way to prevent that from happening is to criminalize the payment of ransoms to cybercriminals. 
Opponents of this proposal will no doubt deride it as a “blame the victim” approach. Indeed. While a moral argument could be made that the victims are not innocent--that they have shown negligence in failing to protect their data and the data of their customers and patients--I won’t make that case. One could make an argument that by paying ransoms they are perpetuating a criminal conspiracy that will go on to take on other victims. I will leave that to others to argue. What I will argue is that when looking at a public policy problem, the best place to create liability is where it will have the desired impact. If the goal is to stop ransomware attacks, raising the costs of paying ransoms beyond what the criminals are demanding is the best way to do that. Those costs could come in the form of civil fines or misdemeanor charges. For most American companies and most individuals, simply knowing that paying a ransom would violate the law might be enough to dissuade them. If enough victims are persuaded to forgo payment and accept the consequences, there will be fewer future victims. And while there are legal arguments that paying ransoms may already be considered a crime, let’s avoid the current debacle introduced by applying centuries-old laws to modern-day technology problems and introduce some clean legislation that will make the law clear for once.
  • Defense and Security
    Evaluating Michael Hayden’s Defense of CIA Drone Strikes
    Former director of the Central Intelligence Agency (CIA) Gen. Michael Hayden has an op-ed in today’s New York Times: “To Keep America Safe, Embrace Drone Warfare.” The two-thousand-word piece provides some unique insights into the process by which CIA directors authorize—including over the phone—individual drone strikes and even order the specific munition to be used. Moreover, Hayden provides a more plausible and granular defense than those offered by other former CIA chiefs, including George Tenet, Leon Panetta, and Michael Morell. He even makes some effort to engage directly with certain prominent criticisms of these lethal operations. It should be acknowledged that it is difficult to evaluate Hayden’s op-ed, because he refers to intelligence reports that the American public will never see. Moreover, it is impossible to know whether everything Hayden wanted to reveal is included in the published Times piece, since the content of the op-ed must have been approved by the CIA Publications Review Board, whether as a stand-alone piece or an excerpt from his forthcoming book. Nevertheless, there are a few troubling aspects to the op-ed, which are consistent with all U.S. government officials’ arguments in support of drone strikes: how the program is framed and what complicating bits of information are left out. First, he writes, “Critics assert that a high percentage of the people killed in drone strikes are civilians—a claim totally at odds with the intelligence I have reviewed.” Without identifying the critics or the numerical percentage, it is difficult to know precisely how many civilians he believes were killed. But, based upon the averages provided by three non-governmental organizations that monitor counterterrorism operations, as director of the CIA Hayden personally authorized an estimated 48 drone strikes, which killed 532 people, 144 of whom were civilians. 
At 27 percent, this is more than twice the 12 percent of estimated civilian deaths from all of the U.S. drone strikes conducted through January 2016. Sources: New America Foundation (2007-08); Long War Journal (2007-08); The Bureau of Investigative Journalism (2006, 2009). Although there were air strikes in Yemen while Hayden was director of the CIA, they were conducted under Department of Defense authorities. Second, Hayden emphasizes that targeted individuals were “senior,” “operatives,” or “Al Qaeda,” and that their primary motivation was to attack the U.S. homeland. He omits the fact that some of the suspected militants targeted were not involved in plotting attacks against the United States. According to top-secret intelligence reports obtained by Jonathan Landay, Pakistan’s Inter-Services Intelligence Directorate (ISI) requested one drone strike in 2006, and five more in 2007. One of these strikes occurred on May 22, 2007 “after a Pakistani army assault on the [militant] compound was repulsed.” Landay continues, “The Pakistani army sought the strike even though it had been told that drones wouldn’t be used to support Pakistani troops in combat, said an individual familiar with the episode.” Despite these side-payment strikes, Hayden does not admit that the CIA provided close air support for the Pakistani Army, presumably because it erodes the narrative that drone strikes are being exclusively used for U.S. counterterrorism missions. Third, he raises the controversial issue of “so-called signature strikes…when the identities of the people present were not known,” which is notable as the U.S. government has never acknowledged this practice. Just three months ago, retired CIA director David Petraeus stated, “I can’t talk about signature strikes...if they are even taken...I don’t know what they are.” Hayden claims they were not indiscriminate, as “Intelligence for signature strikes always had multiple threads and deep history. 
