A small Israeli company appears to be plugging a big hole in the Federal Bureau of Investigation’s technical capabilities – and the relationship raises questions about the bureau’s evolving role in cybersecurity.
Over the last five years, the FBI has paid $2.5 million to the Israeli company, Cellebrite, for a wide range of services including cracking open and extracting data from locked Apple iPhones and mobile phones from all other major manufacturers, a relationship that illustrates the FBI’s lack of in-house expertise in some areas of digital security.
That’s a surprising gap, given the FBI’s pre-eminent position in a variety of cyber investigations, ranging from breaking up arms-trafficking rings on underground websites and nailing software pirates to tracking down sympathizers of Islamic State extremists.
Whether the Trump administration intends to keep the FBI in that cyber crime role is uncertain, however. A leaked six-page draft of an executive order on cybersecurity policy did not mention the FBI, though the fate of that draft order is also unknown. The signing of the order, once on the White House calendar, has been delayed indefinitely.
Secrecy cloaks several aspects of the relationship between the FBI and Cellebrite, which is headquartered in the Tel Aviv suburb of Petah Tikva, Israel.
Neither the FBI nor Cellebrite will say whether the company was involved last year in unlocking the iPhone 5C of Syed Farook, the shooter in the San Bernardino, California, attack in December 2015 that left 14 people dead and was considered an act of Islamic terrorism.
That case led the FBI to lean heavily on Apple to alter its iPhone operating system to give law enforcement a “back door” into locked devices. In a public letter to Apple customers, Chief Executive Tim Cook decried government “overreach” and said such action “would undermine the very freedoms and liberty our government is meant to protect.”
A year on, the issue has turned to whether the FBI itself has failed to stay up-to-date on needed capabilities to deal with crimes and terrorism in which there is a digital component.
“There’s a consensus in the research community that the FBI has been underinvesting,” said Alan Butler, senior counsel at the Electronic Privacy Information Center, a public interest research group. “It’s not fair for the FBI to demand of Apple and other companies to weaken the security of their consumer products when it’s the agency that hasn’t been investing enough.”
The FBI’s request for Apple’s help in unlocking not just Farook’s phone but at least a dozen others underscores the bureau’s weakness in that kind of work, said one recognized cybersecurity policy expert.
“They have a very small group doing the Going Dark program, which is dealing with encryption and anonymization. It’s very small. I believe its budget request was for $39 million. Thirty-nine million is nowhere near enough,” said Susan Landau, a professor of cybersecurity policy at Worcester Polytechnic Institute in Massachusetts.
The bureau dropped a lawsuit against Apple as soon as Farook’s iPhone was unlocked, and it refuses to say anything about how that was accomplished. The original lawsuit touched on matters of encryption, privacy protections and public safety, all issues that remain unsettled.
“The debate is not resolved,” said Joshua Corman, director of the Cyber Statecraft initiative at the Atlantic Council, a think tank in Washington. “We didn’t get case law. We just postponed that fight till later.”
In a federal court filing last week, the FBI told three news organizations that had sued it to obtain information about the third-party vendor the FBI paid to unlock Farook’s iPhone that releasing such information would “cause serious damage to national security” and allow “hostile entities” to stymie future FBI intelligence gathering.
A section chief in the FBI’s Records Management Division, David M. Hardy, told the federal court the bureau also would not say how much it had paid for the unlocking of the iPhone.
Other high-tech companies have also won business from the FBI, including CrowdStrike, a cyber forensics firm that received a one-year contract for $150,000 beginning in July 2015. That period included the time when Russian state hackers are believed to have penetrated the computers of the Democratic National Committee and tapped into the email of the chairman of Hillary Clinton’s presidential campaign.
The FBI’s role in the subsequent investigation came under fire after the DNC’s deputy communications director, Eric Walker, told the website BuzzFeed last month that FBI agents never came to examine the servers after the hacking, relying only on information from CrowdStrike, which was also under contract to the DNC.
Federal, state and local law enforcement agencies in the United States make up about half of Cellebrite’s global sales. The company was acquired in 2007 by a Japanese holding company, SunCorp, that has extensive interests in pachinko, a mechanical arcade game played in thousands of parlors around Japan.
About half of Cellebrite’s workforce, maybe 300, is in research and development.
A federal registry shows that Cellebrite has signed more than 1,500 contracts since 2008 with a variety of U.S. agencies, including the Drug Enforcement Administration, Customs and Border Protection, the U.S. Marshals Service, the U.S. Forest Service, various branches of the military, the Securities and Exchange Commission and U.S. embassies in places like Tegucigalpa, Jakarta and Brasilia.
As for the FBI’s pressure on Apple, watchdog groups say much has changed since last year. They say legislators now lean against mandating back doors on digital devices.
“Since the FBI’s battle with Apple, there’s been a lot of pushback from Congress and industry,” Butler said.
If U.S. companies provided back doors on devices, at government mandate, they would likely be pummeled by foreign manufacturers that could ensure effective encryption, he said.
Cellebrite’s main device is about the size of a large laptop computer and is known as a universal forensic extraction device. Those wanting to unlock seized cellphones, usually law enforcement agencies with warrants or court orders, must attach the phone to the Cellebrite extractor with a special cable.
Cellebrite’s website suggests that its UFED can unlock all but the most recent models of nearly every manufacturer, and in the case of Apple up to model 5S. Even some more recent cellphones can be unlocked if they are sent to the company’s U.S. laboratory in Parsippany, New Jersey.
Cellebrite’s largest competitor is also a foreign company, Micro Systemation, which has global headquarters in Stockholm.