Prioritizing U.S. Cybersecurity

Revelations that militants in Iraq and Afghanistan used off-the-shelf technology to intercept live Predator drone feeds from the U.S. military have spurred new debate on U.S. dominance of information technology in warfare. James Lewis, a cybersecurity analyst at the Center for Strategic and International Studies in Washington, says the incident also illustrates the U.S. tendency to underestimate its adversaries in the information battle space. Lewis says individual agencies in the Obama administration have made strides in securing data streams, but collectively, the government has been slow in devoting resources and manpower to the cybersecurity fight. The December 22 appointment of a cybersecurity coordinator could speed innovation, but Lewis says the tasks ahead--from increasing domestic security to expanding international cooperation--are massive.

Militants in Iraq and Afghanistan have used off-the-shelf technology to intercept live Predator drone feeds from the U.S. military. Talk about this breach, and whether we should view it as surprising.

The thing that really bothered me the most in that story, the Wall Street Journal story, was [the suggestion that] we assumed our opponents would not be sophisticated enough to take advantage of this. We’ve made that mistake so many times. We have some very sophisticated opponents, and the way this technology works is it’s designed for consumers. And so, what you can buy on the open market is pretty darn good.

So it doesn’t sound like you are that surprised by it?

No. People have known about [the potential vulnerability in the drones’ communication systems] since Bosnia. When I saw it, I immediately thought, "This is what we do for satellites." People probably thought, on the ground, that no one can take over the [Unmanned Aerial Vehicles], and they won’t be sophisticated enough to intercept the downlink. The good news is that we learned our lesson now and not against a more sophisticated opponent. You can assume that if the insurgents were listening in off their laptops, other people were listening in as well.

When you say this is what we do for satellites, what do you mean?

The requirement [for military satellites] is you have to encrypt the uplink, which is [called] a command link. If you want to send instructions to the satellite--turn left, turn right--it has to be encrypted. [With] the downlink, you can see why people didn’t pay attention. [Due to high costs and technology challenges, some downlinks between drones and the ground were not encrypted, allowing for militants to tap into the feeds]. It’s a little more expensive, it’s a little more complicated. So they went with the ease of operation, and we’ve found out the hard way that may not have been a good idea

I’ve read reports that pretty much any aerial surveillance the U.S. military uses is vulnerable to this type of hacking. How serious are these vulnerabilities?

It’s not really even hacking, because these people just bought the program. [In the example detailed by the Wall Street Journal, the publicly available software was called Skygrabber]. Hacking means that they would have had to get in and break into something. It was easier than that. I’m not as worried about it in one sense, because this doesn’t let you control the drones. It’s not like some insurgent is going to take control of the drone or make it do something wrong. What is worrisome, though, is we didn’t change our thinking from the way we used to think about this stuff, to the way we need to think about it now in a very different technological environment. If you assume that your opponents are too dumb to exploit the vulnerability, you’ll eventually pay for it.

Is it just a matter of time before militants or state actors are able to find a way to take control and maneuver these unmanned systems?

That’s probably more than the insurgents could do. But it’s not more than the Russians, the Chinese, or other countries could do. So it is something we have to put attention to. There’s been a lot of effort put into encrypting the command signals so it wouldn’t be an easy target. But this is a good lesson, in that we might want to not assume that our opponents won’t be able to do something.

[In terms of taking control of a drone], that’s sort of a holy grail for people. We don’t have to worry about that one so much. But we do have to worry about the fact that you might be seeing the data that gave you an advantage [falling into enemy hands], so your advantage turns out to be zero. Or they might be able to tweak the data so you make the wrong decision, and then your advantage is in the negative category. That’s what we’re going to see in any future conflict. And the fact that some fellow who didn’t have a huge research facility was able to do it should tell us, "Don’t underestimate our opponents."

Last year you helped author a report (PDF) that suggested a number of fixes President Obama should take to strengthen U.S. cybersecurity. How has the president done during his first year?

Well, it is not a priority for the White House. That’s upset some people. But they have done some good stuff. The good stuff that’s been happening is at the agencies, not necessarily at the White House. The Department of Homeland Security [DHS] has started to rework their strategies, they’ve started to reorganize themselves, they’ve started to try and hire people to fill the gaps. So DHS is doing some good stuff. We all know about [the Pentagon’s] Cyber Command reorganizing and merging the defensive and offensive side. It’s a big improvement. The Department of State is doing a little bit. They are still disorganized, but we’ve started to think about an international strategy, and the Obama administration coming in and saying, "We want to engage with people, we want to talk to the Russians and others," is a positive sign. Overall, a lot of enthusiasm and a lot of effort, but not a lot of coordination.

The Pentagon’s Cyber Command has gotten off to a rather slow start, and its creation comes amid a somewhat failed effort by the Air Force to assume control of the cybersecurity issue. Given what we know about Unmanned Aerial Vehicle vulnerabilities, isn’t a swifter military response in order?

There are some hard issues to work through. You’ve got Cyber Command out of the National Security Agency, which makes sense; they’re the only people that have the capabilities. But you’ve got a question about the different legal authorities. You have intelligence authorities, Title 50, and you have military authorities, Title 10. Well, what does the commander of Cyber Command do? Does he get to pick and choose between them? You need some way to say, "This kind of thing is military, you have to use the military decision chain," versus, "this kind of thing is intelligence, you have to use the intelligence decision chain." I’m not sure they’ve worked through all of that. One of the things to bear in mind is we have an additional set of hoops that some of our opponents don’t have. We have a Constitution. And so we have to think, ’How does this fit constitutionally?’

The New York Times recently reported that the United States and Russia are talking through a UN framework for some kind of international treaty on cyberwarfare. How close is such a treaty?

We are pretty far from agreement. The current play is the United States wants the Russians to cooperate in cybercrime, arresting their hackers. And that’s a good idea, because Russia’s been a sanctuary. The Russians want the United States to agree to constrain Cyber Command. And so, the two sides are still pretty far apart. What’s different is that the Bush administration wouldn’t talk about this at all, and now we see the Obama administration is willing to talk about it. There is this recognition that you have to think about what are the rules for conflict, or for competition, in cyberspace between states.

Moscow is asking the Pentagon to constrain its Cyber Command? How so?

When the Air Force widely announced [in 2006] that they were going to be cyberwarriors who would dominate cyberspace, it scared a lot of other countries. And you have to put that in the context of Iraq. It sounds funny, but that’s how other people thought about it, like, "Hey, we saw you guys invade Iraq, how do we know you guys aren’t going to invade cyberspace?" I actually heard that from an ambassador of a developing country at the UN. And so, the Russians wrote an arms control treaty that basically tries to tie the United States into knots. This is classic arms control stuff. They hear we’re developing a weapon, they write a treaty that would constrain that weapon. Where we failed is we didn’t come back with a counter proposal. That’s where the ball is.

Finally, let’s talk about a different type of cyberwarfare. Just a couple of days ago, a group calling itself the "Iranian Cyber Army" took down Twitter for a few hours, redirecting users to a page with an anti-American message. Was it directed by Tehran?

Hacking is politics by another means; we’re just going to have to get used this. This is going to be part of politics in the future. They are going to be platforms for getting your message, out and they’re going to be targets. That said, I don’t think this was the Iranian government. It probably was an effort by well-meaning amateurs, at least well-meaning from Tehran’s point of view.