Wednesday, 23 December 2009

Why Hollywood Security Is Better Than The Pentagon's

It sounds like the plot of a Hollywood blockbuster: A group of insurgents hack into American military drones, using software they got off the Internet, according to The Wall Street Journal. But, for the benefit of that screenwriter likely pounding away right now to get his idea in first -- as well as for the general public -- what actually happened?
Essentially, three trends are coming together in war.
First is the growing use of unmanned systems, something I explore in my book "Wired for War." Just a few years ago, the U.S. military had no interest in unmanned systems. Indeed, when the U.S. invaded Iraq, we had only a handful of unmanned systems in the air and zero on the ground in the invasion force, none of them armed.
Today, we have more than 7,000 in the air, ranging from the 48-foot-long Predator to tiny ones that can fit in a backpack, and 12,000 on the ground, such as the Packbot and Talon systems that hunt down roadside bombs. Many of these systems are armed, giving new meaning to the term "killer app."
This 180-degree turn to robotics, however, often came in an ad-hoc manner. The back-end networks didn't perfectly fit with the wide variety of unmanned systems that were being plugged in.
Even more, the pressure was on to push the systems out as rapidly as possible, for very good reason. There was a war on, and these unmanned systems were proving to be far more useful to our troops than what the regular Pentagon acquisitions process had been providing.
One robotics company executive described how he couldn't even get his phone calls returned a few years ago. Now, he was told, "Make them as fast as you can."
Second, though, was a dash of arrogance. In not coming through the regular planning and purchasing system, many of the systems used proprietary software as well as commercial, off-the-shelf hardware. So many of the communications feeds going back and forth were poorly protected, and, in some cases, not even encrypted.
This was the case, for example, for some of the overhead surveillance video feeds that the unmanned systems were collecting and, in turn, beaming back both to command posts as well as to American patrols on the ground, who watch the feed off ROVER. (Akin to Dick Tracy's watch, this is a rugged video monitor a soldier can strap onto his or her arm or gear.)
The problem of the relatively open video feeds has been known for a while. Indeed, back during our operations in the Balkans, it was discovered that just about anyone in Eastern Europe with a satellite dish could watch live overhead footage of U.S. Special Operations forces going out on raids of suspected war criminals. One joker commented that it was harder to tap into the Disney Channel.
But the Pentagon assumed that foes in the Middle East wouldn't be smart enough to figure this out, and underestimated how quickly the technology to tap in to the feeds would advance, becoming cheaper and widely available. The problems were not fixed, and more and more of these relatively open systems were deployed.
Unfortunately, we all know what happens when we "assume" our enemies are dumb (they make something out of "u" and "me."). Using a $26 software package called Skygrabber, originally designed to allow customers to download movies and songs off the Internet (none of them pirated, of course), insurgents were able to tap into the various U.S. military video feeds, The Wall Street Journal reported. U.S. forces became aware of it after they captured a Shiite militia member in Iraq, whose laptop had files of the pirated footage saved on it.
To be clear, these insurgents were not able to take over control of the drones. They really weren't even doing "hacking" by the true meaning of the term. It was more like someone snooping in on a police radio scanner listening to unencrypted transmissions.
Some people used to listen to these scanners for entertainment, but for criminals, it proved useful to know what the police know and where they might be headed, which is why the police now encrypt these scanners.
Here too, it seems more likely the insurgents weren't watching themselves on the pirated video for amusement, but rather because the video feeds let them know what the U.S. military was monitoring. If I see that the U.S. military is watching a house with a station wagon out front, and I am sitting in a house with a station wagon out front, then I might well suspect that they are on to me.
This leads to the third trend -- the shifting domains of warfare. War is not merely about bullets and bombs, it is also becoming about bits and bytes. This was a relatively old security opening that wasn't fixed because we assumed it couldn't be exploited by insurgents or groups in the Middle East. What are our assumptions then about sophisticated, large-scale efforts funded by certain state powers on the Eurasian landmass "that shalt not be named"?
More importantly, not everyone is merely going to want to snoop, merely to learn what we know. Instead, we are entering an era of "battles of persuasion." In these, the goal is not to blow up the enemy's soldiers and weapons, as in traditional warfare, but to jam or disrupt their controls, change critical information they rely on to operate properly or even "persuade" them to do things contrary to the goals.
To use a Hollywood example, if Goose told Maverick in "Top Gun" to "recode all American F-14s fighters as Mig-29s," Tom Cruise would have just laughed his maniacal cackle and ignored him. A robotic Cruise would simply follow the instruction to recode the software and now view IceMan as a legitimate target to shoot down.
The U.S. military has responded to the reports with a mix of public calm and private consternation. Officials have said they are fixing the problem, such as by working to encrypt the video downlinks, and that this is a tempest in a teapot.
The first problem, though, is the scale. There are literally thousands of unmanned systems in the air (as well as the current ROVER models that only receive the unencrypted video feed) that will need to be retooled for encryption. This will be expensive and arduous, and all while the war goes on. There are also worries that layering the encryption on top of the system software will slow down the communications and make them hard for multiple users to access at once.
More important, though, is the ad-hoc, back-end nature of the response. It is far different from having your entire system design of both hardware and software take into account how to protect information efficiently but effectively, throughout the communications and operations chain.
The result could be that our patched systems may end up still less protected than the movies or video games you download at home on your DVR or X-Box.
The best explanation of this comes from arstechnica:
"Operating system vendors have built entire 'protected path' setups to guard audio and video all the way through the device chain. TVs and monitors now routinely use HDCP copy protection to secure their links over HDMI cables.
"Game consoles are packed with encryption schemes to prevent copied games from playing. Microsoft even goes out of its way to add encryption when Windows Media Center records unencrypted over-the-air TV content. Even the humble DVD, with its long-since-breached CSS encryption, offers more in the way of encryption."
In sum, unfortunately for would-be scriptwriters, the overall danger of this incident is certainly not up to the level of a Hollywood blockbuster. But, moving forward, it is also a bit worrisome for the rest of us that Hollywood had put more efforts into protecting the "Terminator" movies from illegal download than our military had in protecting its robotic systems at war today. 

No comments:

Post a Comment