The data was near encyclopedic.” Since signature strikes were first revealed in February 2008, a great deal of information has emerged that conflicts with Hayden’s confidence. For example, classified intelligence reports obtained by NBC News showed that, “one of every four of those killed by drones in Pakistan between Sept. 3, 2010, and Oct. 30, 2011 [after Hayden retired], were classified as ‘other militants’.” In addition, of eight U.S. citizens killed in U.S. drone strikes, only one was knowingly targeted: Anwar al-Awlaki. The other seven were not definitively known to have been at the location of the attack. One way that the CIA has attempted to deal with the controversial practice is through better branding. According to Daniel Klaidman, author of Kill or Capture, after Hayden retired, “CIA actually changed the name of signature strikes to something called TADS...terrorist attack disruption strike.” Fourth, the byline in the online version of the op-ed omits Hayden’s current employers. Sixty days after his tenure ended, Hayden was announced as a principal of The Chertoff Group, and later was named to the boards at Alion Science and Technology, Motorola Solutions, and Mike Baker International. This is completely legal and consistent with many former CIA directors, who leave government service for private sector jobs or rotate back into government, like current CIA Director John Brennan, who stepped down as president and chief executive officer of The Analysis Corporation in January 2009 to become President Obama’s senior counterterrorism advisor. However, any such strong defense of a government program by a former government official should mention the potential conflicts of interest when the author is employed by corporations that provide analytical, technical, and/or logistic support for the U.S. military, intelligence community, and homeland security agencies. 
Finally, Hayden opens the piece by proclaiming, “The longer they have gone on, however, the more controversial drone strikes have become.” As somebody who has studied U.S. drone strike policies and practices for ten years, I would say that they have never been less controversial. The Obama administration’s appearance of “reforms” presented in 2013 succeeded in permanently institutionalizing and normalizing what was—under Hayden’s early tenure at the CIA—a rarely used tactic. Drone strikes are generally supported by Americans (though opposed outside of the United States), and there is no plan for or interest from Congressional members to fully investigate covert drone strikes, as was the case for the CIA’s far more limited rendition and enhanced interrogation program. Today, drone strikes are a settled policy, but that does not mean Americans should accept everything a former CIA director tells us about them.
  • Intelligence
    Guest Post: Do-It-Yourself Military Intelligence
    Harry Oppenheimer and Aaron Picozzi are research associates at the Council on Foreign Relations. An unparalleled, indiscriminate and growing wave of transparency is exposing the deployment of military assets—once found only through labored searches of technical publications—and high definition, near-real-time images of geographical locations worldwide, are obtainable through the click of a mouse. As tensions rise between the United States and potential state and non-state adversaries, the veil of secrecy that at one time could only be lifted by intelligence agencies is now accessible to virtually anyone via the worldwide web. Many news outlets picked up on the recent expansion of an airstrip in Remeillan, Syria—a Kurdish-controlled area 365 miles from NATO Incirlik air base in Turkey. The strip, which was just 2,300 feet long by 82 feet wide on April 17, 2015, has been expanded to 4,330 feet by 190 feet wide, with an 82 feet by 92 feet apron, as of December 18, 2015. CNN placed a reporter on the ground to give an eyewitness account of the activities taking place near the strip—described as herdsmen with sheep, oil pumps, and mud brick houses. Yet, this leaves many unanswered questions. Why does the expansion of an isolated airstrip warrant attention? It is not only the improvement of the airstrip, but also how it was discovered. The construction was observed by IHS Janes using commercial satellite imagery gathered, in this case, from Airbus Defence and Space, but which could be purchased from a number of sources for a few thousand dollars. What are the deeper implications of this runway? Without taking a trip to Syria or accessing classified sources, can a person answer this question using only open sources? Considering the old dimensions of the airstrip, the most functional American fixed-wing cargo aircraft with the technical capability to land at the strip is the C-27J. With a required runway length of 2,400 feet, it fits close to the specifications. 
