 |
Siobhan Gorman, Yochi J. Dreazen, and August Cole have broken the story “Insurgents Hack U.S. Drones” in today’s Wall Street Journal. The story provides several interesting points that could provide valuable lessons. Quoting from the article: |
- The U.S. government has known about the flaw since the U.S. campaign in Bosnia in the 1990s, current and former officials said. But the Pentagon assumed local adversaries wouldn’t know how to exploit it, the officials said.
- Last December, U.S. military personnel in Iraq discovered copies of Predator drone feeds on a laptop belonging to a Shiite militant, according to a person familiar with reports on the matter.
- The militants use programs such as SkyGrabber, from Russian company SkySoftware. “It was developed to intercept music, photos, video, programs and other content that other users download from the Internet — no military data or other commercial data, only free legal content,” Andrew Solonikov, one of the software’s developers said by email from Russia.
- The difficulty, officials said, is that adding encryption to a network that is more than a decade old involves more than placing a new piece of equipment on individual drones. Instead, many components of the network linking the drones to their operators in the U.S., Afghanistan or Pakistan have to be upgraded to handle the changes.
- Predator drones are built by General Atomics Aeronautical Systems Inc. of San Diego. Some of its communications technology is proprietary, so widely used encryption systems aren’t readily compatible, said people familiar with the matter.
- Some officials worried that adding encryption would make it harder to quickly share time-sensitive data within the U.S. military, and with allies.
- The Air Force has staked its future on unmanned aerial vehicles. Drones account for 36% of the planes in the service’s proposed 2010 budget.
- Today, the Air Force is buying hundreds of Reaper drones, a newer model, whose video feeds could be intercepted in much the same way as with the Predators, according to people familiar with the matter. A Reaper costs between $10 million and $12 million each and is faster and better armed than the Predator. General Atomics expects the Air Force to buy as many as 375 Reapers.
What lessons are applicable to your organization? Three points to think about:
- Design, cost, and risk. There is no doubt that there are many difficulties with adding encryption to drones. Design of these systems involves many factors (power, weight, security, transmission rates, etc.). The problem is that the risk of snooping due to the lack of encryption has been known about since the 1990s. With each drone costing $10-12 million, and the Air Force expected to buy 375, that is a sizable investment. When making design decisions, organizations can expect to have to defend their choices.
- Developing with standards. Future development with possible different contractors seems unlikely if widely used encryption systems are not readily compatible with the current contractor’s proprietary communications technology. Companies should want to foster flexibility and avoid vendor lock-in. It is also unlikely that sharing information will be possible with allies unless widely encryptions systems can be used.
- Being realistic when assessing the risk. Companies need to avoid reports that they failed to understand the risk. In this article, the worse statement is that the “Pentagon assumed local adversaries wouldn’t know how to exploit it.”
Underestimating risk is a constant threat in security. It is wise to remember the words of Sun Tzu from The Art of War, “It is said that if you know your enemies and know yourself, you will not be imperiled in a hundred battles; if you do not know your enemies but do know yourself, you will win one and lose one; if you do not know your enemies nor yourself, you will be imperiled in every single battle.”
John
it is obviously acceptable saying “Underestimating risk is a constant threat in security”.
Smith