- The Washington Times - Thursday, May 12, 2016

As the FBI continues to withhold details about how it hacked the iPhone of a suspected terrorist in San Bernardino, a former National Security Agency official says the intelligence community has regularly waited months after acquiring an exploit before it alerted affected parties.

Richard “Dickie” George, who for 15 years oversaw the NSA’s internal program for deciding whether to disclose software vulnerabilities, said the agency would wait as long as six months before disclosing flaws to the developers who could fix them, The Washington Post reported Wednesday.

By withholding information about vulnerable software, the NSA’s own hackers are able to exploit flaws in programs used by foreign criminal suspects in order to gather intelligence before the bugs can be patched.

The FBI’s use of vulnerabilities to hack software for the sake of domestic law enforcement operations has received renewed attention after the bureau purchased a tool that allowed it to hack the iPhone of Syed Farook, who investigators say went on a shooting spree in San Bernardino with his wife last year that left 14 dead.

The government established a framework in 2014 for disclosing these flaws to software makers, the “Vulnerability Equities Process.” Mr. George, who retired in 2011, told The Post that in his time the NSA would sometimes hold onto exploit information for six months to see if it could be used for other operations before eventually alerting companies about the bugs.

During his time with the agency, Mr. George said, the NSA typically disclosed about 300 vulnerabilities a year directly to vendors and withheld an average of three or four annually, often because the companies that could have implemented a fix had gone out of business.

FBI Director James Comey defended the bureau’s decision not to submit details about the exploit used against Farook’s iPhone for government review, as the relatively new Vulnerability Equities Process would call for.

When that review process was adopted in 2014, the White House’s cybersecurity coordinator said the government had “established principles to guide agency decision-making” including “a disciplined, rigorous and high-level decision-making process for vulnerability disclosure.”

The FBI said in a statement that its handling of the iPhone at the center of the San Bernardino case “should not be interpreted as an indication of general FBI policy,” The Post reported.

“We did not in any form or fashion structure the transaction … with an eye toward avoiding” the government review, Mr. Comey said Wednesday during an event at FBI headquarters, The Post reported.

• Andrew Blake can be reached at ablake@washingtontimes.com.
