If you think that computer intrusions are the main thing we need to worry about when it comes to cybersecurity, think again. There's growing concern about the implications of our increasingly wireless world and how readily it can be disrupted.
When it comes to our reliance on the electromagnetic spectrum for communication, I’m reminded of the lyrics from "The air that I breathe" by the Hollies: "Sometimes, all I need is the air that I breathe and to love you."
Today, the air that we breathe also serves as a primary conduit for transmitting voice communications, establishing network connectivity, and enabling remote control over physical objects that run the gamut from military drones over Afghanistan to local traffic light signals.
But the downside to this high tech phenomenon lies in the potential for individuals, terrorist groups, or nations to intentionally deny, degrade, or alter our wireless signals. While it’s taken as a given that our traditional international sparring partners such as Russia have advanced electronic warfare jamming capabilities, individuals can also cause harm by using handheld equipment costing less than $500.
It’s true that “jammers,” the name given to those devices that are designed to deny or degrade wireless signals, are illegal to market, sell, or use in the US. Yet, despite a string of enforcement actions, there remains no shortage of websites offering this equipment for sale, including this one hiding in plain sight at jammer-store.com.
A few years back, US Navy Adm. Jonathan Greenert recognized our growing wireless vulnerability, writing, “Inexpensive jammers, signal detectors, computer processors, and communication systems make it easier today for unfriendly states, terrorists, and criminals to affect our ability to use the EM-cyber environment.” With this in mind, the Admiral concluded that “[f]uture conflicts will be won in a new arena – that of the electromagnetic spectrum and cyberspace. We must merge, then master those realms.”
And there’s the rub. What if we don’t master those realms, but somebody else does? What if everyone masters those realms?
Disruption capabilities, such as through radio frequency jammers, could create “quiet” zones that prevent vital, wireless voice communications (including those of first responders like police, paramedics, and firefighters) and remote data commands (including those that exist across our financial services, transportation, and energy sectors).
Then there’s the threat of interference with space-based global position system technology. GPS is one of the most significant, ubiquitous, and taken-for-granted technologies of our era. Many of our nation’s essential functions are highly dependent upon GPS, which transmits not merely location data but also timing information.
Location is essential for vehicle tracking and navigation, the coordinated movement of people and cargoes, geological surveying, precision agriculture – and the list goes on, reflecting an amazingly diverse set of interests at stake.
What some don't appreciate, however, is the role the GPS timing signal plays in our lives. GPS timing is becoming the go-to measure, either directly or indirectly, for allowing computers to synchronize with one another and form networks, such as the Internet itself.
Making all of these matters worse, interference doesn’t simply mean that signals are denied or degraded, which results in communications becoming unavailable. Wireless signals also can be spoofed, thereby fooling recipients into believing that inaccurate messages are legitimate and calling into question the integrity of wireless-dependent operations. For example, research done by students at the University of Texas-Austin while aboard a luxury yacht a couple of years ago, showed that spoofing GPS signals could guide an $80 million vessel wildly off course.
So, what are we doing to study, analyze, and respond to intentional interference with our wireless communications? Surprisingly little.
Within the US government, the Department of Homeland Security is a likely leader, as is the multiagency Purposeful Interference Response Team (PIRT), managed by the Department of Defense. Yet, there is no national, cross-government initiative to detect, collect, centralize, analyze, or respond to purposeful spoofing or disruptions of wireless communications. In the private sector, it similarly appears that no sector or cross-sector leads have taken to gather industry data or develop a research agenda to counter the expanding business risk of intentional interference.
In terms of mitigating and deterring the threat, federal enforcement efforts are grossly under-resourced, and those that exist are primarily civil rather than criminal in nature and reside in the Federal Communications Commission. Federal law enforcement, including the FBI, have no known national efforts in place to train and equip federal agents or local police to rapidly identify, locate, and disrupt those behind jamming events. As a result, stopping the source of interference typically takes days, or even months, rather than minutes or hours.
Although we can’t change the past, we can build a stronger future. We have been fortunate to date in our having faced relatively unsophisticated adversaries, with either limited access or limited desire to routinely employ interference or disruption technologies. Nonetheless, the intent and capabilities to disrupt networks certainly exist. All of which brings to mind the 9/11 Commission, which famously reported its belief that the 2001 terrorist attacks revealed four kinds of US government failures: "imagination, policy, capabilities, and management."
I think we can rule out lack of imagination as being part of the problem. Instead, it’s past time to get serious about being proactive rather than reactive. As a good starting point, our national cybersecurity efforts should be reviewed and revised to include a focus on threats against the electromagnetic spectrum.
We have a window of opportunity to be prepared for wireless interference. Let’s not continue to squander it, lest we lose precious time – and perhaps even the timing signal itself.
Steven Chabinsky is General Counsel and Chief Risk Officer for CrowdStrike, a cybersecurity technology firm, and the cyber columnist for Security Magazine. He previously served as Deputy Assistant Director of the FBI’s Cyber Division. You can follow him on Twitter @StevenChabinsky.