Special Operations Command (SOCOM) took control of these planes in 2014 after they failed to meet air force requirements. Otherwise, only helicopters or V-22s could operate out of the old strip, a fact that has been reported by news sources. With the expanded dimensions of the strip, the most versatile airplane that could be used in this space is the C-130—a multi-role, long-range tactical aircraft. An assault landing, a technique used when faced with a short landing strip or when taking enemy fire is likely, requires only a 3,000- by 60-foot airstrip. The other aircraft capable of landing on this strip is the C-17—a cargo and transport aircraft larger than the C-130 that requires a 3,000- by 90-foot airstrip for an assault landing. Though landing either of these aircraft was impossible on the old strip, it is well within the limits of the new field. A C-17 is more efficient at delivering cargo, but less flexible, and the air force prefers to use them for inter-theater transport. As a baseline, the C-27J has a max payload of 25,000 pounds and can carry a Jackal, a versatile ground vehicle. So, what additional capabilities do the C-130 and C-17 provide that are worth the effort of expanding an airstrip in remote Syria? There are several capabilities the United States might want to have with these new platforms. The C-130 can now be parked on the apron and used as a force-multiplier to provide rapid ground refueling for helicopters, fast attack vehicles (FAVs), or Ospreys. This C-130 could also be utilized for aeromedical evacuation, to bring in six FAVs, such as Flyers or Ranger Special Operations Vehicle, at a time, fly as part of a Unified Command Suite to coordinate efforts on the ground and provide a central link to fighters in the area, or drop off a High Mobility Artillery Rocket System (HIMARS) to provide a precision strike capability in northern Syria. 
If the military just wants to drop off supplies, a C-17 can deliver 73,000 pounds of equipment at a time with a 90-minute turnaround. Those pallets could carry in weapons, ammunition, light vehicles, drones, or other supplies. Each set of capabilities is linked to a different mission. The higher payload capacity could provide increased material support for Kurdish Forces, faster refueling capabilities could better enable air operations to support allies on the ground, and FAVs could strengthen snatch and grab capabilities in the area. Individuals can purchase commercial surveillance images of specific areas of concern. They are able to “roll back time,” looking at images from present to inception, to answer the questions of who, what, when, and where. The United States has repeatedly employed this strategy, both stateside and overseas, with satellites, blimps, and conventional airplanes. Following an improvised explosive device (IED) blast, or the murder of a law enforcement official, U.S. authorities such as the National Geospatial-Intelligence Agency (NGA) often utilize imagery to track the parties involved. An interested party can do this analysis from the comfort of their office without access to classified information, contacts on the ground, or even any database subscriptions. This data comes without the burden of launching and managing satellites, or gathering primary intelligence. While it’s nothing new that a Russian military intelligence unit could complete a comprehensive study of a Syrian airstrip, it is novel that a supporter of the self-declared Islamic State could use open-source information to perform this type of analysis full time. They could now purchase satellite images to track similar scenarios and to inform grand strategy and prioritize targets. 
A radical jihadist version of Eliot Higgins, the British citizen journalist who has exposed Russian actions in Ukraine and Syria using open-source intelligence, would be a prized asset for any extremist group.
