The White House has a procedure for reviewing technology security flaws and deciding which ones should be made public. But it is not set up to handle or reveal flaws that are discovered and owned by private companies, the sources said, raising questions about the effectiveness of the so-called Vulnerabilities Equities Process.
The secretive process was created to let various government interests debate about what should be done with a given technology flaw, rather than leaving it to agencies like the National Security Agency, which generally prefers to keep vulnerabilities secret so they can use them.
The government's efforts to force Apple to help it unlock the San Bernardino iPhone have reignited a national debate about encryption, security and privacy that continues to rage two weeks after the Justice Department said it broke into the phone without Apple's help.
The sources said the technology used to get into the phone was supplied by a non-US company that they declined to identify.
Without cooperation from the company, the FBI would not be able to submit the method to the Vulnerabilities Equities Process even if it wanted to, the sources said on condition they not be named.
The FBI itself probably does not know the details of the technique - just enough to determine that it worked, according to government sources and Rob Knake, who managed the White House process before leaving last year.
The FBI said in February that it was unable to get into the iPhone 5c used by San Bernardino shooter Syed Farook without help from Apple, and it won a court order compelling the Silicon Valley icon to break into the device. Apple, backed by much of the tech industry, complained that the order would in effect make businesses arms of the state.
The Justice Department dropped the matter the day before a crucial court hearing, saying it had found a way to get into the phone.
At the time, Apple said it hoped the maneuver would be disclosed so that it could fix the flaw before it is discovered and exploited by criminals.
In a separate New York case, the Justice Department is trying to force Apple's help in extracting data from a drug dealer's iPhone 5s. For technical reasons, that would be easier for Apple to do, though it would be much harder for the FBI or a contractor, said phone security expert Dan Guido.
The two battles spotlight a long-running but seldom aired conflict over whether information about software security lapses should be kept secret by law enforcement or intelligence agencies, who want the knowledge to snoop, or disclosed to the technology companies so they can patch the holes.
After questions were raised about the Vulnerabilities Equities Process in 2013, White House cyber-security policy coordinator Michael Daniel said it was "reinvigorated," though information as basic as which departments are involved remained undisclosed.
Daniel has written that the factors to be weighed include how easy a flaw would be for outsiders to find and how much danger would be posed to society.
But Knake said the procedure had been created in 2010 to handle situations like an FBI technologist in a lab inventing a method for circumventing security.
"It was not set up for a world of commoditized exploitation," where major defense contractors buy and sell flaws for millions of dollars.
"There is no way the government could force companies to share the methods that they are trying to sell, or any way to stop government agencies from buying from those companies," he said.
Knake said the process could be improved if it were revamped again to deal with the reality of the exploit marketplace.
The White House referred questions to the FBI, which did not respond to emails seeking comment.
© Thomson Reuters 2016