Dave already broke this story (is that the right phrase?) on this blog in an update to his post, but I think the topic has enough fissile discussion material to warrant a post of its own. I’d like to steal the intro to this story from Ars Technica, which is where I first read about this:
What three-letter Internet acronym best fits the bizarre news out of Iraq and Afghanistan that militants there have been intercepting US Predator drone video feeds using laptops and a $30 piece of Russian software: LOL, WTF, or OMG?
Actually, all three are appropriate for something this farcical, horrible, and brain-numbing. The reason that the transmissions could be picked up easily by a cheap satellite recording program? They were broadcast in the clear between the drone and ground control. That’s right—no encryption was used.
If that doesn’t give you pause, you might need to check your pulse. It’s an embarrassing example of how cybersecurity is such an under-developed part of the nation’s security. We can build and deploy flying, remotely-operated killing machines à la Terminator, but we can’t encrypt the video feed?
But the threat doesn’t come from Skynet. It comes from our inability and our unwillingness to take seriously the problems and shortcomings of cybersecurity. And with more and more reliance on internet connectivity for operations, and a shift from proprietary military hardware to standard off-the-shelf equipment, the risk of being compromised by hackers is rapidly increasing.
Perhaps now more than ever, we have a unique situation where the weapons of war are becoming easier and easier to hijack from afar. To steal a nuclear warhead, one must first get past the soldiers trained to protect those valuable assets. Steel, concrete, defensive weapons, and armed soldiers stand in the way of stealing such a powerful weapon. But as the picture in Dave’s post asks, does a cyber attack need anything more than a computer with an internet connection? Will World War 3 be launched from a Starbucks coffee shop?
The Legal Implications
When I read about the Predator Drone incident, I wondered what the implications would be for how we treat the issue of electronically hijacking weapons to use on others. Say those Iraqi and Afghan militants found a way to control those drones and use them against civilians. Who would be culpable for the deaths of those civilians? Would the U.S. Military be guilty of negligence in allowing that military hardware to fall into enemy hands so easily? I mean, it’s one thing to break into a heavily-guarded nuclear silo and steal a nuke (which hasn’t happened yet to anyone’s knowledge). There are plenty of measures in place to prevent the theft or use of a nuclear weapon by a foreign agent. But the defenses against a cyber attack? In this case, almost non-existent. Would the military be guilty of negligence for willingly allowing such weapons to continue to function without stringent security measures?
I ask because this may not only apply to physical military hardware, but also electronic weapons. Let’s try a hypothetical: if a Pentagon defensive computer network is re-purposed to take down, say, the FAA’s flight-planning processing system (which can catastrophically fail on its own when even one router in the nationwide network malfunctions), who’s held liable? Is it the foreign (or even domestic?) hackers who took control of the network? Or is it the Pentagon that failed to secure its own network? Or is it the FAA whose flight-planning network was vulnerable to even the slightest disturbances?
I know one thing for sure: the first time the U.S. gets hit by a major cyber attack is going to be a wake-up call for us all . . .