  • Cybersecurity
    The Real Lesson of the Apple-FBI Showdown: Cybersecurity Isn’t Hopeless
    It may be hard to imagine but there are probably moments when Apple CEO Tim Cook and FBI Director Jim Comey have the same fervent wish: Would someone--anyone--please figure out how to hack into Syed Rizwan Farook’s darn iPhone. Both would likely take up John McAfee on his offer to decrypt the San Bernardino shooters’ phone if anyone understood how social engineering could be used to break into a dead man’s phone. In the short term, it would solve both their problems if a third-party forensics company started selling law enforcement a tool that could access data on iPhones. I’ve written before about lawful hacking as a potential solution to the standoff between law enforcement and the tech companies. It’s a messy solution that pits U.S. companies against the government but it may be the best answer among a lot of bad ones. The problem with lawful hacking as a solution may turn out to be that Apple and other companies are actually starting to figure out cybersecurity. With all the gloom and doom in cybersecurity marketing, it’s almost hard to believe that any computing device in the world can’t be easily accessed by your average high school kid in a basement. Yet, in almost a year since Apple introduced iOS 9, nothing has hit the market. It’s not for lack of demand. There are, at last count, 94 million iPhones in the United States alone and over 12,000 law enforcement agencies. That’s a nice market that plenty of companies would love to tap into. The Russian cybersecurity firm Elcomsoft used to do brisk business selling a forensic toolkit for iOS at $1,500 a pop. Unfortunately, for them at least, their toolkit won’t work on any iPhone running the current operating system. The FBI has come up with a technically plausible path by which Apple could retrieve the data on the phone. And security researchers have pointed out ways in which Apple could block that path in future updates—for instance by requiring a passcode to update the iOS software. 
The long-held belief that offense always wins and defense always loses in cybersecurity has been turned on its head. Privacy groups arguing against the FBI’s push to access encrypted data on phones are largely relying on an argument that, while encryption may make certain kinds of data inaccessible, the rest of the cyber ecosystem remains so insecure that there are more opportunities than ever for surveillance. The Internet of things will only increase these opportunities as our homes and our lives are filled with dozens of devices recording our every word and move with little to no security. The current fight over the iPhone offers a glimmer of hope that that dystopian future where privacy is dead does not have to become a reality. Spying and crime may both become harder, not easier, in our digital future. As Apple has shown with its smartphone, smart homes and cars and offices do not have to be the building blocks of the surveillance state or an easy path to blackmail, extortion, and unauthorized fund transfers. That outcome would be a good thing for our society. It would also mean that we might truly have to grapple with the implications of terrorists, child molesters, and criminals also being beyond the reach of law enforcement.
  • Cybersecurity
    Reactions to the Apple-FBI Clash in the San Bernardino Case
    Much has been written in the past forty-eight hours on Apple’s refusal to comply with a federal order to assist the FBI in accessing the encrypted contents on an iPhone 5C owned by Syed Rizwan Farook, one of the deceased perpetrators of the San Bernardino terrorist attack. Here’s a quick recap of the events to bring you up to speed: On February 16, a federal magistrate in California ordered Apple to assist the FBI in unlocking and decrypting Farook’s phone. In siding with the U.S. government, the magistrate accepted the Department of Justice’s interpretation of the All Writs Act, a 200-year-old law that allows courts to compel a person to do anything to comply with an order. Specifically, the FBI is looking for Apple to develop software that will: Disable an iPhone’s ability to automatically wipe its contents if an incorrect password is provided ten times; Allow the FBI to run software that will attempt to guess the iPhone’s password--a technique known as brute force; and Disable software features that would introduce delays after every password attempt. On February 17, Apple published an open letter vowing to oppose the order on two grounds: Complying with the order effectively requires Apple to build malware to defeat the security features of its own products, exposing the security and privacy of its users if a third party got its hands on the malware. Complying with the order would set a bad precedent by using similar orders to "demand that Apple build surveillance software to intercept your messages, access your health records or financial data, track your location, or even access your phone’s microphone or camera without your knowledge." Here are some of the reactions in the... Technical community: Dan Guido over at Trail of Bits argues that it is technically feasible for Apple to comply with the order. Chris Williams over at the Register also argues that Apple could probably comply with the order, but that it’s choosing not to for public relations reasons. 
