Encryption: Fixed or still broken?
DOD officials downplay security concerns about drones' unencrypted video feeds
- By Kevin Coleman
- Jan 20, 2010
Drones are now a critical component of the U.S. arsenal and strategy for modern-day warfare. According to intelligence reports from the Pakistani government, in the first half of 2009, U.S. drones carried out about 50 strikes in that country. Many more strikes have taken place in Afghanistan, particularly in the tribal regions of North and South Waziristan.
In recent months, the frequency of drone attacks has increased, indicating that those missions are putting pressure on militants and their leaders. Multiple sources have stated that for now, the U.S. strategy of using drones to target Taliban and al Qaeda leaders will continue. However, Pakistani leaders continue to publicly complain about the U.S. drone strikes on terrorist territories within their country.
It is easy to see the technological advantage of this relatively new class of weapon. And with the significant amount of publicity given to the problem of our adversaries being able to view unencrypted drone video feeds, particularly after a Wall Street Journal report last month, the world has become much more aware of the issue.
Senior Defense Department officials played down the security concerns about those unencrypted feeds after the newspaper broke the story. The story said that Iran-backed Shiite insurgents had obtained and used the software SkyGrabber — sold online for $25.95 — to intercept and view live video feeds from the drones. The software was developed to allow Internet users to grab music, photos, videos, programs and other content and was not intended for military use as a cyber weapon, though it has served that purpose.
Adm. Mike Mullen, chairman of the Joint Chiefs of Staff, did not dispute the encryption issue and confirmed that hackers had obtained data from drones flying over Iraq. He reportedly went on to say that he is very concerned about hacking and cybersecurity in general. I believe the vast majority of security professionals and military and government leaders share his concern.
However, what remains unclear is whether the problem has been addressed or is still an issue. On Dec. 17, 2009, numerous sources, including Alsumaria Iraqi Satellite TV Network in Iraq, reported that the issue had been fixed. ABC News similarly reported that DOD officials had downplayed the security threat and said the old issue had been fixed.
However, on Dec. 18, the Washington Post quoted a military official as saying, “It will take at least until 2014 to encrypt video feeds from the U.S. military's Predator and Reaper drones to prevent enemy forces from intercepting the information.”
Part of the problem is bandwidth and time delay constraints. Encrypted video can require up to twice the bandwidth and processing time as that of straight video. Until the aging Global information Grid (now 25 years old) can be upgraded, field commanders in regions with limited bandwidth have to choose between unencrypted video or no video at all.
The bottom line is that this shortcoming never should have gotten this far. With an estimated 36 percent of the Air Force's 2010 budget being spent on new drones like the Predator, you can bet this issue will be a hot topic.
A review board should have identified it as a security flaw during the design phase. Some organizations call them red team reviews, while others call them security and technology advisory boards (STABs). In both types of reviews, third-party groups from outside the defense industry and Beltway conduct independent examinations, render objective opinions, and offer constructive criticism on mission-critical projects and those with high dollar values. Independent auditing is common to ensure the accuracy and integrity of financials but is far less pervasive when it comes to security.
It is unknown if that technique was used as part of the drone program, but it is highly doubtful. Perhaps it is time that this proven technique be formalized and mandated given the recent upswing in cyberattacks. Security must be built in, not bolted on later. It would be advisable if the military and defense contracting community took a STAB at ensuring security.