Turn Left Here? Why Problems with GPS Show our Cyber Weaknesses
It turns out that the problems with GPS are bigger than any of us knew about — and that has serious implications about not just GPS, but about the larger cybersecurity debate that is playing out in the Senate this week with the final debate over the revised Cybersecurity Act of 2012.
Last month news broke that a team of researchers from the University of Texas had hijacked a drone by spoofing the GPS used in it’s navigation system. “Spoofing” is a hacking technique that involves fooling a computer into believing that the hacker’s computer is a trusted computer. In this case, the U of T team fooled the drone by sending a signal that pretended to be from satellites in the GPS constellation but contained inaccurate location information — information that would have caused the drone to crash if not for pilot intervention.
Which should worry you not just because GPS helps fly drones but also because none of us know how to get anywhere without it any more.
Earlier last month the GPS industry successfully fought off the perceived threat that part of the electromagnetic spectrum used by GPS might be taken by other services. But this threat pales in comparison to the threat of GPS spoofing. GPS is both a critical military technology — as evidenced by the Department of Defense’s strategic budget priorities and the continued restrictions imposed by the Department of Defense and the Department of State on the export of military grade GPS receivers and associated technology.
Despite this, there doesn’t seem to be a consensus which part of the federal government should take the lead on address the issue. Even though Congress recently passed a new bill instructing the Federal Aviation Administration to increase the use of GPS in aerial navigation and open United States airspace to privately owned drones, the FAA has no authority to secure the GPS signal. Similarly, although the Department of Homeland Security has been assigned the lead role in domestic cybersecurity, DHS was absent at a recent House of Representatives hearing on domestic drone security that specifically addressed the GPS vulnerability. All this despite the fact that this is the second (known) time that drones have been hacked.
All this goes to show that the United States still has a long way to go in figuring out how to secure itself and its critical infrastructure from cyber attack. And the revised Cyber Security Act of 2012 is least that we can do to get that process moving faster. The current version removed language that some business leaders felt would create burdensome regulation, and now requires additional regulation only of some already heavily regulated critical infrastructure industries like nuclear power — in short, industries where we can all agree that there cannot be too much safety and security since the cost of failure is higher than we want to bear (think Fukushima or New Orleans and you’ll see what I mean). Both House and Senate leaders on both sides of the aisle — including the House Republican Task Force on Cybersecurity — and President Obama, all agree that the current bill is good enough to start the ball rolling on making positive changes.
And since I don’t think I’m going to give up my GPS — no matter how much that may be a good idea — we can’t get started soon enough.
Richard Wheeler is a Truman Security Fellow.
Featured image is from Flowizm