Matt Blaze, a cryptographer at the University of Pennsylvania, is skeptical of commentators who argue that it’s easy to develop a new operating system that the FBI requires. The Electronic Frontier Foundation, the Center of Democracy and Technology, and the Open Technology Institute all support Apple’s opposition. Ashkan Soltani points out that the FBI already has backups to Farook’s phone as of October 19. The assumption here is that FBI is looking for more data that would have been saved to the phone between that date and the shooting on December 2. Nicholas Weaver thinks the magistrate’s order is worse than a slippery slope, it’s a cliff. Bruce Schneier explains why the public should side with Apple. The Internet Society, a non-profit and institutional home of the standards body that sets the Internet’s technical protocols, expressed support for Apple. Tech companies: Google CEO Sundar Pichai said in a series of tweets that the order could set "a troubling precedent." WhatsApp CEO Jan Koum shared Cook’s letter on Facebook and gave the company his full support, noting that "our freedom and our liberty are at stake." The Information Technology Council, an industry group that represents Dell, Facebook, Google, and others, expressed "worry" at the broader implications of "requiring governments to disable security features." Reform Government Surveillance, an industry group comprised of AOL, Apple, Google, Facebook, Evernote, Yahoo, LinkedIn, Microsoft, Twitter and Dropbox, issued a statement saying that "companies should not be required to build in backdoors to the technologies that keep their users’ information secure." Mozilla’s Mark Surman said that asking Apple to override its own security protections is "massive overreach." Think tank community: Max Boot disagrees with Apple’s position, calling it "sanctimonious and misleading." Robert Chesney at Lawfare notes that the encryption and "going dark" battle is now moving from Congress to the courts. 
Susan Hennessey and Ben Wittes at Lawfare are saying: "We told you so." Matt Mayer at the American Enterprise Institute argues that absent Congressional action on encryption, Apple is right to fight the magistrate’s order. Julian Sanchez at CATO argues that the Apple-FBI case is all about the precedent it sets. Andrew Woods wouldn’t be surprised if Apple appealed the order on First Amendment grounds given that code is speech. Political establishment: Congressman Ted Lieu (Democrat, California) issued a press release supporting Apple, arguing that the court is effectively asking a private sector company to be an arm of law enforcement. Congressman Justin Amash (Republican, Michigan) tweeted his support for Apple. Senator Tom Cotton (Republican, Arkansas) said that Apple "chose to protect a dead ISIS terrorist’s privacy over the security of the American people." Senator Ron Wyden (Democrat, Oregon), who has clashed with the government on encryption, said that the FBI’s move could "snowball around the world" and give "Russia and China a blueprint for forcing American companies to create a backdoor." Senator Ron Johnson (Republican, Wisconsin) expressed concern that "using the judiciary to require Apple to build a ’master key’ ... could open a Pandora’s box with unforeseen effects." Richard Burr (Republican, North Carolina) and Dianne Feinstein (Democrat, California), the chair and ranking members of the Senate Intelligence Community, sided with the FBI. In a separate op-ed, Burr said Apple has “wrongly chosen to prioritize its business model above compliance with a lawfully issued court order.” 2016 campaign: Donald Trump thinks it’s ridiculous that Apple won’t comply and has called for an Apple boycott. John Kasich said that the magistrate’s order wasn’t a case of government overreach despite acknowledging a month ago at a Council on Foreign Relations event that backdoors in encryption could potentially make people more vulnerable to cybercriminals. 
Marco Rubio didn’t take any sides, saying the issue was "tough." Ted Cruz said that although Apple shouldn’t be required to put backdoors in all of its phones, terrorism trumps privacy concerns in the San Bernadino case. Hillary Clinton called it a "hard dilemma" but noted that "got to be some way on a very specific basis we could try to help get information around crimes and terrorism." Bernie Sanders said that there has to be a balance and that the United States can fight terrorism without undermining constitutional rights. Newspaper editorials: The Wall Street Journal criticizes the White House’s management of the "going dark" issue and supports the encryption commission proposed by Rep. Michael McCaul (Republican, Texas). The Washington Post argues that Apple shouldn’t be forced to decrypt user data. The New York Times says that Apple is right to challenge the magistrate’s order. We’ll keep this post updated with any additional reactions that we see.